Privacy Statement


This is the privacy notice of THE LEY COMMUNITY DRUG AND ALCOHOL SERVICES. In this document, “we”, “our”, or “us” refer to our business name.

We are a charitable company limited by guarantee; registered charity number 107487; company number 3736193.

Our registered office is at: Sandy Croft, 26 Sandy Lane, Yarnton, Oxfordshire OX5 1PB

Our core purpose is to provide residential based treatment and support to individuals with addiction related issues.

The Ley Community is registered with the Information Commissioners Office (ICO). Details of our registration can be found at:

(enter our registration number Z5617149 and click ‘search register’ Z5617149).


The Ley Community is fully committed to the principles of openness and transparency in every aspect of business, while ensuring that we remain respectful of individual rights in relation to the data and information we collect, process, retain and disclose. We see no conflict and work hard to achieve the right balance that enables us to effectively deliver services to the benefit of those we serve.

This notice sets out what data and information we collect about you, how we will use it and why, and what your rights are. It is part of our commitment to ensuring that we process your personal data and information fairly and lawfully and covers data and information we collect on; residents; donors/supporters; and, staff members including volunteers.

Under no circumstances do we share data and information for marketing purposes, nor do we sell any personal data and information that we may hold.


Our privacy notice is part of a broader set of legally compliant policies and guidelines that are informed by the latest legislation that has been designed to protect individual data and information rights and guide us in how we process, manage and store personal data and information. The key legislation and guidance includes (not exhaustive):

  • General Data Protection Regulations (GDPR; 2018);
  • Data Protection Act (1998);
  • Human Rights Act 1998 (Article 8);
  • Access to Health Records Act (1990);
  • Freedom of Information Act (2000);
  • Health and Social Care Act (2015);
  • Caldicott Principles (1997).


The law requires us to determine a firm legal basis for collecting, processing, storing and disclosing personal data and information and to notify you of the basis in each case.

Aligned to the nature of our business, we apply the following legal bases when processing personal data and information:

Legitimate Interests

We process data and information on the basis there is a legitimate interest, either to you or to us, of doing so.

Where we process your information on this basis, we do so after careful consideration to:

  • whether, or not, the same objective could be achieved through other means;
  • whether, or not, we are able to continue fulfilling our care obligations to you;
  • whether processing (or not processing) might cause you harm; and,
  • whether you would expect us to process your personal data and information, and whether you would consider it reasonable to do so.

For example, we may process your data on this basis for the purposes of:

  • fulfilling our necessary business administration needs;
  • responding to unsolicited communication;
  • protecting and asserting the legal rights of any party;
  • insuring against or obtaining professional advice that is required to manage business risk; and,
  • protecting your interests where we believe we have a duty to do so.


There are many instances where you provide consent for us to collect, process, manage and store personal data and information. In most cases, specifically, personal data and information that we process in regards residents of our service, we seek explicit consent.

There are also times when you might give your consent implicitly, such as when you send us a message by e-mail, or, where you have requested information regarding services and to which you would reasonably expect us to reply.

Except where you have consented to our use of your data and information for a specific purpose, we do not use your data and information in any way that would identify you personally.

If you have given us explicit permission to do so, and unless legally obliged to do so (see below), we may be required to share information with third party organisations involved in the care of our residents. In such cases, we will only share information that is relevant and reasonable to the request.

We continue to process your data and information on this basis until you withdraw your consent, or it can be reasonably assumed that your consent no longer exists.

You may withdraw your consent at any time, however, if you do so, it may have an impact on our ability to adequately provide services.

Legal Obligation

Sometimes, we must process your data and information to comply with a statutory obligation. For example, we may be required to give information to legal authorities if they make the request within the parameters of certain legal conditions, for example, where residents are residing with us as part of a community sentence, or if they have the proper authorisation such as a search warrant or court order.

Contractual Obligation

When you buy services from us and agree to specific terms and conditions, a contract is formed between us.

To carry out our obligations under that contract we must process the data and information you give us. Some of this data and information will be personal information and we may use it to:

  • verify your identity for security purposes;
  • maintain communications with you; and/or,
  • provide you with our services.

We process this information on the basis there is a contract between us, or that you have requested we use the data and information before we enter into a legal contract.

We shall continue to process this data and information until the contract between us ends or is terminated by either party under the terms of the contract.


When we use your personal information, we will always consider if it is fair and balanced to do so and whether it would be within your reasonable expectations that we would use your data in this way. This includes:

Residents of our Service

To ensure that we can respond to applications for our services effectively and to continue providing the right levels of care and support to you, we must collect, process and store personal information. More detail on the type of information we process is provided at referral.

Donors, Grant Givers and Supporters

When you provide financial support, or express an interest in supporting us, we will use the data and information we collect from you to thank you for your support and process a Gift Aid claim, where appropriate.

Unless you explicitly ask us not to, we will also provide updates of our work and, occasionally, we may also use your information to ask for additional support. You have the right to opt-out of these communications at any time.

Employees (paid and unpaid)

We process the personal data and information of our employees for recruitment, staff administration, remuneration, pensions and performance management purposes.

Job Applicants

We use the data and information we collect from you to process and consider your job application. Your information will only be shared with those staff involved in processing your application. We will only request a reference or a DBS disclosure with your prior consent, however, this can affect requests due to the nature of the work we undertake.

Your data and information will not be added to our mailing list without your explicit consent and will not be used for any subsequent purposes other than ensuring fair recruitment.


Under data protection law, there are certain categories of personal information that are recognised as sensitive, including; health information; race; religious beliefs; and, sexual orientation (‘sensitive personal data’).

We only collect ‘sensitive personal data’ if there is a clear reason for doing so. For example, where the information is needed to enable us to effectively and safely deliver care, such as health information (GDPR: ‘the provision of social care’; article 9.h).

There are also other categories of ‘sensitive personal data’ that we are required to collect for the purposes of anonymous government monitoring (NDTMS).

We also need to collect information on previous convictions from potential residents, staff and volunteers to ensure appropriate safeguards are in place to protect the residents of our programme and provide the most appropriate care to them. Such data is processed in accordance with UK Data Protection law and with the utmost discretion.


Except where otherwise mentioned in this privacy notice, we keep your personal data and information only for as long as is required:

  • to provide you with the services you have requested;
  • to comply with law; and/or’
  • to support a claim or defence in court.

Data and information is collected, processed, managed and stored using electronic and/or paper files, folders and archives. All storage systems adhere to the requirements of law and are secured by encryption and governed by strict data handling protocols.

We also take all reasonable steps to ensure that the information we hold about you can only be read by the appropriate staff members.


We will not share your information with any other organisation without explicit consent, except where stated otherwise in this notice. Instances where we will need to share information include:

  • if instructed to in law, for example through a court order;
  • as a necessary part of providing you with our service, for example with other professionals involved in your care;
  • to process the pay-roll, pensions and tax of our staff; and/or,
  • in order to contact you as a supporter – for example, by using a mailing house or email broadcaster to process our communications. In such cases, we will have a written contractual agreement in place that clearly stipulates that those organisations can only use the data as directed by us, and that they have in place strict security requirements in order to protect your personal information.


We utilise third party cloud-based software to process and store resident information. The provider is UK based and contractually bound by the appropriate legislation and GDPR requirements.


Right to be Informed

You have the right to be told how your personal information will be used.

We endeavour to always be clear and transparent regarding how your data may be used.

Right of Access

You have a right to ask us to confirm whether we are processing information about you, and to request access to this information.

It will help us to process your request if you can be specific about what information you require, otherwise we may need to contact you again to clarify this.

Right of erasure

Except where we need to retain your data and information for legal reasons, you have the right to be forgotten (i.e. to have your personally identifiable data deleted).

Right of rectification

You have the right to request that we update or correct any information we hold about you.

Please contact us to let us know what needs correcting.

Right to restrict processing

In certain situations, you have the right to ask for the processing of your personal data to be restricted because there is some disagreement about its accuracy or legitimate usage.

Right to data portability

Where we are processing your personal data with your consent, the law allows you to request data portability from one service provider to another.

Right to object

You have the right to stop the processing of your personal data for direct marketing purposes. This does not apply to the us.

Right to object to automated decisions

In a situation where a data controller is using your personal data in a computerised model or algorithm to make decisions that have a legal effect on you, you have the right to object. This does not apply to any aspect of our business.

Any request relating to the rights listed above should be made to:

We will respond to your request within 30 days, once we have confirmed your rights and we have successfully confirmed your identity.


Our website does not use ‘cookies’ to track your visit. However, embedded links may direct you to another site which may contain ‘cookies’. In this case, you should read the relevant privacy notice on the linked site.


We regularly review our privacy notice and related policies to ensure they are aligned to latest legislation and standards. Review may lead to changes to our notice and policies. Last review was completed in May 2018.


We endeavour to meet the highest standards when collecting, processing, storing and using personal data and information. We encourage you to bring any concerns to our attention and treat all concerns raised seriously.

If you want to raise a concern, you can request a copy of the relevant policy with instructions on how to proceed by contacting:

Or, you can write to the ‘Data Controller’ at: The Ley Community, Sandy Croft, 26 Sandy Lane, Yarnton, Oxon OX5 1PB

If, for any reason, you remain dissatisfied with our decision following your complaint, you may wish to contact: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF;

The Information Commissioner will not normally consider an appeal until you have exhausted your rights of redress and complaint with us.