Skip links

Privacy policy


Carradale Futures Horizon Limited, a company incorporated in the UK with company number 13099555 and registered office at Camburgh House, 27 New Dover Road, Canterbury, Kent, United Kingdom, CT1 3DN (“we”, “us”, “our”, “CF”) are the data controller and we are committed to protecting and respecting your privacy.We comply with the UK General Data Protection Regulation (GDPR). This Privacy Policy describes why and how we collect and use personal data and provides information about individuals’ rights. It applies to personal data provided to us by individuals themselves or by others. CF may use personal data provided to us for any of the purposes described in this Privacy Policy or as otherwise stated at the point of collection.

Personal data means any information relating to an identified or identifiable natural person. CF processes personal data for a number of reasons, and the means of collection, lawful basis of processing, use, disclosure and retention periods for each reason will differ.

Who can you contact for privacy questions or concerns?

If you have questions or comments about this Privacy Policy or how we handle personal data, please contact

You may also contact the UK Information Commissioner’s Office at to report concerns you may have about our data handling process.

How do we collect personal data?


We obtain personal data directly from individuals in a number of different ways. These can include from:

  1. Submitted Information: information that you share with us by filling in forms or sharing documents with us both digitally and in paper format.
  2. Office visits
  3. Meeting attendances
  4. Surveys. We may also ask you to complete surveys that We use for research purposes, although you do not have to respond to them.
  5. Job applications

We may also obtain personal data directly when we are establishing a business relationship, performing professional services through a contract, or through our hosted cloud platform.


We obtain personal data indirectly from a number of sources. These can include from:

  1. Public registers and public data
  2. Framework agreements
  3. Internet searches
  4. News articles

We may also obtain personal data indirectly from our business clients. This will be in the event that our business clients engage us to perform professional services and personal data that they control will be shared as part of that engagement. For example, we may need to review workforce data that will inevitably contain personal data. Our services may also include processing personal data under our clients’ control of our hosted cloud platforms, which may be governed by different privacy terms and policies.

What are the categories of personal data that we collect?

We may obtain the following two categories of personal data through either direct interactions, client engagements, suppliers, job applications or other situations including those described in this Policy.

Personal data

Personal data we commonly collect to conduct our business activities include:

  1. Workforce personal details such as: job role and duties, contact details (name, surname and work email address), working hours and shifts, etc.
  2. Aggregated data. A combination of anonymised personal data, and special categories of personal data for the purpose of analysis to enable us to predict future trends and plan our services

Special categories of personal data

We usually do not collect special categories of personal data about individuals. In the event that we do process special categories of personal data, it is with the explicit consent of the individual unless it is obtained indirectly for legitimate purposes. An exampleof special categories of personal data we may obtain include:

  • Information provided to us by clients in the course of a professional engagement may include data related to patients, having previously signed a confidentiality agreement.
What are the lawful bases we use for processing personal data?

In order to process personal data, we must have a lawful basis for doing so.

The processing of personal data is permitted under the following UK GDPR condition:

  • GDPR Article 6 (1) (f) – It is necessary for our legitimate interests in being able to provide tools and services that will benefit healthcare organisations.

The processing of special categories of personal data is permitted under the following UK GDPR condition:

  • GDPR Article 9 (2) (h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
  • GDPR Article 9 (2) (j) – It is necessary for reasons that are in the public interest in the area of public health. We provide tools and services to public healthcare organisations that help them to monitor and improve the standards and quality of care that they offer. Our processing is thus designed to benefit patients and society as a whole through facilitating better healthcare in the UK

Some of our NHS clients provide us with pseudonymised patient-level healthcare data that we use for our analyses; here we act as the data processor and our NHS client acts as the data controller who is acting in the public interest.

We may depend on the following lawful bases when collecting and using personal data to perform our business activities and provide our services:

  1. Legal obligations and public interests: We may process personal data to meet certain regulatory and public interest obligations or mandates
  2. Legitimate interests: We may rely on legitimate interests based on our evaluation that the processing is fair, reasonable and balanced.
  3. Consent – we may rely on your freely given consent
  4. Contract – we may process personal data in order to perform contractual obligations
Why do we need personal data?

We will always endeavour to explain our rationale for collecting personal data and maintain transparency throughout. We process employee and patient data for the purpose of helping healthcare organisations to identify areas of opportunity in performance or efficiency and work with them to improve. Reasons can include:

  1. Providing professional advice and delivering reports related to our professional services
  2. Promoting our professional services to existing and prospective business clients
  3. Fulfilling employment or contractual obligations 
  4. For business intelligence and analytical services to enable us to predict future trends and plan our services
  5. To benchmark performance and spend against similar health systems in England
  6. Identify improvements in operational efficiency and monitor the impact of implemented changes
  7. Understand the drivers of activity and spend in a system and use this to develop a forward plan
  8. Analyse patient outcomes, quality and activity metrics and use this to develop plans to improve
  9. Seeking qualified candidates
Do we share personal data with third parties?

Sometimes we may share personal data with trusted third parties to help us deliver effective and quality services.These recipients are either contractually bound to safeguard the data we entrust them or will sign an agreement to ensure this is the case. Your personal data will be used only for specific client work and for research in the public interest. The data we share with our NHS clients will not be identifiable unless specifically requested to do so by the data controller.

Recipients that we engage with can include:

  1. Parties that support us as we provide services (e.g. IT system support, providers of telecommunication systems, document production services and cloud-based software services)
  2. Sub-contractors and partner organisations involved in delivering our professional services
  3. Professional advisers such as lawyers and insurers
  4. Recruitment service providers
  5. Law enforcement and regulatory agencies

We do not share your personal information with marketing and advertising companies. We hold your information securely in the UK at all times. Your information is not shared anywhere outside the UK.

Do we use cookies?

Our website may use cookies. Where cookies are used, a statement will be sent to your internet browser explaining the use of cookies.

What are your data protection rights?

Your rights are outlined below. To submit a request, please email

The right of access to personal data

  • You have the right to access your personal data held by us.

The right of rectification

  • You have the right to request the correction of personal data held by us to the extent that it is inaccurate or incomplete.

The right to data portability

  • You have the right (in certain circumstances) to obtain personal data in a format to allow you to transfer it to another organisation.

The right to withdraw consent

  • You have the right to withdraw consent at any time, and the process to withdraw consent will be as easy as the process to give consent.

The right to object

  • You have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling).
  • This right also applies to direct marketing and processing for purposes of scientific/historical research and statistics.

The right to restrict processing

  • You have the right (in certain circumstances) to “block” or suppress the processing of your personal data.

The right to object to automated decision making (including profiling)

  • You have the right (in certain circumstances) to object to automated decisions (including profiling) based upon the processing of personal data and request human involvement.

The right to erasure/to be forgotten

  • You have the right (in certain circumstances) to request the deletion of personal data where there is no compelling reason for its continued processing.

We may request specific information from you to help us confirm your identity and therefore ensure your rights. This will help us guarantee that personal data is not disclosed to any person who has no right to receive it.

No fee is required to make a request. Depending on the circumstances, we may be unable to comply with your request based on other lawful grounds.

Personal data security

The measures we use to ensure personal data security include:

  1. Putting in place policies and procedures to protect personal data from loss, misuse, alteration or destruction.
  2. Making sure that access to personal data is limited only to those who need access to it and that confidentiality is maintained.
  3. Applying pseudonymisation and anonymisation techniques to further protect the data.

Please be aware that the transmission of data via the Internet is not always completely secure. Whilst we will do our utmost to protect the security of your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk.

How long do we retain personal data?

We retain personal data to:

  1. Provide our services
  2. Stay in contact with you
  3. Comply with applicable laws, regulations and professional obligations that we are subject to

Unless a different time frame applies as a result of business need or specific legal, regulatory or contractual obligations, where we retain personal data in accordance with these uses, we retain personal data for seven years.

We will dispose of personal data in a secure manner when we no longer require it.

Job applicants, current and former CF employees

Personal details you provide in your application for a job opening at CF will be used by us to process your application in accordance with the GDPR and other applicable laws.

Third parties

We may also share your data with approved organisations for fraud prevention purposes or with other third-party suppliers working on our behalf, such as employment verification service providers.

Data retention

In all instances, we take steps to ensure that an adequate level of protection is given to your personal data. Any information provided will only be stored for the necessary amount of time required, after which it will be safely destroyed. By submitting your application you are agreeing to your data being processed in accordance with these terms.

Personal information about unsuccessful candidates will be held for 12 months after the recruitment exercise has been completed, it will then be destroyed or deleted. We retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.

Upon employment

Once a person has taken up employment with CF, we will compile a file relating to their employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to that person’s employment. Once their employment has ended, we will retain the file in accordance with the requirements of our retention schedule and then delete or anonymise it. 

Visitors to our websites

When someone visits

  1. We collect standard internet log information and details of visitor behaviour patterns.
  2. We do this to find out things such as the number of visitors to the various parts of the sites.
  3. We collect this information in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our website.
  4. We will not associate any data gathered from these sites with any personally identifying information from any source.
Links to other websites

On our website ( and its subdomains, we may provide links to other websites – known as external links. This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

External links are selected and reviewed when the page is published. However, we are not responsible for the content of external websites we have no control over. The content on external websites can be changed without our knowledge or agreement.

Some of our external links may be to websites which also offer commercial services. The inclusion of a link to an external website from our website should not be understood to be an endorsement of that website or the site’s owners, their products or services.

People who email us

Any email sent to us, including any attachments, may be monitored and used by us for reasons of security and for monitoring compliance with office policy.

Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.

How to complain

If you feel that we have let you down in relation to your information rights, then please contact Information Governance using the details above.

You can also make complaints directly to the Information Commissioner’s Office (ICO). The ICO is the independent authority upholding information rights for the UK. Their website is and their telephone helpline number is 0303 123 1113.

Changes to this privacy policy

We keep our privacy notice under regular review. This privacy notice was last updated on 13 March 2023.