Skip links
Book a Demo
Carradale Futures

Privacy policy

Introduction

Carradale Futures Horizon Limited, a company incorporated in the UK with company number 13099555 and registered office at Camburgh House, 27 New Dover Road, Canterbury, Kent, United Kingdom, CT1 3DN (“we”, “us”, “our”, “CF”) are the data controller and we are committed to protecting and respecting your privacy. We comply with the UK General Data Protection Regulation (GDPR). This Privacy Policy describes why and how we collect and use personal data and provides information about individuals’ rights. It applies to personal data provided to us by individuals themselves or by others. CF may use personal data provided to us for any of the purposes described in this Privacy Policy or as otherwise stated at the point of collection.

Personal data means any information relating to an identified or identifiable natural person. CF processes personal data for a number of reasons, and the means of collection, lawful basis of processing, use, disclosure, and retention periods for each reason will differ.

Contact Information

If you have questions or comments about this Privacy Policy or how we handle personal data, please contact albavargas@caradalefutures.com.

You may also contact the UK Information Commissioner’s Office at https://ico.org.uk/concerns/ to report concerns you may have about our data handling process.

How We Collect Personal Data

Directly

Personal data is collected directly from individuals in various ways:

  • Submitted Information: Information that you share with us by filling in forms or sharing documents with us both digitally and in paper format.
  • Office Visits: Data collected during visits to our office.
  • Meeting Attendances: Information gathered during meetings.
  • Surveys: We may ask you to complete surveys for research purposes.
  • Job Applications: Information provided during job applications.
  • Business Relationships: Data collected when establishing a business relationship or performing professional services.

Indirectly

Personal data is collected indirectly from various sources:

  • Public Registers and Public Data
  • Framework Agreements
  • Internet Searches
  • News Articles
  • Business Clients: When our clients engage us to perform professional services, we may review workforce data that includes personal data.
Categories of Personal Data We Collect

We may obtain the following two categories of personal data through either direct interactions, client engagements, suppliers, job applications or other situations including those described in this Policy.

Personal Data
Common personal data collected includes:

  • Workforce Personal Details: Job role, contact details, working hours, etc.
  • Aggregated Data: Anonymized personal data and special categories of personal data for analysis purposes.

Special Categories of Personal Data
We usually do not collect special categories of personal data. If we do, it is with explicit consent unless obtained indirectly for legitimate purposes.

Lawful Bases for Processing Personal Data

In order to process personal data, we must have a lawful basis for doing so.

The processing of personal data is permitted under the following UK GDPR condition:

  • GDPR Article 6 (1) (f) – It is necessary for our legitimate interests in being able to provide tools and services that will benefit healthcare organisations.

The processing of special categories of personal data is permitted under the following UK GDPR condition:

  • GDPR Article 9 (2) (h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
  • GDPR Article 9 (2) (j) – It is necessary for reasons that are in the public interest in the area of public health. We provide tools and services to public healthcare organisations that help them to monitor and improve the standards and quality of care that they offer. Our processing is thus designed to benefit patients and society as a whole through facilitating better healthcare in the UK

Some of our NHS clients provide us with pseudonymised patient-level healthcare data that we use for our analyses; here we act as the data processor and our NHS client acts as the data controller who is acting in the public interest.

We may depend on the following lawful bases when collecting and using personal data to perform our business activities and provide our services:

  1. Legal obligations and public interests: We may process personal data to meet certain regulatory and public interest obligations or mandates
  2. Legitimate interests: We may rely on legitimate interests based on our evaluation that the processing is fair, reasonable and balanced.
  3. Consent – we may rely on your freely given consent
  4. Contract – we may process personal data in order to perform contractual obligations
Why We Nwws Personal Data

We will always endeavour to explain our rationale for collecting personal data and maintain transparency throughout. We process employee and patient data for the purpose of helping healthcare organisations to identify areas of opportunity in performance or efficiency and work with them to improve. Reasons can include:

  1. Providing professional advice and delivering reports related to our professional services
  2. Promoting our professional services to existing and prospective business clients
  3. Fulfilling employment or contractual obligations 
  4. For business intelligence and analytical services to enable us to predict future trends and plan our services
  5. To benchmark performance and spend against similar health systems in England
  6. Identify improvements in operational efficiency and monitor the impact of implemented changes
  7. Understand the drivers of activity and spend in a system and use this to develop a forward plan
  8. Analyse patient outcomes, quality and activity metrics and use this to develop plans to improve
  9. Seeking qualified candidates
Sharing Personal Data with Third Parties

Sometimes we may share personal data with trusted third parties to help us deliver effective and quality services.These recipients are either contractually bound to safeguard the data we entrust them or will sign an agreement to ensure this is the case. Your personal data will be used only for specific client work and for research in the public interest. The data we share with our NHS clients will not be identifiable unless specifically requested to do so by the data controller.

Recipients that we engage with can include:

  1. Parties that support us as we provide services (e.g. IT system support, providers of telecommunication systems, document production services and cloud-based software services)
  2. Sub-contractors and partner organisations involved in delivering our professional services
  3. Professional advisers such as lawyers and insurers
  4. Recruitment service providers
  5. Law enforcement and regulatory agencies

We do not share your personal information with marketing and advertising companies. We hold your information securely in the UK at all times. Your information is not shared anywhere outside the UK.

Cookies

Our website may use cookies. Where cookies are used, a statement will be sent to your internet browser explaining the use of cookies.

Your Data Protection Rights

Your rights are outlined below. To submit a request, please email albavargas@carradalefutures.com

The right of access to personal data

  • You have the right to access your personal data held by us.

The right of rectification

  • You have the right to request the correction of personal data held by us to the extent that it is inaccurate or incomplete.

The right to data portability

  • You have the right (in certain circumstances) to obtain personal data in a format to allow you to transfer it to another organisation.

The right to withdraw consent

  • You have the right to withdraw consent at any time, and the process to withdraw consent will be as easy as the process to give consent.

The right to object

  • You have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling).
  • This right also applies to direct marketing and processing for purposes of scientific/historical research and statistics.

The right to restrict processing

  • You have the right (in certain circumstances) to “block” or suppress the processing of your personal data.

The right to object to automated decision making (including profiling)

  • You have the right (in certain circumstances) to object to automated decisions (including profiling) based upon the processing of personal data and request human involvement.

The right to erasure/to be forgotten

  • You have the right (in certain circumstances) to request the deletion of personal data where there is no compelling reason for its continued processing.

We may request specific information from you to help us confirm your identity and therefore ensure your rights. This will help us guarantee that personal data is not disclosed to any person who has no right to receive it.

No fee is required to make a request. Depending on the circumstances, we may be unable to comply with your request based on other lawful grounds.

Personal Data Security

The measures we use to ensure personal data security include:

  1. Putting in place policies and procedures to protect personal data from loss, misuse, alteration or destruction.
  2. Making sure that access to personal data is limited only to those who need access to it and that confidentiality is maintained.
  3. Applying pseudonymisation and anonymisation techniques to further protect the data.

Please be aware that the transmission of data via the Internet is not always completely secure. Whilst we will do our utmost to protect the security of your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk.

Data Retention

We retain personal data to:

  1. Provide our services
  2. Stay in contact with you
  3. Comply with applicable laws, regulations and professional obligations that we are subject to

Unless a different time frame applies as a result of business need or specific legal, regulatory or contractual obligations, where we retain personal data in accordance with these uses, we retain personal data for seven years.

Personal data is usually disposed of in a secure manner when we no longer require it.

Job Applicants, Current and Former employees

Personal details you provide in your application for a job opening at CF will be used by us to process your application in accordance with the GDPR and other applicable laws.

Third parties

We may also share your data with approved organisations for fraud prevention purposes or with other third-party suppliers working on our behalf, such as employment verification service providers.

Data retention

In all instances, we take steps to ensure that an adequate level of protection is given to your personal data. Any information provided will only be stored for the necessary amount of time required, after which it will be safely destroyed. By submitting your application you are agreeing to your data being processed in accordance with these terms.

Personal information about unsuccessful candidates will be held for 12 months after the recruitment exercise has been completed, it will then be destroyed or deleted. We retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.

Upon employment

Once a person has taken up employment with CF, we will compile a file relating to their employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to that person’s employment. Once their employment has ended, we will retain the file in accordance with the requirements of our retention schedule and then delete or anonymise it. 

Visitors to our websites

Standard internet log information and visitor behavior patterns is collected. We do not identify individuals and do not associate data from the website with any personally identifying information.

External Links

Our website (https://www.carradalefutures.com/) may contain links to other websites. This privacy notice does not cover those links. We encourage you to read the privacy statements of other websites you visit.

External links are selected and reviewed when the page is published. However, we are not responsible for the content of external websites we have no control over. The content on external websites can be changed without our knowledge or agreement.

Some of our external links may be to websites which also offer commercial services. The inclusion of a link to an external website from our website should not be understood to be an endorsement of that website or the site’s owners, their products or services.

Email Communications

Emails sent to us, including attachments, may be monitored for security and compliance purposes. Ensure that any email you send to us is within the bounds of the law.

Complaints

If you feel that we have let you down regarding your information rights, contact Information Governance at albavargas@caradalefutures.com. You can also make complaints directly to the Information Commissioner’s Office (ICO) at ico.org.uk or call 0303 123 1113.

Changes to this privacy policy

There is a regular review our privacy notice. This privacy notice was last updated on 13 March 2023.