Eden Futures is the name given to a group of four companies who provide social care to individuals. The four companies are as follows:
Within this statement, a reference to company will include all of the companies named above.
All companies named above are registered with the Information Commissioners Office (ICO) for data protection purposes.
The purpose of this statement is to provide information on the control, processing and use of data within the company.
Personal data is information held by the company that would enable the identification of a living individual.
The actions of the company meet the requirements of the Data Protection Act 2018 (incorporating the principles of the General Data Protection Regulations 2018).
The company will uphold and support all individual rights of data subjects under the General Data Protection Regulations. All data held will be stored securely and the privacy and confidentiality of data subjects will be a priority in all data processing. Data will not be held for any longer than is required.
Data is collected and held through all company business activities. This means data is collected by doing the following –
The data collected depends on the reason that for collecting it. It can include, but is not limited to, the following –
The legal basis on which the company relies in order to collect and process data under the GDPR/Data Protection Act 2018 is that of legitimate interests, consent and contractual obligations.
Information will only be used for the purpose for which it is provided. If the company wishes to use data for any other purpose, express permission will be sought to do so.
In the event that the company is asked to provide information to prevent immediate harm or is asked by the police to provide information in respect of a criminal investigation, it will act in accordance with its’ responsibilities as set out in the
All electronic data is held securely within company systems with appropriate security measures in place to ensure that the information is both securely stored and that permissions are in place to ensure that only employees with a “need to know” information have access to stored information.
All paper records are held securely in locked cabinets with key access restricted to those who require those records as part of their job role.
If any person responds to the Company on Facebook or Twitter, that information may be shown on our website.
The Company monitors comments on social media and will act in respect of these comments where appropriate.
Images of people will only be used on our website or in any other marketing material if permission has been given for the company to do this.
The company may wish to advise interested parties of new company initiatives that could be of interest. Consent will be requested to do this, and information will not be sent to anyone who has not consented.
A person’s data will only be accessed by individuals within the company who need to do this in order to complete their work for the company.
The company contracts with external companies to provide IT services. All of those companies are required to be compliant with GDPR and have provided assurance that this is the case.
Further information is provided in the appendix related to recruitment, where an assigned third party undertakes pre-employment checks for the company.
The company provides support to a number of individuals who do not have the capacity to consent to the use and storage of their personal data. In this instance decisions about data use and storage will be made on a Best Interest basis in line with the requirements of the Mental Capacity Act 2005.
From time to time the Company may use direct feedback from individuals in receipt of services or others who have an interest in how the Company performs. This may be published on the Company website, contained in marketing material or shared with a commissioner or regulator. This information will not contain any information which could enable the identification of the person sharing it.
Different types of data are retained for different periods of time in line with regulatory and best practice guidelines. Data is not retained for any longer than is required and this is regularly reviewed. Full details can be found in the company Archiving Policy which can be provided on request.
Appendix A contains information about the National Patient Data Opt-Out and Appendix B contains information about data held in relation to recruitment. This information is also available when applicants log onto the company recruitment portal.
If you wish to make a request to see data held by the Company about you, please contact the Company and provide – Your full name and address; your email address if you have one and any other contact details. You must provide details of your enquiry.
The Company head office is –
Long Bennington Business Park
03300 240 039
You can email GDPR@edenfutures.org with any queries in respect of Data Protection and how the Company collects, uses and stores data.
The person who is the Data Protection Officer for the Company is Sarah Frank, Director of Quality and Governance.
If you wish to see a full version of our Data Protection Policy, please contact us as above.
The version of this statement on the website will always be the Company’s most recent statement in respect of its approach to the GDPR and the management of data within the Company.
This statement confirms that the company will commit to being compliant under the General Data Protection Regulations (EU) 2016/679 and the Data Protection Act 2018.
National data-opt out statement – people we support
Under the national data opt-out everyone who uses publicly-funded health and/or care services can stop health and care organisations from sharing their “confidential patient information” with other organisations if it is not about managing or delivering their own care. For example, if this information is used for research or planning purposes.
Information may be shared with other organisations, if this is required to manage someone’s care. Information may also be shared if explicit consent has been given in respect of sharing that information or if the information is appropriately anonymised so that any individual is not identifiable.
Most care providers do not share confidential patient information except for the purpose of managing or delivering care.
At Eden Futures we do not share any information that we collect about service users and their care and support except for the purpose of providing that care and support. It is only shared with people who “need to know” this information in order to support the care being provided and staff at the company work under strict Confidentiality and Data Protection policies.
There may be exceptions in relation to legal and public interest requirements where there may be an obligation to share information externally, and these are detailed in our Data Protection Policy.
We are using the term “confidential patient information” as this is the term already used by the NHS where the opt-out is already in force. “Confidential patient information” applies to information about someone’s health or social care that can identify them.
Service users will also be asked about this opt-out by other healthcare providers such as their GP practice or when in receipt of acute NHS services (such as in hospital). It is the responsibility of that provider to ensure information is provided in relation to any information held by those parties.
If service users or their relatives or representatives have any questions about the national data opt-out choice at any time, there is an online service to contact as follows: www.nhs.uk/your-nhs-data-matters/ or they can call this number 0300 3035678 – for further information.
All companies within the Eden Futures Group that provide support to individuals are registered with the Information Commissioners Office. In addition companies are registered for the NHS Data Security Protection toolkit and have achieved compliance with the required standards.
This appendix sets out the basis on which the company collects, uses, shares and disposes of information provided by job applicants. The job applicant retains all existing rights under GDPR/Data Protection Act 2018 in relation to this data.
In making an application to join the company via the recruitment portal, the applicant consents to the collection, use, sharing and disposal of information provided by themselves or created by the company in relation to their application. In making this application, you authorise the company to provide your personal details to an assigned third party for the purpose of completing all necessary compliance checks, of which an offer of employment is subject to. The assigned third party will use your personal data for the purposes of compliance checks only. All information is provided on a voluntary basis by the applicant. If the applicant does not wish to provide relevant information they may choose not to do so, but this may impact on the progression of their application.
The company will collect a range of information about you in the course of your job application. This may include (but is not limited to):
This information may be collected in a variety of ways – such as through an application form or CV; by the applicant providing documents (such as identity documents); information collected through the assessment process including interview records and other assessment information.
We may also collect personal data about you from third parties, such as references supplied by former employers. We will seek information from third parties only once a job offer has been made to you and with your explicit consent (stated on the application form) that we may do so.
Data will be stored in a range of different places, including on your application record, in our HR management systems and our email system.
There are a number of reasons for this:
Your data is only used for the purpose for which it is provided – namely the recruitment process and on-boarding of successful candidates who accept a role with the company.
Your information will only be viewed or used by those in the company who are involved in the recruitment process including an assigned third party to undertake all the necessary compliance checks, of which any offer of employment made to you is subject to.
This includes, but is not limited to, the following:
If you are a successful candidate and join the company, your initial data forms part of your employee record and therefore becomes subject to the retention periods as stated in our Archiving Policy.
The assigned third party who collect your personal data for the purposes of compliance will hold your data for a period of six months.
If you an unsuccessful candidate, your data is retained for a six month period in case of any question following the conclusion of the recruitment process. In rare situations we may retain data for longer but will only do this if there is a specific and documented reason to do so (for example, to defend a legal claim).
As soon as we collect your data you have all individual rights as stated in the GDPR and Data Protection Act 2018. If you wish to exercise any of these rights please as a result of your recruitment application, please contact GDPR@edenfutures.org setting out your request.
By entering into the company recruitment process and providing personal and other data on a voluntary basis, you are providing consent for the use of that data as set out in this statement. If you refuse to provide any data requested that will impact on our ability to proceed with any application or employment offer.
If you require further information about the use of data within the recruitment process, please contact GDPR@edenfutures.org or contact a member of the company recruitment team.