Our privacy statement

Our committment to your privacy

Privacy statement

This privacy statement applies to all Edgecumbe owned websites, domains, services, applications and products including but not limited to Edgecumbe Doctor 360, Edgecumbe Health & Edgecumbe Surveys.

Edgecumbe Consulting Group Limited of Whitefriars, Lewins Mead, Bristol BS1 2NT is committed to protecting the privacy of the data that we process and hold and complying with GDPR.

We hold personal data about our clients and their employees; this document explains what information we hold, how we use it and your rights regarding that information.

What data do we hold?

The data we hold may include some or all of the following:

  1. Identifying information – e.g. name, GMC number
  2. Contact information – e.g. email address, postal address, phone number
  3. Professional information – e.g. job title, specialty, place of qualification, year of qualification, CV / biography, education level, job grade or level, employment start date, department/ function, location (your place of work), contract type, working hours, performance rating, income level
  4. Ethnicity information – nationality, race
  5. Physical characteristics – age, gender, disability
  6. Religion, sexual orientation
  7. Behavioural data – psychometric data (e.g. responses to personality, ability and competency questionnaires), attitudinal data (e.g. survey responses), responses to 360° feedback questionnaires, data gathered in interviews
  8. Preference information – consultant / psychologist notes taken during an interview or focus group

Online payment information
In addition to the above, if you elect to pay for our services by Stripe or PayPal, we may hold the last four digits of your payment card number.

Where do we get your data from?

The personal data that we hold is provided to us by you, your respondents to your 360° feedback or your employer.

If you elect to pay by PayPal or Stripe, they may provide us with the last 4 digits of your payment card number.

How do we use your personal data?

  1. Contractual relationship. We may use your data to fulfil a contract to provide services to you or our client (usually this would be your employer). In carrying out these services we may do one or more of the following:
  • use data provided to us by Stripe and PayPal for the purpose of matching service users and payments
  • use your details so that we can communicate with you by email or phone
  • use data provided by completing psychometric questionnaires to prepare a report which summarises your personality, ability and/or competency profile. This may include showing how your responses compare to those of a comparison or norm group, so that your profile can be interpreted fairly and objectively
  • use data provided by respondents completing 360⁰ feedback to provide an external view of an individual’s behaviours and performance
  • use feedback requested during 360⁰ from colleagues, peers and patients to support the revalidation process for hospital doctors and GPs
  • use data provided by your employer that is combined with employee engagement survey responses to produce anonymised aggregate responses that identify themes and patterns within an organisations culture and/or performance
  • use demographic data gathered when you take part in an employee engagement survey to help an organisation measure and improve their employees’ experiences at work and the organisation’s performance
  • use professional data in the form of relevant background information/reports provided by NHS Trusts ahead of assessment interviews to inform the professional opinion of a psychologist
  • use data provided during assessment interviews, coaching and feedback sessions to inform the professional opinion of a consultant / psychologist
  • aggregate data collected on individuals within a team or a group of participants in a programme to provide a report on the group as a whole, in order to help with the group’s development and performance
  • aggregate data collected on individuals within a focus group to create a report on the group as a whole, in order to identify themes and patterns in participant attitudes and preferences
  • use personal data in order to conduct organisational research to help our clients to improve their organisation’s culture and/or performance
  • use personal data in order to provide analyses of trends and patterns in different data sets for an individual, team or organisation (e.g. to track changes over time).
  1. Legal compliance. We may hold your data if we are legally required to do so.
  1. Legitimate business interests.
  • We may anonymise your data for research purposes in order to:
    • produce relevant norm groups so that individuals, teams and organisations can compare themselves to others
    • improve the quality of our services and products
    • conduct and publish research to provide thought leadership in our field.
  • Where data we use for research is special category the anonymising process will take place using the permitted exception to article 9 .2.j archiving, research and statistics.
  • When we provide our Doctor 360 services to client organisations, for the purposes of the UK GDPR the client is the data controller and we act on their instructions as a data processor. We include on the platform the option for the client to provide users with an address book containing professional email addresses of doctors and their colleagues, which is available to users within that organisation. Where this option is selected the information is provided at outset by the client and updated by client organisation doctors and administrators using the system. Edgecumbe has a legitimate business interest in storing and maintaining the address book to help us provide our services, such as streamlining the set-up of a Doctor 360 exercise. All system users can change their email address or remove their personal details from their organisation address book via their profile settings at any time.
  1. Information that we collect automatically on our Websites. Our website or its third-party tools use cookies, which are necessary to its functioning and required to achieve the purposes illustrated in the cookie policy.  If you want to know more or withdraw your consent to some or all of the cookies, please refer to our Cookie Policy.
  1. How we protect your data. The personal information we hold is stored and processed securely in line with the UK government’s guidelines for Cyber security controls, Cyber Essentials Plus*.
  • Your personal information is held and processed in the UK.
  • Your personal information may also be held and processed in the EU.
  • Where your Personal Information is transferred between the UK and any other country, we will ensure that appropriate transfer agreements and mechanisms (such as International Data Transfers Agreements) are in place to protect your Personal Information. Your Personal Information will only be transferred between the UK and any other country in accordance with applicable laws.
  • Where we share your personal information with third parties, we will ensure that the appropriate data processing agreements are in place in accordance with the UK GDPR.
  • Where we share your personal information with our clients (usually your employer) we will ensure that this is only with authorised persons set out in the data processing agreement.
  1. Online payment processing. If you elect to pay for services using the Stripe system (i.e. you elect to pay by credit/debit card) or PayPal, the personal data you provide to complete the transaction may be transferred outside the EEA. To see further information about Stripe’s privacy policy, please click here. For further information about PayPal’s privacy policy, pleased click here.

What we don’t do with your personal data

  • We do not make automated decisions relating to your personal data
  • We do not sell your personal data to any third party
  • We do not transfer your personal data to any third parties other than sub-contractors whose services are necessary for us to carry out our contracted service
  • We do not collect or store credit card details

How long do we keep your personal data?

The information we use to communicate with you will be kept until you notify us that you no longer wish to receive information from us, or you want us to delete your personal data. Any personal data that we hold will be kept in line with the requirements of the Data Controller (this is usually your employer), or if the Data Controller has not provided a deletion policy, we will hold the data until we are requested to delete it.

What are your personal data rights?

If at any point you believe the personal data we hold on you is incorrect, you want us to correct or delete that information, or you no longer want us to hold that information or contact you, you can exercise your rights under the current Data Protection laws. These rights include:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object

For more information about your personal data rights please visit the Information Commissioner Office website at: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individuals-rights/

Who do I contact if I have an issue with or question about the personal data relating to me?

Please contact our Data Protection Officer, Johannah Palmer on 0117 3328255 or email us at GDPR@edgecumbe.co.uk

Our EU representative: As we do not have an establishment in the European Union (“EU”), we have appointed an EU representative in Ireland, who you may contact if you are located in the EU, and wish to raise any issues relating to our processing of your data and/or this Privacy Policy or Cookie Policy more generally. Our EU Representative is SME Comply Ltd, 71 Lower Baggot Street, Dublin, D02 P593. Our EU Representative can be contacted directly by emailing them at the following address: eurep@smecomply.com

How do I make a complaint about how my personal data is being held or processed?

If you wish to raise a complaint regarding the way we have handled your personal data, you can contact our Data Protection Officer (details above) who will investigate the matter. If you are an EU citizen, please contact our EU representative (details above).

If you are not satisfied with our response or believe we are processing your personal data in a manner which is not in accordance with the instructions of the Data Controller or the law, you can contact the Information Commissioner’s Office (ICO) https://ico.org.uk/ Their Helpdesk number is 0303 123 1113.

* For more information about Cyber Essentials Plus please visit: https://www.gov.uk/government/publications/cyber-essentials-scheme-overview