Who we are
We are Enable East, an independent business unit within the Essex Partnership University NHS Foundation Trust.
Our Data Controller is:
For HeadsUp: Department for Work and Pensions (for data-related queries of the DWP, please contact https://www.gov.uk/guidance/request-your-personal-information-from-the-department-for-work-and-pensions )
Our contact details are:
Enable East, Severalls House, 2 Boxted Rd, Colchester, CO4 5HG
Our Data Protection Officer is:
This privacy notice provides links to the website of the Information Commissioner’s Office, which are provided for your convenience. We have no responsibility for the content of the linked website.
How do we get information?
Much of the personal information we process is provided to us directly by you for one or more of the following reasons:
- You have made an enquiry to us.
- You wish to use, or have used, our services.
- You are representing your organisation.
We also receive information from some third parties, such as:
- Our delivery partners (on HeadsUp this includes Signpost, Employ-Ability and EPUT).
- Other members of your organisation, on the basis that they expect us to contact you.
- From corporate information in the public domain (e.g. a corporate website or advertising).
We may receive limited details from a third party who believe we may be able to avail you of our services, for example organisations such as the Department for Work and Pensions and other referring organisations that you have contacted.
We may have been asked by our employees to hold your contact details as provided by them, either as an emergency contact or for use as a referee.
Under data protection law (Data Protection Act 2018) you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.
Your right of access
You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. For more information, please visit https://ico.org.uk/your-data-matters/your-right-of-access/
Your right to rectification
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. For more information, please visit https://ico.org.uk/your-data-matters/your-right-to-get-your-data-corrected/
Your right to erasure
You have the right to ask us to erase your personal information in certain circumstances. For more information, please visit https://ico.org.uk/your-data-matters/your-right-to-get-your-data-corrected/
Your right to restriction of processing
You have the right to ask us to restrict the processing of your information in certain circumstances. For more information, visit https://ico.org.uk/your-right-to-limit-how-organisations-use-your-data/
Your right to object to processing
You have the right to object to the processing of your personal data in some circumstances. For more information, visit https://ico.org.uk/your-data-matters/the-right-to-object-to-the-use-of-your-data/
Your right to data portability
This only applies to data you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you, as long as it is technically feasible. For more information, visit https://ico.org.uk/your-data-matters/your-right-to-data-portability/
Request a service adjustment
We have a legal duty to comply with the Equality Act (2010).
This means we need to make service adjustments for anyone with a disability who contacts us in any capacity, to eliminate any barriers to accessing our services. Our legal basis for processing this information is Article 6 (1) (c) of the GDPR, as we have a legal obligation to provide this. Our processing of special category data, such as health data you give us, will be based on Article 9 (2) (a) of GDPR, which means we need your consent.
We will create a record of your adjustment requirements. These will give your name, contact details and type of adjustment required, along with a brief description of why it is required. Relevant staff can access this to ensure they are communicating with you in the required way.
How long we keep it
NHS retention schedule: https://www.england.nhs.uk/wp-content/uploads/2018/05/pcs-records-retention-schedule.pdf
Big Lottery Fund retention schedule: https://www.biglotteryfund.org.uk/big_archive_retention_policy.pdf
What are your rights?
As we need your consent to process your special category data, you have the right to withdraw your consent at any time. Without your consent to process this data there would be severe restrictions on the service we can provide you.
For more information on your rights, please refer to the “Your rights” section above.
Sharing your information
We will not share your information with any third parties for the purposes of direct marketing.
We use data processors who are third parties who provide elements of services for us (our delivery partners). We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it, or in their discharge of duties as our delivery partner. With the exception of this, they will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
If, at any time, we determine that we need to share information beyond the boundaries as described above, at all times we will satisfy ourselves that we have a lawful basis on which to share the information and document our decision making.
Links to other websites
Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit.
Your right to complain
We work to high standards when it comes to processing your personal information. If you have queries or concerns, please contact us at
firstname.lastname@example.org (HeadsUp only)
email@example.com (Enable East generally)
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
0303 123 1113
Changes to this privacy notice
We keep our privacy notice under regular review, to make sure it is up to date and accurate. All details are accurate at the time of publishing.
We do not provide services directly to children, or proactively collect their personal information. If we do receive any information regarding children during the provision of our services, then relevant information within this notice applies to them also.
Should we begin to provide services directly to children, we will follow the guidance outlined by the Information Commissioner’s Office, which can be viewed here https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/applications/children/
We would ensure that where Article 6 (1) of GDPR applies, and the child is under the age of 16, we would meet the obligations of Article 8 generally, and Article 8 (1) of GDPR more specifically.
Managing customer contact
We may impose a restriction on your access to our services if it’s necessary to protect our staff from unacceptable behaviour. In this instance we would hold a record of your contact details and the reason for our actions. The legal basis for such would be Article 6 (1) (e).
If we do this we will explain to you the restriction we have applied and why we have done so. This decision would be made by a manager, and would be reviewed periodically. We will remove the restriction at our discretion, or if you no longer contact us.
How you can contact us
Calling our office
When you ring our main office (01206 228628) we collect Calling Line Identification (CLI) information. This gives us the number you are ringing from, but is not automatically recorded. If you call any Enable East mobile telephones, an electronic record of your phone number will be stored. This will be removed by the recipient when no longer required. Our mobile telephones are secured by passwords and/ or fingerprints and other biometric security measures.
We use this CLI to help us provide our services. We may use the number to call you back if you have asked us to, or if there is a break in the call. We may use it to check against our records to ascertain prior contact. Whilst we do not record calls, it is to be expected that we would take notes when relevant.
We can be contacted via Facebook, Twitter and LinkedIn. Contacts made via these services are subject to the normal conditions of use of these services. As such, we do not claim to control data transmitted via social media. Any data we use will be that given to us by you, and will be processed in line with all our processes outlined in this Privacy Notice.
We use Transport Layer Security (TLS) to encrypt and protect email traffic in line with government guidance on email security. Most webmail such as Gmail and Hotmail use TLS by default.
Emails and attachments sent to us are monitored for malicious software and viruses. You must ensure that any email you send is within the bounds of the law. Any which we discover are not, or are a threat to our security will be referred to third parties which may include law enforcement or data security experts.
Visitors to our website
Analytics and Cookies
We use Google Analytics to collect information about how visitors use our website, to help us improve it. These cookies collect data in an anonymous form, including the number of visitors to our website and blog, where visitors have come from and the pages they visited.
Specifically, we use Universal Analytics (Google) Cookies _ga, _gali, _gat_UA-1036645-1 and _gid
To understand what Google does with data, visit https://support.google.com/analytics/answer/6004245
We also embed videos on our website from YouTube. For information on cookies used by YouTube, visit https://support.google.com/youtube/answer/171780?hl=en-GB
Our website uses WordPress as its contact management system (CMS). For information on cookies used by WordPress, visit https://codex.wordpress.org/WordPress_Cookies
To opt out of being tracked by Google Analytics across all websites, visit http://tools.google.com/dlpage/gaoptout
Security and performance
Purpose and legal basis for processing
The purpose for implementing all of the above is to maintain and monitor the performance of our website, and to constantly look to improve the site and the services it offers to our users. The legal basis we rely on to process your personal data is Article 6 (1) (f) of the GDPR, which allows us to process personal data when it’s necessary for the purposes of our legitimate interests.
What are your rights?
As we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it. For more information on your rights, please see the section, “Your rights”, above.
Visitors to our office
We meet visitors in our office including dignitaries, medical professionals, external training providers, job applicants, suppliers and tradespeople, participants or other users of our services, stakeholders, delivery partners and other organisations.
We ask all visitors to sign in and out using a “visitors book” situated adjacent to our office entrance and within our secure building. The primary purpose of this is as part of our fire safety measures. Information collated in this book will be kept only for the useful lifetime of the book. If you wish to have your details removed from this book as you leave the office, or at any time in the future, please contact us.
There is some CCTV operating around the building, for the safety of our staff, visitors and members of the public. The legal basis we rely on to process your personal data is Article 6 (1) (f) of the GDPR , which allows us to process your personal data when it is necessary for the purposes of our legitimate interests.
We have Wi-Fi on site for the use of visitors. We can provide you with details. During your connection we automatically record the device address, and also log traffic information in the form of sites visited, duration and date sent/ received. We ask that you agree we have no control or responsibility over your use of the internet while you are on site. We do not ask that you provide any of your information to use this service. The sole purpose for processing this information is to provide you with access to the internet whilst visiting our site. The legal basis we rely on to process this personal data is Article 6 (1) (f) of the GDPR, which allows us to process personal data for the purposes of our legitimate interests.
For information about how long we hold personal data, see “How long we keep it”, above.
Reason for contacting us
Make an enquiry
When you contact us to make an enquiry, we collect information, including your personal data, so that we can respond effectively and assist you in accessing our services. The legal basis we rely on to process your data is Article 6 (1) (f) of the GDPR, which allows us to process personal data for the purposes of our legitimate interests.
If the information you provide us with in your enquiry contains special category data, for example regarding matters of health, ethnicity or religion, the legal bases on which we rely to process it are Article 9 (2) (d), 9 (2) (h) and 9 (2) (j). This is because such processing is carried out in the course of our legitimate activities; the processing is required for the provision of health or social care; and the processing is necessary for archiving purposes in the public interest or statistical purposes in accordance with Article 89 (1) of the GDPR.
We need enough information from you to answer your enquiry. If you call our offices we won’t make an audio recording, but we will take contact details and if necessary we might take notes in order that we can provide you with the best service. If you contact us via email or post, we’ll need a return address for response.
If we start to work together we will use your details as part of your file. If we do not proceed to work together we will remove your details from our database unless you ask us to keep them.
We would normally keep contact details for a period of two years after last contact. In certain circumstances we may need to keep them for longer. For details, see “How long we keep it”, above.
When you contact us we act within our professional capacity to respond to your enquiry, so you have the right to object to our processing of your personal data. For further information, please refer to the “Your rights” section above.
Applying for a job or to be an associate
Our purpose for processing this information is to assess your suitability for a role you have applied for. (Unless specified below, the use of “employee” or “employment” will cover both those seeking employment within Enable East and those seeking associate roles, and does not imply the existence of a contract of employment between associates and Enable East.) The legal basis we rely on for processing your personal data is Article 6 (1) (b) of the GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract. The legal basis we rely on to process any information you provide us with which is special category data such as health, religion or ethnicity, is Article 9 (2) (b) of the GDPR, which also relates to our obligations in employment and the safeguarding of your fundamental rights. In addition we rely on Article 9 (2) (h) for assessing your work capacity as an employee, as well as Schedule 1 part 1 (1) and 2 (a) and (b) of the DPA2018 which relates to processing for employment, the assessment of your working capacity and preventative or occupational medicine.
We’ll use all the information you provide during the recruitment process to progress your application with a view to offering you an employment contract with us, or to fulfil legal or regulatory requirements if necessary. We will not share any of the information you provide with any third parties for marketing purposes. We’ll use the contact details you give us to contact you to progress your application. We’ll use the other information you provide to assess your suitability for the role.
We do not collect more information than we need to fulfil our stated purposes and will not keep it longer than necessary. The information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for, but it may affect your application if you don’t.
If you are applying to register as an associate, we would ask you for a CV and then send you a link to the Enable East database and the relevant registration form.
We will ask for personal details including name and contact details. We’ll also ask you about previous experience, education, referees and for answers to questions relevant to the role. Our recruitment team will have access to all this information.
You will also be asked to provide equal opportunities information. This is not mandatory. Not providing it will not affect your application. We will not make this information available in a way that can be used to identify you. Such data will be used to produce and monitor equal opportunities statistics. The legal basis on which we rely to process this information is Article 9 (2) (g) of the GDPR.
We may ask you to participate in assessment days; complete tests or occupational personality profile questionnaires; attend an interview; or a combination of these. Information will be generated by you (e.g. your responses to a written test) or by us as e.g. interview notes. This information is held by us. If you are unsuccessful after assessment for the role, we may ask if you would like your details retained in our talent pool. If you say yes, we would proactively contact you should any further suitable vacancies arise.
If we make you a conditional offer, either as an employee or to register as an associate, we’ll ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We must confirm the identity of our staff and associates, as well as their right to work in the United Kingdom; and seek assurance as to their trustworthiness, integrity and reliability. You must therefore provide:
- Proof of your identity. You will be asked to attend our office with original documents, and we will take copies.
- Proof of your qualifications. You will be asked to bring in original documents, and we will take copies.
- A criminal records declaration to declare any unspent convictions.
- If a DBS check is required, either as an employee or an associate, we will use the standard NHS service provider, covered by the privacy notice shared above.
We will contact your referees directly, using the details you provide in your application, in order to obtain references. We will also ask you to complete a questionnaire about your health to establish your fitness to work.
If we make a final offer, we’ll also ask you for the following:
- Bank details, so we can process salary payments.
- Emergency contact details, so we know who to contact if you have an emergency at work.
- Where relevant, information about previous or existing membership of the NHS pension scheme.
For information about how long we hold personal data, see “How long we keep it”, above.
Please see the section “Your rights”, above, for more information on your personal data.
Our purpose for collecting this information is so we can respond to you and give information about our organisation and programmes. The legal basis we rely on for processing your personal data is legitimate interests, under Article 6 (1) (f) of the GDPR.
We would need enough information from you so we can respond to you. We’ll take your name and contact details and, where relevant, the name of the organisation you represent.
We need to keep a record of who we have spoken with and what has been asked for or provided.
We will only use your personal information to respond to you and will make a record of our communications with you, both verbal and written. We will also use your contact details to send you further information and/ or press releases in the future (you can opt out at any time). For details on how long we hold personal data for, see “How long we keep it”, above. For information on your rights as an individual, refer to the “Your rights” section above.
Attend an event, seminar or workshop
Our purpose for collecting this information is so we can facilitate the event and provide you with an acceptable service.
The legal basis we rely on for processing your personal data is your consent under Article 6 (1)(a) of the GDPR. Where we collect special category data such as that regarding dietary requirements, access or religious observation needs we also need your consent under Article 9 (2)(a) of the GDPR.
If you wish to attend one of our events you will be asked to provide your and your organisation’s contact information, as well as such data as we deem necessary for the successful facilitation of the event. We will delete all special category data regarding the event once the event is completed. For information regarding how long we hold other personal data, please see “How long we keep it”, above. As we rely on your consent to process the personal data you give us to facilitate the event, you have the right to withdraw your consent at any time. This may impinge on your ability to attend the event. For more information, please see the “Your rights” section, above.
Subscribe to our e-newsletter
Our purpose for collecting this information is so we can provide you with information about our services, and let you know about upcoming events. The legal basis we rely on for processing your personal data is your consent, under Article 6 (1)(a) of the GDPR.
We need your name and email address to send you our e-communications. We only use your data to provide this service. Currently we do not use third party tracking systems to monitor mail openings. If we do so in the future we will update this policy accordingly.
For information about how long we keep your data, please see “How long we keep it”, above.
As we rely on your consent to process the personal data you provide to us for marketing purposes, you retain the right to withdraw that consent at any time. If you do so, we will update our records immediately and remove you from our mailing list. For further information, please see the “Your rights” section, above.
Request our publications
Our purpose for collecting this information is so we can post the requested publications to you. The legal basis we rely on for processing this information is Article 6 (1)(a) of the GDPR.
We need your name and address so we can send the requested publications to you. We only use your data for this purpose. For information on how long we hold this data, please see “How long we keep it”, above. As we rely on your consent to process your data, you can withdraw that consent at any time. If you do that we will update our records immediately. For more information, please see the “Your rights” section, above.
Communicate with us as a business
We hold the names and contact details of individuals acting in their capacity as representatives of their organisations, across the business. If the interactions relate to suppliers, contracts, buildings management, IT services etc, the legal basis is Article 6 (1) (c) of the GDPR for any legal obligation, or Article 6 (1) (f) because the processing is within our legitimate interests as a business.