eMBED Privacy Notice


eMBED Health Consortium is a collaboration of four service leaders which provide commissioning support services to the Yorkshire and Humber Health Community. For more information please refer to About eMBED. This notice is issued by Kier Business Services Limited acting as lead contractor for the EMBED Health Consortium.

This Privacy Policy (together with our Terms of Use, Cookie Policy, Acceptable Use Policy and any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following Privacy Policy carefully to understand how we use and protect the information that you provide to us.

This Privacy Policy is a statement as to how we shall process your personal data. We take the security and privacy of you and your personal data very seriously and we are committed to safeguarding your privacy. Please be aware that communications over the internet, such as emails, are not secure unless they are encrypted. We do not accept any responsibility for any unauthorised access or loss of personal data beyond our control.

This Privacy Policy may change from time to time so please check it periodically.

We are committed to the security of your personal data. All of our employees, sub-contractors and members of the EMBED Health Consortium and their respective employees and sub-contractors, with access to your personal data and/or who are associated with the processing of that data, are contractually obliged to respect the confidentiality of your personal data.

We have implemented technology measures and security policies to protect the personal data that we have in our control from unauthorised access, improper use, alteration, unlawful or accidental destruction or accidental loss.

We and the EMBED Health Consortium have implemented governance standards appropriate to the provision of services to NHS customers in line with the requirements of the Health & Social Care Information Centre and the Information Governance Statement of Compliance (http://systems.hscic.gov.uk/infogov/igsoc).

Your Rights

You have the right to object to your personal data being used for ‘direct marketing’ and/or ‘host mailing’ purposes. You can change your options in relation to the information you wish to receive at any time by contacting our Information Security and RA Team Manager in writing by post or email.

You can set your internet browser to refuse cookies or you can ask your internet browser to alert you when a cookie is being set up (see our Cookie Policy).

Under the Data Protection Act individuals have the right to have access to personal information held about them by the organisation. This is known as a ‘subject access request’ (SAR). Requests may be received from members of staff, service users or any other individual with whom the organisation has had dealings and about whom it holds data. There are statutory requirements to respond to such requests within 40 days.

Members of the public should contact the department they have dealt with stating that the request is a Subject Access Request or write to:-

Information Security and RA Team Manager

Subject Access Request

eMBED Health Consortium

3rd Floor

Douglas Mill

Bowling Old Lane


West Yorkshire


Kier staff can make a Subject Access Request through AskHR@Kier.co.uk.

You have the right to request corrections be made to the personal data held by us about you by contacting our Information Security & RA Team Manager in writing by post or email.

You have other rights under the DPA in relation to our processing of your personal data.


In line with the eighth principle of the Data Protection Act, all data processed by eMBED is processed within the UK and does not leave the EEA. Where it is intended for data to be transferred outside of the EEA, a privacy impact assessment will be completed and consent will be obtained before any transfers commence.


Making a complaint

Where you have concerns or think that your personal data has not been processed appropriately in line with legislation, you may lodge a complaint. Please write to the Information Security & RA Team Manager using the below details, stating the nature of the issue and any supporting information.

Where this process has been followed and you feel that you have not had the issue resolved, you can raise these concerns with the Information Commissioner’s Office via their website or using their helpline 0303 123 1113.

Data Processing We Perform

Human Resources and Learning Development

eMBED Health Consortium provides Human Resources, Organisational Development, HR Systems Support and Payroll transactional services to customers. This involves the management and processing of information from recruitment through the employment lifecycle to leavers processes and would include supporting the organisation through any disciplinary actions taken against employees. The information processed falls within the sensitive personal information classification. The commissioning organisation legally remains the data controller under the Data Protection Act with eMBED acting as a data processor.

Where an individual applies for a vacant position they are consenting to the use of this data and we will use the information provided to process their application. Where we are required to disclose this information to a third party to obtain references or to the Disclosure and Barring Service, this would be discussed and consent obtained during the application process unless the disclosure is required by law.

Where an applicant is unsuccessful in obtaining a position their information will be held for 12 months following the completion of the recruitment. Following this period the information will be disposed of securely following organisational policy. Anonymised information for statistical purposes will be retained to allow the effective management of the service.

Where an applicant is offered a position within a customer organisation, a record will be created for this individual on the Electronic Staff Record system and a personal file compiled. The Electronic Staff Record System is a system purchased for use by eMBED by commissioning CCGs. The system is run by The Health Information Service. More details can be found here.

These records will be maintained in line with retention schedules set out within Records Management Policies.

Employee data is processed under the Data Protection Act Schedule 2 – The processing is necessary for the performance of a contract to which the data subject is a party and Schedule 3 – The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment.

Patient Advice and Liaison Service

The Patient Advice and Liaison Service (PALS) offers confidential advice, support and information on health-related matters. They provide a point of contact for patients, their families and their carers. This service is run on behalf of Clinical Commissioning Group customers.

The service handles personal sensitive information on behalf of individuals contacting the service. Consent is obtained from individuals when contacting the service and details will be provided to the individual on how their information will be shared to resolve the query or issue. Information supplied to the service is used only to progress the query, with aggregate statistical information supplied to service commissioners to manage the contract.

Information is therefore processed under the Data Protection Act Schedule 2 – The data subject has given his consent to the processing and Schedule 3 – The data subject has given his explicit consent to the processing of the personal data.


Our primary reason for collecting your personal data through this Site is to address enquiries which you may make on our Site from time to time and provide you with the most efficient service possible. We do not anticipate collecting or processing sensitive personal data about you through this Site.

Our Site may contain links to other websites. Please note that we are not responsible for the privacy practices of such other websites and advise you to read the privacy statements of each website you visit which collects personal information.

When you contact us via the “Contact Us” link on our Site, by telephone or by email, we will collect personal data from you.

Personal information may also be obtained automatically by your internet browser.

The types of personal data which we may collect from you could include, for example, your name, email address, telephone number, postal address and other information collected through the “Contact Us” link on our Site.

We may also collect technical and non-personally identifiable information about your visit to our Site through the use of cookies. This information may include, for example, the pages which you browse and the “IP” (Internet Protocol) address used to connect your computer to the internet. This information helps us to better manage and develop our Site. Further information about the cookies we use can be found in our separate Cookie Policy.

Unless otherwise stated, the copyright and other intellectual property rights in all material on this Site (including without limitation photographs and graphical images) are owned by us or our licensors. For the purposes of this legal notice, any use of extracts from our Site for any purpose is prohibited. If you breach any of the terms in this legal notice, your permission to use this Site will automatically terminate and you must immediately destroy any downloaded or printed extracts from our Site.

No part of this Site may be reproduced or stored in any other website or included in any public or private electronic retrieval system or service without our prior written permission.

Any rights not expressly granted in this legal notice are reserved.

You must not visit or use this Site for the purposes of Commercial Gain.

If your use of material on this Site results in the need for servicing, repair or correction of equipment, software or data, you assume all costs thereof.

Further Information

If you have any queries about our processing or use of your personal data you should write, in the first instance, to our Information Security & RA Team Manager.

If you want to learn more about your rights regarding your personal data, you should contact the Information Commissioner’s office information line on: (0044) 01625 545745 or visit their website at www.ico.org.uk.



Definitions and Interpretations
The following words and expressions have the following meanings unless inconsistent with the context:
“Information Security & RA Team Manager” Barry Jackson who can be contacted by post at Health Place, Wrawby Road, Brigg, North Lincolnshire, DN20 8GS or by email at barry.jackson@nhs.net
“Cookies” a small amount of data sent from the server, which is then stored on your computer’s hard disc drive;
“DPA” Data Protection Act 1998 as amended from time to time;
“data processors”, “personal data”, “process” or “processing”, “sensitive personal data” as defined in the DPA;
“EMBED Health Consortium” means the companies and organisations identified on our Site as members of such from time to time;
“Site” www.embedhealth.co.uk;
“we”, “us” or “our” Kier Business Services Limited, a company registered in England and Wales with company number 03679828 and also registered with the Information Commissioner as a data processor registration number Z6062958 whose registered office is at Tempsford Hall, Sandy, Bedfordshire, SG19 2BD acting as lead Contractor for the EMBED Health Consortium and who may be contacted on enquiries@embedhealth.co.uk; and
“you”, “your” an individual, company, or firm accessing our Site.

References to any statute or statutory provision include, unless the context otherwise requires, a reference to the statute or statutory provision as modified or re-enacted and in force from time to time, and any subordinate legislation made from time to time under the relevant statute or statutory provision.

References to “persons” include natural persons, firms, partnerships, companies, corporations, associations and organisations (in each case whether or not having separate legal personality).

Use of any gender includes the other genders.

Words in the singular include the plural and words in the plural include the singular.

Any reference to “writing” or any cognate expression includes communications by post and email but excludes facsimile and text messages.

The headings to Conditions do not affect the interpretation of these Conditions.

Any phrase introduced by the term “include”, “including”, “in particular” or any similar expression will be construed as illustrative and will not limit the sense of the words preceding that term.


Governing Law and Jurisdiction

This legal notice and any dispute or claim arising out of or in connection with it or its subject matter will be governed by and construed in accordance with the laws of England and Wales.

The parties irrevocably agree that the courts of England will have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this legal notice or its subject matter.