NDPP Privacy Notice

Ingeus UK Limited is committed to protecting your privacy and being transparent about how we process your personal information. This document describes what data we collect, why we collect it, how we use it, how we keep it secure, and the conditions under which we share it. It also outlines your rights under the General Data Protection Regulation and the Data Protection Act 2018. It also contains important information about your rights as an individual and how to contact us. Further information is available on the Privacy section of the Ingeus website (www.ingeus.com).

What is the NDPP Programme?

The National Diabetes Prevention Programme (NDPP) supports individuals at risk of contracting Type 2 Diabetes to change their lifestyle habits, such as diet, exercise and weight loss, to avoid contracting the condition.

Who are we?

Ingeus UK Limited is a company incorporated in England, registered at Companies House under number 04320853, and is a provider of people-centred services (such as employability programmes, youth programmes and health-related support) which help people to reach their full potential. We have a network of organisations which we use to help us deliver these services, either to provide support or to deliver services on our behalf- they are called our Delivery Partners. Our key Delivery Partners for the NHS National Diabetes Prevention Programme are Leicester Diabetes Centre, an internationally renowned NHS applied health research centre, Oviva and Changing Health, digital providers of health education and support services.
Ingeus UK Limited is the Data Controller in relation to the processing of your personal data for the purpose of delivering the NDPP service. In this notice, the term ‘we’ means Ingeus and our Delivery Partners.

The types of information we use

The types of information we may collect and keep on record about you includes:

  • Personal details such as your name, address, contact details, and NHS number
  • Physical and mental health conditions
  • Family details e.g. next of kin information
  • Information regarding your lifestyle and social circumstances
  • Weight readings
  • Details of your GP
  • If you provide it, socio-demographic information such as your ethnicity and religion
  • With your explicit consent, in order to assess the quality and standard of the NDPP programme delivery by our Educators, we may also obtain video/audio recordings of a small number of core programme sessions that may indirectly include visual and audio information about you
Ingeus UK Limited process your information in order to provide you with the best possible support whilst on the programme, as well as to meet the requirements of our contracts and other legal obligations. We cannot process your information without having a valid, lawful reason for doing so.

How and why we collect and use your information

All organisations must have a valid, lawful reason to process your information. We collect and use your information for the purposes of administering the services we are contracted to deliver on behalf of NHS England, Public Health England and Diabetes UK. Key reasons for processing your information are:
  • To bring you on board the programme. We will receive information including name, address, date of birth, NHS number, and further information
  • When you attend your first appointment and throughout the programme
We endeavour to provide you with the highest quality of service and therefore need to keep information about you, your health, the services and care we have provided and those which we plan to provide to ensure that:
  • We provide a good basis for any support or advisory services we offer to you
  • The support and the services we provide are safe, effective, appropriate and relevant to you
  • We work effectively with others providing you with treatment, support, advice or other health related services

Your information may also be used for:

  • Performance monitoring and quality assurance purposes to help us assess the quality and standard of our services to you and in order to help us meet contractual requirements with our delivery partners and commissioners
  • Conducting investigations in response to a complaint or enquiry
  • Accounting and record keeping e.g. keeping accounts related to business activities and financial management
  • Research and evaluation such as participating in feedback surveys

Research and evaluation

In order to ensure that we provide you and future participants with the best possible service, we may from time to time conduct research and evaluation. Sometimes we will do this by aggregating and anonymising the data, which means that no one can identify you. In addition, we may use your data for analytical purposes to generate and share insights that help us deliver improved services and outcomes not just for our participants but wider society as well.
On occasion we may ask you to take part in a new piece of research and provide additional information or share your personal information with a third party for the purpose of research, this will only ever be done with your knowledge and consent.

Sharing your Personal Information

The aim of this programme is to assist you as best as possible during your time on the programme. As such, we may work with other organisations to identify certain services that we think you could benefit from. In this way, you do not have to repeat yourself and provide the same information over again. We may therefore share information about you with the following partner organisations to support the service we provide and to assist with your care:
  • NHS England who are the commissioners of the programme and stipulate within our contracts with them what information is to be shared, how we share it and the information security requirements that must be adhered to.
  • Delivery Partners who we work with to provide the National Diabetes Prevention Programme, such as Oviva and Changing Health, who offer interested participants the opportunity to take part in the programme via a digital mobile phone application or online desktop platform. However, we will only provide the minimum information necessary to support you and will only do so with your explicit consent (see below for more information about consent).
  • Your GP regarding your ongoing progress on the programme.
  • If you agree, to support organisations such as Leicester Diabetes Centre, who are evaluating the service that we are providing you.
To ensure the appropriate people are involved in your care in line with your wishes, to protect the health of the general public or to check the quality of service we have given you; with your consent (and in line with strict information sharing protocols), we may also share your information with:
  • Carers, your partner or other family members
  • Social Services
  • Education Services
  • Local Authorities
We will not share information that identifies you to any third party, other than those listed above for any reason, unless:
  • You ask us to do so
  • We ask and you give us specific permission to do so
  • We are required to do this by law e.g. by request of a court order
  • We are required to share personal information with other organisations, such as the HRMC or law enforcement agencies for the detection and prevention of fraud and other crime
  • We are required to share information for financial or audit purposes
  • We have special permission because we believe that the reasons for sharing are so important that they override our obligation of confidentiality e.g. to communicate with emergency services or other organisations to prevent someone from being seriously harmed
We do not transfer your personal information outside the EEA.
Ingeus UK cannot process your personal information without having a valid, lawful reason for doing so. For further details about the organisations we share information with ad the legal basis for sharing this data please click here.
NOTE: if you first made contact with us through our website and completed the questionnaire, the personal data you submitted are retained in an application (MailChimp) whose data centres are in the United States. MailChimp is a trusted partner who secures data in accordance with GDPR.  The only data held in this application is your name and email address. 

How long will we keep your personal information?

We will only retain information for as long as contractually and legally necessary. Information is retained according to contractual requirements set by NHS England, Public Health England and Diabetes UK. Once we are no longer required to keep your personal information, it will be securely destroyed, in accordance with destruction guidelines. The following table provides you with information on how long we keep your information:
Type of Information Length of Time
Your participant file  Six years
Any video or audio recordings from sessions (used for quality and assurance purposes) One month
Information relating to fraud or any legal complaints you have made against us  For as long as we reasonably consider that you might legally bring an additional or repeat claim against us or to meet other statutory obligations
Financial information relating to payments we have made to you whilst on the programme Six years following the end of the tax year 

How the law protects you

The law protecting your personal information is the General Data Protection Regulation (GDPR) and Data Protection Act 2018. As custodians of your personal information, Ingeus UK are committed to ensuring that your personal data is processed lawfully and respectfully, and by ensuring that we are compliant with the law.
In accordance with the GDPR, Ingeus UK and its partners must have a valid lawful reason to process your information. If you want to know more about the legal basis for processing your information, please go to: https://www.ingeus.com/uk/privacy where you can find additional information.


Where we need your agreement to process your information, for example, to pass your contact details to someone offering a specific service, we will ask for your consent, and will clearly state why your information is needed and who we will share your information with. If you agree to your information being shared, we will record your consent on your record. We will regularly review consent to make sure that the relationships, and purposes for processing, have not changed.

Right to Withdraw Consent

Where you have provided consent for us to share your information with a specific organisation or individual, you have the right to withdraw your consent at any time. Should you wish to withdraw your consent, please tell an Ingeus member of staff, or, send a written request to the Data Protection Officer (address below), who will process your request.

Keeping your information safe

We are committed to taking all reasonable measures to ensure we maintain the confidentiality and security of personal data for which we are responsible, whether electronically or on paper. We do so to ensure that we are always compliant with data protection laws and information security standards, for example, the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA) and the Human Rights Act 1998 (HRA).
Ingeus UK have appropriate security measures in place to prevent personal information from being accidentally lost, used or accessed in an unauthorised way. We limit access to your personal data to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
All Ingeus UK staff are required to complete mandatory data protection and information security training to ensure they understand their responsibilities in relation to processing your personal information. Internal and external audits are also undertaken to ensure that data protection laws are being complied with.

In addition, all of our staff are required to work according to the Ingeus Health & Care Confidentiality Code of Conduct and are subject to the Common Law Duty of Confidence and the NHS Confidentiality Code of Conduct which requires us to protect your information, inform you of how your information will be used, and to allow you in most cases to decide if and how your information can be shared.
We have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents and a Caldicott Guardian who is responsible for the management of your information and its confidentiality.

Your rights

The GDPR and Data Protection Act 2018 grants you certain rights regarding your personal information and the way in which it is processed. This gives you more control over what organisations are doing with your information. These include the right to:
  • be informed of why and how we process your data
  • request a copy of the information we hold on you
  • have any incorrect information updated and put right
  • deletion of information, once we have no legal right to hold it
  • restrict processing in certain circumstances
  • object to unwarranted processing
  • ask us to transfer your personal information to another organization
  • object to any automated decision-making including profiling

The right to be informed

Ingeus UK Ltd is committed to ensuring that you are always aware of what we are doing with your information and are kept abreast of any changes to the processing of your information. We do so through this Privacy Notice, which is reviewed and updated as and when required.

The right of access

You have the right to ask for the personal information we hold about you. This is known as a Subject Access Request. However, while we will do our best to comply with your request, there may be circumstances where we are unable to fulfil your request, for example, where information we hold has been provided to us in confidence.
When requesting your personal information, you will need to include the following information:
  • your full name, address and contact telephone number;
  • any information used by the organisation to identify or distinguish you from others of the same name (account numbers, unique ID's etc);
  • details of the specific information you require and any relevant dates

The right to rectification

We endeavour to ensure that the information we hold about you is always accurate, however, there may be instances where the information we hold is no longer up to date. You can ask that we rectify any information about you that is incorrect. We would be happy to rectify such information but may need to verify the accuracy of the information first. Please speak to an Ingeus member of staff so that any inaccuracies can be investigated and corrected where necessary.

The right to erasure

You have the right to request that certain personal information be erased from our systems if you feel that there is an underlying legal issue to us processing your information, or, where you withdraw your consent.
While you may request for your information to be erased, this does not mean that we will necessarily be able to comply with your request, as there may be a legal reason that we are required to keep your information. As such, each request is considered on a case-by-case basis.

The right to restrict processing

You have the right to request us to ‘restrict’ the processing of your personal information, for example, if you are unsatisfied about the accuracy of the data and we undertake an investigation. We can continue to use your personal data following a request for restriction where we need to use it to establish, exercise or defend legal claims, or we need to use it to protect the rights of another individual or the company.

The right to data transfer to another organisation (portability)

You have the right to request us to provide you with a copy of the personal information that you have provided to us, and which we process electronically. The data must be in a machine-readable format that facilitates transmission from controller-to-controller. This allows you further use of the data and enables you to move between service providers without any loss of data.
While you may request data portability, this does not mean that we will be able to comply with your request, as there may be reasons that we are unable to comply your request. As such, each request is therefore considered on a case-by-case basis.

The right to object to how we use personal information

You have the right to object to us processing your personal information for the following reasons:
  • Direct marketing,
  • Scientific/historical research and statistics,
  • Legitimate interests and processing regarding the performance of a public interest or official authority task.
While you may object, this does not mean that we will necessarily be able to comply with your request, as there may be reasons that we are unable to comply, such as other legal obligations. Each request is therefore considered on a case-by-case basis.

The right to object to automated decision making, including profiling

Ingeus do not carry out any automated decision making or profiling regarding you or the personal information.
If you have any questions in relation to your rights, or if you would like to receive a copy of your records, correct or request erasure of your personal information, or object to the processing of your personal data, please contact the Data Protection Officer.
To make a request:
  • You can tell your key worker who will start the process for you
  • You can send your request in writing to: The Data Protection Officer, Ingeus UK Ltd, 18 Mansell Street, London, E1 8AA
  • You can email DataProtectionOfficer@ingeus.co.uk

Please note: Your request will need to include sufficient information to enable us to correctly identify your records (e.g. full name, address, date of birth, and NHS number if known) otherwise we may need to return to you for verification purposes before we can process your request.

Complaints and Disputes

If you raise a query or complaint in relation to your data rights, we will endeavour to respond as soon as possible. Requests for a copy of your information will be responded to within a one-month period. If you are still not satisfied with how Ingeus is processing your information, you can write to the Information Commissioner’s Office at:
Information Commissioners Office, Wycliffe House. Water Lane, Wilmslow, Cheshire, SK9 5AF

Review of this privacy notice

We review this Privacy Notice to ensure we keep you up to date about what we are doing with your personal information and any changes in processing. This privacy notice was last updated on 21st October 2021.
If you require this notice in a different format or you need further information or assistance, please contact the Ingeus Data Protection Officer via the contact details listed above.