Privacy Policy

Under General Data Protection Regulation (GDPR), everyone who has data held by an organisation is a 'data subject' and has rights regarding how their data is held, used and disposed of.

CDEP's Terms and Conditions and Privacy Policy comply with GDPR and the rights listed below.

  • The right to be informed - Data subjects must be told what personal data is being held, what it is being used for and why. They should also be informed timeously if any data breaches occur.
  • The right of access - Upon request, data subjects are allowed to see what data of theirs is being processed.
  • The right of rectification - If personal data held by organisations is incorrect; they have an obligation to correct it.
  • The right to erasure - Data subjects can demand that personal data held is deleted where there is no compelling reason for its ongoing storage.
  • The right to restrict processing – Data subjects have the right to request the restriction or suppression of their personal data. This is not an absolute right and only applies in certain circumstances.
  • The right to data portability - At the data subject’s request, their data must be moved to another processor.
  • The right to object - If a data subject does not like the way their data is being used, they can request that the use is stopped. This must then be stopped unless there is an overriding, legitimate reason to continue using it.
  • Rights in relation to automated decision-making or profiling - Data subjects can demand that a human reviews any decision made by software alone.

Click here for more information on the GDPR and the rights it provides for individuals.

CDEP appreciates that your privacy is of utmost importance and that you are concerned about the way your information is used and shared. We respect and value all CDEP users’ privacy and only collect and use information that is useful to improving the learning opportunity offered to you, and in a manner consistent with your rights and our obligations under the law.

What is this Privacy Policy for?

This privacy policy is for Cambridge Diabetes Education Programme (CDEP). The policy sets out how we use personal data and what data we publish or share with other organisations.

General data protection statement

Any personal information you share with us will be processed in accordance with the UK Data Protection Act 1998.

Your data will be used for the purposes of managing CDEP (i.e. providing you with secure access to CDEP’s online diabetes education platform to complete your e-learning topics and access your reports, certificates and reflection documents).

Access to your CDEP account is password protected and passwords are account specific.

On request, we will share aggregate staffing cohort data with an organisation or wider commissioning bodies such as the Clinical Commissioning Group (CCG) or Clinical Networks, provided they have purchased bulk CDEP licences in order to monitor uptake and utilisation of CDEP within their region so as to support equality in diabetes education opportunities as well as target local diabetes education and training strategies. We also publish aggregated, anonymised data for audit and research purposes.

If you have given your consent for us to do so, CDEP will share your name and associated high-level training activity (topics started, topics completed and topic feedback) with your employing organisation for the purpose of updating local staff training records and supporting your role development. Your consent to do so is requested as part of the registration process and can be amended at any time via your CDEP account profile.

CDEP will, from time to time, contact you (via email) to invite you back to complete training you ahve alreayd started or to inform you of any new content or additions to the diabetes learning opportunities CDEP offers you. You may opt-out of these emails at any time.

CDEP has appropriate organisational and technical measures in place to look after your personal data and we will not keep it for any longer than is necessary.

For users who self-fund their own access to CDEP:

  • Identifiable personal data is retained for a period of 2 years after the user’s account has expired and all activity on the account has ceased.
  • This is to allow the user to return to access their training records and certificates for purposes of providing evidence for professional revalidation and appraisals (certificates expire at 2 years after completion so they will no longer be relevant after 2 years).
  • After this point, the user’s personal identifiable information will be automatically erased by CDEP.

For organisations that purchase bulk licences for staff training purposes:

  • All associated data is retained for as long as there is an agreement in place with the organisation to deliver online training services, unless otherwise instructed by the organisation.
  • Thereafter, identifiable personal data is retained for a period of 2 years after the staff member’s account has expired and all activity on the account has ceased.
  • This is to allow the user to return to access their training records and certificates for purposes of providing evidence for professional revalidation and appraisals (certificates expire at 2 years after completion so they will no longer be relevant after 2 years).
  • After this point, the user’s personal identifiable information will be automatically deleted by CDEP.
  • Should an individual request CDEP to delete their personal data prior to this date, as is their right under GDPR, but their data held falls within the control of their employing organisation, CDEP will liaise with their organisation prior to deleting this data.
  • Aggregated, anonymised data will be indefinitely stored to support ongoing audit and improvements to the learning platform and to track progress overtime.
  • CDEP reporting dashboard accounts, for monitoring of the organisation’s training activity, have no expiry data. Reporting Dashboard account information will be processed for the duration the training agreement is in place with the organisation. Should a staff member’s role change or they leave the organisation and it is no longer appropriate that they have access to the CDEP reporting dashboard, CDEP will immediately delete the account on the organisation request.

For the avoidance of doubt, if an organisation purchases CDEP licences for staff training purposes, they are the data controller and CDEP is the data processor of the data held for these CDEP users.

The CDEP and CDEP Reporting Dashboard websites

CDEP has taken all the necessary steps to protect your privacy. This is a fundamental part of CDEP’s design and functionality. This website complies with all UK national laws and requirements for user privacy. All personal data is held securely and in accordance with GDPR.

CDEP has no inbuilt, automated decision-making or profiling functionality. There are no advertising or sponsored links used on the website.

CDEP does not have access to or store any banking details. All online financial transactions are conducted directly on the PayPal website and fall within their security and privacy policies.

CDEP uses Google Analytics tracking software to better understand how you use the website and provide feedback to help us continually improve the user experience we offer. Google is certified under the EU-US Privacy Shield.

Electronic communications are by nature, not guaranteed to be 100% secure and CDEP urges you to make use of appropriate security tools on your local device.

How does CDEP use your personal data or CDEP activity and why?

We use your personal data (name and email address) for the following purposes:

  • to register and manage your CDEP account and associated learning acitivity,
  • to individualise your topic certficates and reflection documents,
  • to communicate with you, and
  • to troubleshoot any issues you report to us.

CDEP uses your anonymised, aggregated CDEP demographic and activity data for the following purposes:

  • Aggregated data is used for CDEP internal audit purposes to continually enrich the learning opportunity provided as well as external quality assurance to provide ongoing evidence of CDEP's quality training functionality.
  • For organisations, who have purchased bulk CDEP licences, aggregated learning activity data relating to their cohort of staff is provided to support them in monitoring uptake and utilisation of CDEP so as to ensure equality of education opportunities as well as help target local diabetes education and training strategies across their area.
  • For organisations, who have purchased bulk CDEP licences to utilise CDEP as a staff training tool, the names of consented staff with CDEP accounts and the associated high level training activity undertaken are also provided in order for them to update individual staff member's locally held training records.

Aggregated data provided in reports to organisations include:

  • Roles of the staff using CDEP (i.e. nurse, doctor, dietitian, paramedic, midwife, podiatrist, etc)
  • Name of the practice / trust / care home / etc. in which staff work
  • Healthcare sector (general practice, hospital trust, community service, ambulance trust, mental health trust, other)
  • Clinical commissioning group or health education area that organisation falls into (source: NHS Digital Data)
  • Total number of staff registered, the date registered and date that the account expires
  • CDEP registration level (core, intermediate, diabetes specialist, expert or consultant)
  • Total number of registered users active on CDEP (i.e. started a topic)
  • Total number of registered users with completed topics (i.e. certificates)
  • Total number of certificates generated and names of the topic certificates
  • Average number of attempts per topic and per competency
  • Which learning resources have been accessed
  • Average evaluation of the impact of undertaking CDEP
  • Anonymised verbatim feedback

Other than as set out in this policy, CDEP does not pass on your personal information to any third parties apart from when this is necessary to comply with the law.

Use of cookies

This website uses cookies to improve your experience when visiting the website. Cookies are small files saved to your device that track, save and store information about your interactions with and usage of the website. This allows the website, through its server, to provide you with a tailored experience within this website. If you don’t want cookies to be stored on your device, you should make the necessary changes to your device or the relevant browsers or apps.

Google Analytics tracking software will save a cookie to your device in order to track and monitor your engagement and usage of the website, but will not store, save or collect personal information.

Contact and Communication

CDEP attempts to ensure its email communication process is safe and secure, but the nature of electronic communications means this is not completely secure.

We use information you submit:

  • to gently prompt you to return to CDEP to make full use of the learning opportunities offered,
  • to provide you with further information about CDEP,
  • to assist you in answering any questions, address issues or troubleshoot any problems you may have and
  • to let you know when your CDEP acocunt has expired and how to access further CDEP training should you wish to do so.

Email newsletter

Emails will be sent to you (via Mailchimp) which contain tracking facilities within the actual email. Your email activity is tracked and stored in a database for future analysis and evaluation. Such tracked activity may include; the opening of emails, forwarding of emails, the clicking of links within the email content, times, dates and frequency of activity, other activity around how you access and view the emails and tracking with the aim of improving your experience and how we present our email newsletter going forward. This information is used to refine future email campaigns and supply you with more relevant content based around your activity.

You will be able to unsubscribe from an email newsletter from us by clicking the applicable unsubscribe link in our email – or other instructions provided by us in the email.

External links

Although this website only looks to include quality, safe and relevant external links, take care before clicking any external web links. External links are clickable text / banner / image links to other websites.

We cannot guarantee or verify the contents of any externally linked website. We are not responsible for these external websites or how they use your personal data.

Embedded content

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if you have visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Privacy policies of other websites

CDEP's website contains links to other websites. Our privacy policy applies only to the CDEP website, so if you click on a link to another website, please read their Terms & Conditions. CDEP does not endorse or approve content and bears no responsibility for the accuracy or content of these other websites.

Social media platforms

CDEP participates with social media platforms subject to their privacy policies and terms. CDEP does not request personal data through social media platforms. CDEP recommends that social media platforms be used wisely and people should engage with them using due diligence and caution with regard to their own personal data.

The CDEP website uses social sharing buttons which help share web content directly from web pages to social media platforms. These buttons should be used with care. Please note that the social media platform may track and save requests to share a web page through your social media platform account.

URLs and shortened links

CDEP shares web links on social media. Sometimes, these links can be shortened. These shortened URLs or even the displayed URL can be hacked or otherwise changed against our wishes to divert you to another site. We are not responsible if you are redirected to the incorrect site

Changes to our privacy policy

CDEP regularly reviews its Privacy Policy. This privacy policy was last updated on 11th November 2021. For material or substantial changes to this policy, please note you may be contacted by email if we have your email on file.

Contact CDEP

If you have any questions about CDEP's privacy policy, the data we hold on you, or you would like to exercise one of your data protection rights, please do not hesitate to contact CDEP at email:

How to contact the appropriate authorities?

Should you wish to report a complaint or if you feel that we have not addressed your concern in a satisfactory manner, you are welcoem to may contact the Information Commissioner’s Office via

Further reading and resources

General Data Protection Regulation (GDPR)
Data Protection Act 1998
Twitter Privacy Policy
Facebook Privacy Policy
Google Privacy Policy
LinkedIn Privacy Policy
MailChimp Privacy Policy
PayPal Privacy Policy