Privacy Policy

We understand, respect and recognise the importance of ensuring that you are made fully aware of how we use your personal data.

This privacy notice will explain:

  • the law and definitions
  • personal data
  • special category data
  • how and why we use your personal data
  • how we protect your data
  • sharing your data
  • your rights
  • our Data Protection Officer
  • Information Commissioner’s Office
  • our website

As our business changes from time to time, we will update and amend our data privacy notice and conditions of use. This is to ensure that we operate in a lawful, fair and transparent way. We may e-mail periodic reminders of our notices and terms and conditions and will e-mail customers of material changes thereto, but you should check our site frequently to see the current data privacy notice and conditions of use that are in effect and any changes that may have been made. We reserve the right to amend this data privacy notice and conditions of use at any time, for any reason, without notice to you. All updates will be made to this notice, which is published on our public-facing website.

The provisions contained herein supersede all previous notices or statements regarding our privacy practices and the terms and conditions that govern the use of this site.

The laws and definitions

You have the right to know what we are doing with your data. Where possible, we use simple and clear English to explain how we are doing this. However, sometimes we need to use certain words which may be difficult to understand.  The list below will explain some of the words that we use:

Data subject: An individual such as yourself

Data controller: An organisation who decides how data is used (processed)

Data processor: An organisation or person who processes data on a data controller’s behalf.

Data protection legislation: Laws which organisations must follow to protect and safely process your data. These laws are made by the UK government and the European Parliament.

DPA 2018: Data Protection Act 2018 (UK law)

GDPR: General Data Protection Regulation (EU law)

Processed or processing: How we use your data. This includes receiving, storing, using and deleting your data.

Identifier: Something which allows you to be identified. This includes anything such as your name, address or eye colour.  An identifier could be anything if someone can tell it is you that is being described.  

Anonymisation: Where identifiers have been removed so you cannot be identified by anyone. Further information on anonymisation can be obtained from the Information Commissioner’s website.

Pseudonymisation: Where an identifier has been changed so only those who know how it has been changed can identify you.

We: NHS Property Services Limited

Personal data

When we use your information, we will often refer to this as personal data.  Personal data is any information which allows us or someone else to identify you. The most common categories of personal data we process are:

  • names
  • addresses
  • email addresses
  • phone numbers and extensions
  • job titles
  • ID numbers

However, this list is not exhaustive. We understand that personal data can take many forms and records could include many different identifiers. Therefore, we look at all data on a case-by-case basis to decide whether the information is considered personal data. 

Data protection legislation tells us how and why we can use personal data of living people. Whilst data protection legislation does not apply to deceased persons, we maintain that we have a duty of confidentiality to our customers past or present.

Special category data

Some categories of personal data require additional protection because they are considered highly sensitive. This is called special category data. Special category data includes:

  • racial or ethnic origin
  • political opinions
  • religious beliefs or other beliefs of a similar nature
  • membership of a trade union
  • biometric data
  • genetic data
  • physical or mental health
  • sexual orientation and sex life
  • criminal data

We handle special category data with a high degree of care and attention. If we collect any special category data we will ensure that all appropriate technical measures and safeguards are taken to ensure that your data is safe.

If you have any concerns with how we are processing your special category data or the reasons why we are collecting special category data, please contact our Data Protection Officer at: DPO@property.nhs.uk

How and why we use your personal data

NHS Property Services Ltd (NHSPS) provides property and facilities management expertise to the NHS. We provide services centred around four main business areas:

  • asset management
  • construction project management
  • facilities management
  • strategic estate planning.

For us to provide a service to you, we will be required to use your personal data. We can process your personal data if we meet one or more of the following legal reasons as set out in data protection legislation (article 6):

  • to fulfil a contract
  • to comply with a legal requirement
  • if a task is carried out in the public interest
  • to carry out our core business functions
  • to protect your vital interests
  • to protect your life (e.g. emergency medical care)
  • we have your consent

In addition, if we collect any special category data, we must also fulfil a second obligation. We must make sure at least one of the following requirements is also met (article 9):

  • we have your consent
  • we require it for employment reasons
  • it is required to protect your life
  • you have made your personal data public
  • it is to establish, exercise or defend legal claims or judicial court action
  • there is substantial public interest
  • for health and social care purposes
  • for archiving, scientific or historical research or statistical purposes

We maintain a register of the legal bases for each of our processes, in accordance with the law.

How we protect your data

We are committed to protecting your data and we will always use your data in safe and secure ways. 

We protect your personal data by:

  • using systems that have appropriate technical measures, such as firewalls
  • regularly testing our IT systems
  • only giving authorised staff access to your data
  • encrypting (where possible) your information
  • regularly training our staff to develop their data protection and data handling knowledge
  • following clear and transparent processes
  • regularly reviewing our processes and data handling practices
  • carrying out audits on the data we hold
  • regularly deleting data that is no longer needed.

We store your data on United Kingdom of Great Britain and Northern Ireland (UK) and European Economic Area (EEA) servers. Where possible, we will always endeavour to store your data on UK servers; however, this is not always possible. Where we cannot store your data within the UK, we will endeavour to use servers within the EEA, with whom the UK has an adequacy agreement that ensures that your data and rights are protected throughout the EEA, or ensure the appropriate security standards are met to remain compliant with GDPR, such as storing data in the United States of America with Privacy Shield coverage. When data is stored in third party servers, the information will only be accessed by officers authorised by NHS Property Services. Your personal data will not be read, accessed or used by the third party.

If you are concerned with how your data is being handled, please contact our Data Protection Officer at dpo@property.nhs.uk.

Sharing your data

To provide you with our services we may be required to share your personal data with other teams and external agencies to help provide you with the best service.  We will only share your data if one of the following applies:

  • a contract requires us to share your personal data
  • the law tells us we must share your personal data
  • an agreement allows us to share your personal data
  • we have your consent
  • it is an emergency or act of God
  • we need to address disputes, claims, or to persons demonstrating legal authority to act on your behalf

We may be required to share your data for many reasons such as to:

  • make our contractors aware that your premises require a repair
  • update the lease details with HM Land Registry
  • maintain your information for billing purposes
  • resolve service requests

If we share your personal data, we will tell you what data is being shared, who it is being shared with and why it is being shared. If we receive your personal data from another data controller, we will contact you within one month to let you know that we now hold your data.

Police requests

In exceptional circumstances we may also be required to share your data with organisations such as the central government or the police.  We will always review each request on a case-by-case basis and only release personal data if it is required by law, or we believe that the request is justified, authorised, proportionate, auditable, and necessary. We will always try to tell you when your data has been shared, however in some circumstances this may not be possible.

Sharing with social media

Our website uses interfaces with social media sites such as Facebook, LinkedIn, Twitter and others. If you choose to “like” or share information from our website through these services, you should review the privacy policy of that service. If you are a member of a social media site, the interfaces may allow the social media site to connect your site interaction to your personal data.

Your rights

Data protection legislation provides you as an individual with many rights over how we may use your data. These are called the data subject rights.

You have the right:

  1. to be told what we are doing with your personal data
  2. to have copies of your personal data
  3. to amend any errors which we may have recorded
  4. to have your information deleted
  5. to restrict our use of your data
  6. to receive your information in a machine readable format
  7. to object to us processing your personal data (including direct marketing)
  8. to ask for a non-human made decision to be reviewed by a human

Whilst you have the above rights, please note that not all of these are absolute rights, and some may not be applicable. You will be informed if your request to apply your rights cannot be fulfilled and an explanation will be given with reasons why it could not be fulfilled.

To apply any of your data subject rights, please email dpo@property.nhs.uk

What we are doing with your personal data

You have the right to know what we are doing with your personal data; this is called the right to be informed. 

You have the right to know the following:

  • the name and contact details of NHS Property Services
  • the contact details of the Data Protection Officer
  • the reason we are collecting your personal data (including the legal basis)
  • our legitimate interest (where appropriate)
  • who we are sharing your data with or if anyone is using your data on our behalf
  • if your data has been shared or is intended to be shared to a country outside of the EEA
  • how long we keep your personal data for or the criteria we use to determine it
  • your data subject rights
  • how to lodge a complaint with the Information Commissioner’s Office
  • if automated decision making occurs
  • if we intend to use your data for other purposes

To view our processing activities, please visit our ‘records of processing’ database.

To receive copies of your personal data

Under data protection legislation, you have the right to have copies of the personal data which we hold about you. This is also called the right of access. Under this right, you can request copies of your data we hold including any records, emails and phone conversations.

Under this right, we will tell you:

  • the name of the record
  • where we obtained your personal data from
  • how long we keep your personal data for
  • categories of personal data
  • the reason we hold your personal data

If you submit a request for your information, we have one calendar month to comply.  However, in certain situations this can be extended by an additional two months, and we will inform you if it is applicable.

We always aim to provide you with copies of your data, but some records may be withheld in part or in full. This may be because:

  • it constitutes legal advice
  • it would affect our positions in negotiations
  • it would adversely affect the rights and freedoms of other people

If information cannot be released, we will inform you of this. Requesting copies of your personal information (subject access request) is free of charge and can be made by contacting the Data Protection Officer.

Amend any errors

The right of rectification provides you with the opportunity to tell us if any of the data we hold on you is incorrect.  Under this right, we can amend information that is factually incorrect such as:

  • names
  • addresses
  • email addresses

However, some records cannot be changed if we maintain that they are still correct.  This includes professional officer opinions or where we have substantial evidence that the information is correct. However, where this is the case, we will make a comment on the case file which reflects your objection.

To apply your right of rectification, please contact the Data Protection Officer.

Delete your data

Data protection legislation gives you the right to ask for your data to be deleted. This is called the right of erasure. This right is not just an ‘opt-out’ of you receiving a service.  It is a request for all information we hold on you to be deleted from our systems.

This is not an absolute right and can only be applied if certain conditions are met. 

You can apply the right of erasure if one of the following applies:

  • it is no longer necessary for the purpose it was collected or processed
  • we were processing under consent (and you’ve withdrawn consent)
  • if you object to the processing and there are no legitimate grounds for the processing
  • if we are legally required to delete the information
  • if the information has been collected for information society services

Restrict processing

The right of restriction is where you tell us to stop using your personal data.  This is not an absolute right and can only be used when one of the following applies:

  • you do not believe that the personal data we hold is accurate and we are verifying the accuracy
  • we did not have a legal reason to use your personal data
  • we no longer need the data, but you want us to keep it to establish, exercise or defend a legal claim
  • you have used your right of objection and we are considering our legitimate grounds

If you apply your right of restriction, we will store your personal information securely.  Once restricted, we can only use your personal information if:

  • we have your consent
  • there is a legal claim
  • we need to protect the rights of others
  • there is a significant public interest to process

You can ask us to restrict processing across any one of our services that uses your personal data. We will tell you if your request has been approved; however, please be aware that if you restrict our processing, this may cause serious delays and have a high impact on the service that we can provide for you.

Receive your personal data in a machine-readable format

You have the right to have copies of personal data that we hold about you transferred from us to you or another provider in a machine-readable format. This is also called your right to data portability.  This is not an absolute right and can be used in very limited scenarios. 

You can only apply this right if we are processing for one of the following:

  • you have given us your consent
  • it is necessary to fulfil a contract with you

In addition, the data must be:

  • automated (this includes decisions exclusively made by computers)
  • not held in a paper file
  • provided by you

Object to us processing (including direct marketing)

You have the right to object to us using your personal data if our processing of your data is having a harmful and detrimental effect on your personal situation.

This is not an absolute right and can only be applied if:

  • we are processing your data because it is in the public interest
  • or there is a legitimate interest to process your data which:
    • override your interests, rights and freedoms
    • or to establish, exercise or defend legal claims.

Your right of objection can also be used to stop direct marketing including when profiling occurs. Where you object to direct marketing, we will stop processing your personal data for direct marketing purposes. If you are a customer, you may continue to receive updates related to the service provided to you.

Profiling is where decisions are made about you based on certain pieces of your personal information. This could be things such as your age, gender or ethnicity. This is not an exhaustive list, and profiling could happen with any factor relating to personal data.  If we are using your personal data to profile you, we will tell you and inform you of your rights.  We will never profile you without your knowledge and will always explain any decision that is made.

Review a non-human made decision

You have the right not to be subject to a decision based solely on automated processing, including profiling, which may produce legal effects that could concern you or significantly affect you.  This is not an absolute right.

You cannot use this right if the decision:

  • is to enter into, or may affect the performance of, a contract between us and you
  • is permitted to fulfil a legal obligation and there are suitable safeguards to your rights, freedoms, and legitimate interests
  • is made with your explicit consent

We accept that you may not always be satisfied with a decision made, and where possible we will always endeavour to have a computer made decision reviewed by an officer. Whilst this may not be possible, we will always note your opinion and if you have challenged the decision.

Our Data Protection Officer

Data protection legislation requires certain organisations to appoint a Data Protection Officer (DPO).  We aren’t required to appoint a DPO under the UK GDPR but we have decided to do so voluntarily.

The role of the DPO is to:

  • inform and advise us of our data protection processing obligations
  • monitor our data protection compliance
  • monitor our data protection policies
  • assign data protection responsibilities
  • raise data protection awareness
  • ensure staff are trained in data protection
  • audit or facilitate an audit of the organisation
  • provide advice on and monitor data protection impact assessments
  • liaise and cooperate with the Information Commissioner’s Office (ICO)
  • act as a single point of contact for the ICO

Our Data Protection Officer can be contacted by:

Email: dpo@property.nhs.uk

Telephone: 07584 445804

Address: NHS Property Services, Regent House, Heaton Lane, Stockport, Cheshire, SK4 1BS.

Information Commissioner’s Office

NHS Property Services is registered as a data controller with the Information Commissioner’s Office (ICO).

Our registration number is: Z3611517

To view our registration, please visit: https://ico.org.uk/ESDWebPages/Entry/Z3611517

For independent advice about data protection, privacy and data sharing issues, you can contact the ICO on their website. You can also call them on 0303 123 1113.

You have the right to lodge a complaint to the ICO if you remain unhappy with how we have handled:

  • your personal data
  • your data subject request (e.g. access)
  • a data breach

Please note that the ICO will not normally look into a decision or a case until this has been reviewed by our Data Protection Officer. If you wish to raise a complaint, please contact the DPO by emailing dpo@property.nhs.uk

Our website

By using our website, you agree to the terms and conditions contained in this Privacy Notice and Conditions of Use and/or any other agreement that we might have with you. If you do not agree to any of these terms and conditions, you should not use this Site or any of our services. You agree that any dispute over privacy or the terms contained in this Privacy Notice and Conditions of Use, or any other agreement we have with you, will be governed by the laws of the United Kingdom.

As is true of most other websites, our website collects certain information automatically and stores it in log files. The information may include internet protocol (IP) addresses, the region or general location where your computer or device is accessing the internet, browser type, operating system and other usage information about the use of our website, including a history of the pages you view. We use this information to help us design our site to better suit our users’ needs. We may also use your IP address to help diagnose problems with our server and to administer our website, analyse trends, track visitor movements, and gather broad demographic information that assists us in identifying visitor preferences. Our website also uses cookies. It does not track users when they cross to third party websites, does not provide targeted advertising to them, and therefore does not respond to Do Not Track (DNT) signals. 

Cookies

Cookies are pieces of data that a Web site transfers to a user’s hard drive for record-keeping purposes. The Site uses cookies to aggregate traffic data (e.g., what pages are the most popular). These cookies may be delivered in a first-party or third-party context. We may also use cookies in association with e-mails delivered by us.

Our Site also captures limited information (such as user-agent, HTTP referrer, last URL requested by the user, client-side and server-side clickstream) about visits to our Site; we may use this information to analyse general traffic patterns and to perform routine system maintenance. You have many choices with regards to the management of cookies on your computer. All major browsers allow you to block or delete cookies from your system. To learn more about your ability to manage cookies, please consult the privacy features in your browser.

This website uses Google Analytics, a web analytics service provided by Google, LLC. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyse how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States.

Google will use this information for the purposes of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.

By using our website, you consent to the processing of data about you by Google in the manner and for the purposes set out above. If we ask you for other personal information, we will explain what it is for.

Social media

We offer content on our website related to the work we do. We also provide the ability for you to push this content into your Twitter and Facebook feeds.  This means you may find yourself on our website or reading an email from us, and we will offer you a link to another organisation’s website. If you click on these links, we are not responsible or liable for content provided by these third-party websites or personal information they may happen to gather from you.

We do not share this information with any third party other than to store the information in our cloud-hosted databases which are predominantly based in the UK.

We use tools on our websites to track how often people gain access to or read our content. We use this information in the aggregate to understand what content our customers find useful or interesting, so we can tailor our content and services to meet your needs.

You may manage your subscriptions to our newsletters by subscribing or unsubscribing at any time. If you have any difficulties managing your email or other communication preferences with NHS Property Services Ltd please contact us at DPO@property.nhs.uk.