Introduction
This privacy notice will explain:
We may update this notice from time to time to reflect changes in our services, legal requirements or how we use personal data.
The latest version will be published on our website.
The laws and definitions
Key terms used in this notice are explained below.
Data subject
An individual such as yourself
Data controller
An organisation who decides how data is used (processed)
Data processor
An organisation or person who processes data on a data controller’s behalf.
Data protection legislation
Laws which organisations must follow to protect and safely process personal data. In this notice, data protection legislation means the UK General Data Protection Regulation (UK GDPR), the Data Protection Act (DPA) 2018, the Privacy and Electronic Communications Regulations 2003, and any other applicable UK data protection law, including changes made by the Data (Use and Access) Act 2025.
Processed or processing
How we use your data. This includes receiving, storing, using and deleting your data.
We
NHS Property Services Limited
Personal data
When we use your information, we will often refer to this as personal data. Personal data is any information which allows us or someone else to identify you. The most common categories of personal data we process are:
This list is not exhaustive. Personal data can include any information that identifies you or could reasonably be linked to you.
Data protection legislation tells us how and why we can use personal data about living people. While data protection legislation does not apply to deceased people, we maintain that we have a duty of confidentiality to our past and present customers.
Special category data
Some categories of personal data require additional protection because it is considered highly sensitive. This is called special category data. Special category data includes:
Criminal offence data is not special category data, but it is also sensitive and has separate legal protections. If we process criminal offence data, we will only do so where UK data protection law allows it and where appropriate safeguards are in place.
We apply additional safeguards when processing special category data or criminal offence data.
If you have any concerns with how we are processing your special category data or the reasons why we are collecting special category data, please contact our Data Protection Officer at: DPO@property.nhs.uk
How and why we use your personal data?
NHS Property Services Ltd (NHSPS) provides property and facilities management expertise to the NHS. We provide services centred around four main business areas:
For us to provide services to you, we may need to use your personal data. We will only do this where we have a valid lawful basis under Article 6 of the UK GDPR. Depending on the circumstances, this may include:
In addition, if we collect any special category data, we must also meet a condition under Article 9 of the UK GDPR. Depending on the circumstances, this may include:
We maintain a register of the legal bases for each of our processes, in accordance with the law.
We will provide clear privacy information about each processing activity, including the purposes of processing, the categories of personal data involved, the lawful basis relied on, any special category or criminal offence condition where relevant, who the data may be shared with, whether it may be transferred outside the UK, and how long it will be retained.
We will only keep personal data for as long as necessary for the purpose for which it was collected, to meet legal, regulatory, audit, accounting or reporting requirements, or to establish, exercise or defend legal claims. Where we cannot state a fixed retention period in this notice, we will explain the criteria used to decide how long the information is kept.
How we protect your data
We are committed to protecting your data and we will always use your data in safe and secure ways.
We protect personal data by using appropriate technical and organisational measures, including:
We usually store and process personal data in the UK. Some of our suppliers or technology providers may process personal data outside the UK. Where this happens, we will make sure that appropriate safeguards are in place before the transfer takes place. These safeguards may include UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, transfer risk assessments, contractual controls, security measures and any other safeguards required by UK data protection law.
If you are concerned with how your data is being handled, please contact our Data Protection Officer at dpo@property.nhs.uk.
Sharing your data
We may share personal data where necessary to provide our services, meet legal obligations, protect vital interests, manage claims or disputes, or where we have consent or another valid legal basis.
Examples of when we may share personal data include:
Where appropriate, we will tell you what data is being shared, who it is being shared with, and why. We may share personal data with categories of recipients including NHS organisations, public authorities, regulators, professional advisers, courts or tribunals, law enforcement bodies, contractors, suppliers, IT and cloud service providers, debt recovery and billing providers, insurers, auditors and organisations involved in property, facilities management, repairs, leases or service delivery.
If we receive your personal data from another source, we will provide privacy information within a reasonable period and no later than one month, unless an exemption applies, you already have the information, or providing it would involve disproportionate effort under UK data protection law.
Police requests
In exceptional circumstances we may also be required to share your data with organisations such as the central government or the police. We will always review each request on a case-by-case basis and only release personal data if it is required by law, or we believe that the request is justified, authorised, proportionate, auditable, and necessary. We will always try to tell you when your data has been shared, however in some circumstances this may not be possible.
Sharing with social media
Our website uses interfaces with social media sites such as Instagram, LinkedIn, Twitter and others. If you choose to “like” or share information from our website through these services, you should review the privacy policy of that service. If you are a member of a social media site, the interfaces may allow the social media site to connect your site interaction to your personal data.
Your rights
Data protection legislation provides you as an individual with many rights over how we may use your data. These are called the data subject rights.
You have the right:
Whilst you have the above rights, please note that not all of these are absolute rights, and some may not be applicable. You will be informed if your request to apply your rights cannot be fulfilled and an explanation will be given with reasons why it could not be fulfilled.
To apply any of your data subject rights, please email dpo@property.nhs.uk
We will respond to rights requests within one calendar month unless the law allows us to extend the deadline. Your rights are not absolute and may not apply in every situation. If we cannot fulfil a request, we will explain why.
Automated decision-making, profiling and AI
If we use automated decision-making, profiling or AI-enabled tools, we will explain this clearly where it is relevant to you. This will include meaningful information about the logic involved, why the decision is being made, the likely consequences for you and the safeguards available.
Where a decision is made solely by automated processing and has a legal or similarly significant effect on you, we will only do this where UK data protection law allows it and appropriate safeguards are in place. These safeguards may include giving you information about the decision, allowing you to make representations, allowing you to challenge the decision and enabling you to obtain human intervention.
We will not make significant solely automated decisions about you using special category data unless UK data protection law permits this and additional safeguards apply. If we do not use significant solely automated decision-making for a particular service, we will make this clear in the relevant privacy information.
Our Data Protection Officer
We have appointed a Data Protection Officer to advise us on data protection compliance and act as a contact point for individuals and the Information Commissioner’s Office.
Our Data Protection Officer can be contacted by email at dpo@property.nhs.uk or postal address: NHS Property Services, Regent House, Heaton Lane, Stockport, Cheshire, SK4 1BS.
Data protection complaints
If you are unhappy with how we have handled your personal data, a data protection rights request, a data breach, direct marketing, profiling, automated decision-making or any other data protection matter, you can raise a complaint with us.
You can complain by emailing our Data Protection Officer, writing to us, using our website contact routes or contacting us through any other channel. You do not need to use legal wording for us to treat your concern as a data protection complaint.
We will acknowledge receipt of your complaint within 30 days. We will take appropriate steps to investigate and respond without undue delay, including making appropriate enquiries, keeping you informed where appropriate and telling you the outcome. If we need further information to understand your complaint or confirm your identity or authority to act for someone else, we will explain what we need and why.
If you remain dissatisfied after we have responded, or if you do not think we have handled your complaint properly, you can complain to the ICO. The ICO will expect you to have raised the matter with us first and given us a reasonable opportunity to respond.
Information Commissioner’s Office
Our registration number is: Z3611517
If you remain dissatisfied after we have responded, you can contact the ICO on their website or call 0303 123 1113.
Our website
This section explains how we use personal data collected through our website. Use of our website is governed by applicable UK law. Where we collect personal data through the website, we will process it in accordance with this privacy notice and any additional privacy information provided at the point of collection.
Our website may collect limited technical information, such as IP address, browser type, device information and pages viewed, to operate, secure and improve the website. Where this involves cookies or similar technologies that are not strictly necessary, we will only use them where permitted by PECR and UK data protection law.
Cookies
Cookies and similar technologies are small files or identifiers placed on, or accessed from, your device. We use strictly necessary cookies where required to operate our website. We may also use analytics, functionality or other optional cookies where permitted by law. Where consent is required, we will ask for your consent before setting those cookies and will give you a way to change your preferences.
Where enabled, we may use Google Analytics or similar tools to understand how visitors use the site. We will only set analytics cookies or use similar analytics technologies where we have obtained your consent, unless a PECR exception applies.
This website uses the following cookies and third-party services:
Google Analytics
This website uses Google Analytics, a web analytics service provided by Google LLC. Google Analytics uses cookies to help the website analyse how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purposes of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf.
Google Advertising Services
This website uses cookies associated with Google advertising services, including DoubleClick, provided by Google LLC. These cookies are used to measure the effectiveness of advertising campaigns. Data may be transferred to and stored by Google on servers in the United States.
Microsoft Clarity
This website uses Microsoft Clarity, a behavioural analytics tool provided by Microsoft Corporation. Microsoft Clarity uses cookies to record how users interact with the website, including mouse movements, clicks and scrolling behaviour. This information is used to improve the usability, accessibility and performance of the website. Data collected may be transferred to and stored on Microsoft servers in the United States. Session recording data collected through Microsoft Clarity is retained for 30 days. You can request deletion of your data at any time by contacting us at dpo@property.nhs.uk
Vimeo
This website embeds video content hosted by Vimeo LLC. When you interact with embedded video content, Vimeo may set cookies on your device and collect information about your interaction with the video. Please refer to Vimeo's privacy policy for further information.
If analytics tools are used, information may be processed by the analytics provider to produce reports about website activity and related services. Where personal data is transferred outside the UK, we will make sure appropriate safeguards are in place.
Where any of the above services require your consent, this will be requested via the cookie preferences tool on the website before any cookies are set.
You can refuse or withdraw consent for optional analytics cookies using the cookie controls provided on the website or through your browser settings. However, doing so may affect the full functionality of this website.
We will not rely on your use of the website alone as consent for optional cookies. Where consent is required, optional cookies will not be set unless you actively choose to allow them. We will provide clear information about what the technology does, who provides it, how long the information is kept and how you can change your choices.
Social media
Our website may include links or sharing features for third-party websites or social media platforms. If you use those services, their own privacy notices will apply.
You may manage your subscriptions to our newsletters by subscribing or unsubscribing at any time. If you have any difficulties managing your email or other communication preferences with NHS Property Services Ltd, please contact us at DPO@property.nhs.uk