We understand, respect and recognise the importance of ensuring that you are made fully aware of how we use your personal data.
This privacy notice will explain:
As our business changes from time to time, we will update and amend our data privacy notice and conditions of use. This is to ensure that we operate in a lawful, fair and transparent way. We may e-mail periodic reminders of our notices and terms and conditions and will e-mail customers of material changes thereto, but you should check our site frequently to see the current data privacy notice and conditions of use that are in effect and any changes that may have been made. We reserve the right to amend this data privacy notice and conditions of use at any time, for any reason, without notice to you. All updates will be made on this notice and is published on our public facing website.
The provisions contained herein supersede all previous notices or statements regarding our privacy practices and the terms and conditions that govern the use of this site.
The laws and definitions
You have the right to know what we are doing with your data. Where possible, we use simple and clear English to explain how we are doing this. However, sometimes we need to use certain words which may be difficult to understand. The list below will explain some of the words that we use:
Data subject: An individual such as yourself
Data controller: An organisation who decides how data is used (processed)
Data processor: An organisation or person who processes data on a data controller’s behalf.
Data protection legislation: Laws which organisations must follow to protect and safely process your data. These laws are made by the UK government and the European Parliament.
DPA 2018: Data Protection Act 2018 (UK law)
GDPR: General Data Protection Regulation (EU law)
Processed or processing: How we use your data. This includes receiving, storing, using and deleting your data.
Identifier: Something which allows you to be identified. This includes anything such as your name, address or eye colour. An identifier could be anything if someone can tell it is you that is being described.
Anonymisation: Where identifiers have been removed so you cannot be identified by anyone. Further information on anonymisation can be obtained from the Information Commissioner’s website.
Pseudonymisation: Where an identifier has been changed so only those who know how it has been changed can identify you.
We: NHS Property Services Limited
Personal data
When we use your information, we will often refer to this as personal data. Personal data is any information which allows us or someone else to identify you. The most common categories of personal data we process are:
However, this list is not exhaustive. We understand that personal data can take many forms and records could include many different identifiers. Therefore, we look at all data on a case-by-case basis to decide whether the information is considered personal data.
Data protection legislation tell us how and why we can use personal data of living people. Whilst data protection legislation does not apply to deceased persons, we maintain that we have a duty of confidentiality to our customers past or present.
Special category data
Some categories of personal data require additional protection because it is considered highly sensitive. This is called special category data. Special category data includes:
We handle special category data with a high degree of care and attention. If we collect any special category data we will ensure that all appropriate technical measures and safeguards are taken to ensure that your data is safe.
If you have any concerns with how we are processing your special category data or the reasons why we are collecting special category data, please contact our Data Protection Officer at: DPO@property.nhs.uk
How and why we use your personal data?
NHS Property Services Ltd (NHSPS) provides property and facilities management expertise to the NHS. We provide services centred around four main business areas:
For us to provide a service to you, we will be required to use your personal data. We can process your personal data if we meet one or more of the following legal reasons as set out in data protection legislation (article 6):
In addition, if we collect any special category data, we must also fulfil a second obligation. We must make sure at least one the of the following requirements is also met (article 9):
We maintain a register of the legal bases for each of our processes, in accordance with the law.
How we protect your data
We are committed to protecting your data and we will always use your data in safe and secure ways.
We protect your personal data by:
We store your data on United Kingdom of Great Britain and Northern Ireland (UK) and European Economic Area (EEA) servers. Where possible, we will always endeavour to store your data on UK servers, however this is not always possible. Where we cannot store your data within the UK, we will endeavour to use servers within the (EEA) with whom the UK has an adequacy agreement that ensures that your data and rights are protected throughout the (EEA) or ensure the appropriate security standards are met to remain compliant with GDPR, such as storing data in the United States of America with Privacy Shield coverage. When data is stored in third party servers, the information will only be accessed by officers authorised by NHS Property Services. Your personal data will not be read, accessed or used by the third party.
If you are concerned with how your data is being handled, please contact our Data Protection Officer at dpo@property.nhs.uk.
Sharing your data
To provide you with our services we may be required to share your personal data with other teams and external agencies to help provide you with the best service. We will only share your data if one of the following applies:
We may be required to share your data for many reasons such as to:
If we share your personal data, we will tell you what data is being shared, who it is being shared with and why it is being shared. If we receive your personal data from another data controller, we will contact you within one month to let you know that we now hold your data.
Police requests
In exceptional circumstances we may also be required to share your data with organisations such as the central government or the police. We will always review each request on a case-by-case basis and only release personal data if it is required by law, or we believe that the request is justified, authorised, proportionate, auditable, and necessary. We will always try to tell you when your data has been shared, however in some circumstances this may not be possible.
Sharing with social media
Our website uses interfaces with social media sites such as Instagram, LinkedIn, Twitter and others. If you choose to “like” or share information from our website through these services, you should review the privacy policy of that service. If you are a member of a social media site, the interfaces may allow the social media site to connect your site interaction to your personal data.
Your rights
Data protection legislation provides you as an individual with many rights over how we may use your data. These are called the data subject rights.
You have the right:
Whilst you have the above rights, please note that not all of these are absolute rights, and some may not be applicable. You will be informed if your request to apply your rights cannot be fulfilled and an explanation will be given with reasons why it could not be fulfilled.
To apply any of your data subject rights, please email dpo@property.nhs.uk
What we are doing with your personal data
You have the right to know what we are doing with your personal data; this is called the right to be informed.
You have the right to know the following:
To view our processing activities, please visit our ‘records of processing’ database.
To receive copies of your personal data
Under data protection legislation, you have the right to have copies of the personal data which we hold about you. This is also called the right of access. Under this right, you can request copies of your data we hold including any records, emails and phone conversations.
Under this right, we will tell you:
If you submit a request for your information, we have one calendar month to comply. However, in certain situations this can be extended by an additional two months, and we will inform you if it is applicable.
We always aim to provide you with copies of your data, but some records may be withheld in part or in full. This may be because:
If information cannot be released, we will inform you of this. Requesting copies of your personal information (subject access request) is free of charge and can be made by contacting the Data Protection Officer.
Amend any errors
The right of rectification provides you with the opportunity to tell us if any of the data we hold on you is incorrect. Under this right, we can amend information that is factually incorrect such as:
However, some records cannot be changed if we maintain that they are still correct. This includes professional officer opinions or where we have substantial evidence that the information is correct. However, where this is the case, we will make a comment on the case file which reflects your objection.
To apply your right of rectification, please contact the Data Protection Officer.
Delete your data
Data protection legislation gives you the right to ask for your data to be deleted. This is called the right of erasure. This right is not just an ‘opt-out’ of you receiving a service. It is a request for all information we hold on you to be deleted from our systems.
This is not an absolute right and can only be applied if certain conditions are met.
You can apply the right of erasure if one of the following applies:
Restrict processing
The right of restriction is where you tell us to stop using your personal data. This is not an absolute right and can only be used when one of the following applies:
If you apply your right of restriction, we will store your personal information securely. Once restricted, we can only use your personal information if:
You can ask us to restrict processing across any one of our services where uses your personal data. We will tell you if your request has been approved however, please be aware that if you restrict our processing, this may cause serious delays and have a high impact on the service that we can provide for you.
Receive your personal data in a machine-readable format
You have the right to have copies of personal data that we hold about you transferred from us to you or another provider in a machine-readable format. This is also called your right to data portability. This is not an absolute right and can be used in very limited scenarios.
You can only apply this right if we are processing for one of the following:
In addition, the data must be:
Object to us processing (including direct marketing)
You have the right to object to us using your personal data if us processing your data is having a harmful and detrimental effect on your personal situation.
This is not an absolute right and can only be applied if:
Your right of objection can also be used to stop direct marketing including when profiling occurs. Where you object to direct marketing, we will stop processing your personal data for direct marketing purposes. If you are a customer, you may continue to receive updates related to the service provided to you.
Profiling is where decisions are made about you based on certain pieces of your personal information. This could be things such as your age, gender or ethnicity. This is not an exhaustive list, and profiling could happen with any factor relating to personal data. If we are using your personal data to profile you, we will tell you and inform you of your rights. We will never profile you without your knowledge and will always explain any decision that is made.
Review a non-human made decision
You have the right not to be subject to a decision based solely on automated processing, including profiling, which may produce legal effects that could concern you or significantly affect you. This is not an absolute right.
You cannot use this right if the decision:
We accept that you may not always be satisfied with a decision made, and where possible we will always endeavour to have a computer made decision reviewed by an officer. Whilst this may not possible, we will always note your opinion and if you have challenged the decision.
Our Data Protection Officer
Data protection legislation requires certain organisations to appoint a Data Protection Officer (DPO). We aren’t required to appoint a DPO under the UK GDPR but we have decided to do so voluntarily.
The role of the DPO is to:
Our Data Protection Officer be contacted by:
Email: dpo@property.nhs.uk
Telephone: 07584 445804
Address:
NHS Property Services, Regent House, Heaton Lane, Stockport, Cheshire, SK4 1BS.
Information Commissioner’s Office
NHS Property services is registered as a data controller with the Information Commissioner’s Office (ICO).
Our registration number is: Z3611517
To view our registration, please visit: https://ico.org.uk/ESDWebPages/Entry/Z3611517
For independent advice about data protection, privacy and data sharing issues, you can contact the ICO on their website. You can also call them on 0303 123 1113.
You have the right to lodge a complaint to the ICO if you remain unhappy with how we have handled:
Please note that the ICO will not normally a look into a decision or a case until this has been reviewed by our Data Protection Officer. If you wish to raise a complaint, please contact the DPO by emailing dpo@property.nhs.uk
Our website
Our website uses cookies to differentiate you from other visitors. This ensures that you have a positive browsing experience and helps us improve our site. By continuing to use our website, you consent to our use of cookies. If you want to change your cookie consent preferences at a later stage, you can do so by visiting our Cookie Policy page.
By using our website, you agree that any dispute over privacy or the terms contained in this Privacy Notice and Conditions of Use, or any other agreement we have with you, will be governed by the laws of the United Kingdom.
As is true of most other websites, our website collects certain information automatically and stores it in log files. The information may include internet protocol (IP) addresses, the region or general location where your computer or device is accessing the internet, browser type, operating system and other usage information about the use of our website, including a history of the pages you view. We use this information to help us design our site to better suit our users’ needs. We may also use your IP address to help diagnose problems with our server and to administer our website, analyse trends, track visitor movements, and gather broad demographic information that assists us in identifying visitor preferences. Our website also uses cookies. It does not track users when they cross to third party websites, does not provide targeted advertising to them, and therefore does not respond to Do Not Track (DNT) signals.
Cookies
Cookies are pieces of data that a Web site transfers to a user’s hard drive for record-keeping purposes. The Site uses cookies to aggregate traffic data (e.g., what pages are the most popular). These cookies may be delivered in a first-party or third-party context. We may also use cookies in association with e-mails delivered by us.
Our Site also captures limited information (such as user-agent, HTTP referrer, last URL requested by the user, client-side and server-side clickstream) about visits to our Site; we may use this information to analyse general traffic patterns and to perform routine system maintenance. We also use performance cookies that track patterns of use on the website to understand user’s needs, without collecting any personal identifiable information about you. This information is used to monitor and improve the functionality of our website only.
You have many choices with regards to the management of cookies on your computer. All major browsers allow you to block or delete cookies from your system. To learn more about your ability to manage cookies, please consult the privacy features in your browser.
This website uses Google Analytics, a web analytics service provided by Google, LLC. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyse how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States.
Google will use this information for the purposes of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.
By using our website, you consent to the processing of data about you by Google in the manner and for the purposes set out above. If we ask you for other personal information, we will explain what it is for.
Social media
We offer content on our website related to the work we do. We also provide the ability for you to push this content into your Twitter, Instagram and LinkedIn feeds. This means you may find yourself on our website or reading an email from us, and we will offer you a link to another organisation’s website. If you click on these links, we are not responsible or liable for content provided by these third-party websites or personal information they may happen to gather from you.
We do not share this information with any third party other than to store the information in our cloud-hosted databases which are predominantly based in the UK.
We use tools on our websites to track how often people gain access to or read our content. We use this information in the aggregate to understand what content our customers find useful or interesting, so we can tailor our content and services to meet your needs.
You may manage your subscriptions to our newsletters by subscribing or unsubscribing at any time. If you have any difficulties managing your email or other communication preferences with NHS Property Services Ltd please contact us at DPO@property.nhs.uk.