Skip to content
Scottish Procurement Alliance
Privacy policy

Privacy policy

LHC Procurement Group manages the activities of LHC LSE, SWPA, NPA, WPA and SPA. The company understands privacy as important. LHC is committed to protecting the confidentiality of personal data and information which the company collects and processes.

LHC Procurement Group Limited (company limited by guarantee) is a Data Controller under the terms of the Data Protection Act 2018.

All data controllers must notify the Information Commissioner’s Office (ICO) of all personal data and information processing activities. Our ICO Data Protection Register number is ZB542860 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.

This notice explains how LHC collects, uses, shares, manages, retains, and disposes of personal data and information. This notice applies to personal data and information that is collected and processed:

In relation to company websites at lse.lhcprocure.org.uk, swpa.org.uk, northernprocurement.org.uk, scottishprocurement.scot and welshprocurement.cymru (each a “Site”).

In relation to the day to day operation of the company, which includes personal data and information obtained from other sources for the purposes of direct marketing of our services.

In relation to job applications made to the company for the purposes of employment with the company

For the avoidance of doubt, data is a group of facts or statistics, whereas information offers context. Should certain data and information be requested or collected by which an individual can be identified specifically when using this website, then this data and/or information will only be used in accordance with this privacy notice. Personal data and information in the majority is processed within the UK, though some may be processed in other EU countries subject to individual contracting and processing arrangements.

LHC may change this policy from time to time by updating this page.. This policy is kept up regular review and is effective from 28 February 2025

This policy notice is not exhaustive, but is otherwise deemed to be compliant with the General Data Protection regulation (GDPR) into effect from 25 May 2018.

Our Data Protection Officer

LHC has a Data Protection Officer who is a designated person with responsibility for protection of personal data and information. The officer makes sure that the organisation follows the law.

LHC’s Data Protection Officer can be contacted using the following email address: dpo@lhcprocure.org.uk

This may be required in the event of:

Enacting individual rights set out in the General Data Protection Regulation (GDPR) over how organizations use personal data and information. This includes the right to be informed, simply explained by the Information Commissioners Office. This may extend to complaint about the use of personal data and information, and withdrawal of consent to process it.

A Subject Access Request (SAR)

A query as to retention periods for personal data and information documented on a schedule of retention and disposal arrangements.

Additional information or explanation needed as regards to the content of this privacy notice, such as further details on request as regards to further specific third party processors of personal data and information (aka data processors) where sub-contracted by LHC (i.e. Register of Processing Activities – ROPA).

Further complaint could also be lodged with a supervisory authority, in this case the UK Information Commissioners Office.

What LHC collects

The company may collect the following information: 

  • Name, company and job title
  • Contact data including email address
  • Demographic data such as postcode, preferences and interests
  • Other data relevant to customer surveys and/or events  
  • Ownership and structure
  • Data in relation to specific specialist roles such as data security and protection and whistleblowing  

This collection and processing shall relate to: 

  • Visitors to this website.
  • Client partner organisations as existing customers of LHC procurement frameworks
  • Appointed companies as contractors who will be contracted to deliver works, goods and services under said procurement frameworks.  
  • Potential client partner organisations and appointed companies where personal data and information is collected and processed through events and conferences for which specific consent is required
  • Job applicants 
     

This includes personal data and information as is provided when an individual: 

  • Completes contact forms on this website or use  interactive features of this website (such as requesting a contact), including your‎ name, postal address, email address, and telephone number;
  • Contacts LHC to report a problem with this website
  • make a whistleblowing disclosure 

LHC requires this information to understand needs and provide  better services, and in particular for the following reasons: 

  • Internal record keeping.
  • Management of and response to complaints and in the event of incidents and Subject Access Requests.
  • LHC may use the information to improve our products and services.
  • LHC may periodically send promotional emails about new frameworks, events, or other information which its considers may be interesting. In doing so it shall use contact email addresses  provided directly by individuals or obtained from other sources as shown below.
  • From time to time, LHC may also use information collected and processed to make contact for market research purposes. This may be through email, phone or postal mail. LHC may use the information to customise the website according to surveyed interests.

Where sought for the purposes of market research and/or direct marketing (i.e. the personal data and information is not obtained from the individual it relates to), then LHC may use sources including but not limited to the following: 

  • Open source contact data for potential leads for new business, such as corporate websites of Local Authorities and Housing Associations as potential client partner organisations  
  • Government Open Source Databases such as the UK Government’s Find a Tender service
  • Other Open Source Databases such as Locarla, a public sector centred built environment specialist which makes available a resource of social housing, housing association, & local government information.
  • Contact details obtained as a result of attending conferences and exhibitions organised by national and other bodies. 

Under the requirements of the General Data Protection Regulation (GDPR), all processing for the purposes described above requires lawful basis. Thus this is deemed to be legitimate interests where done in the interests of the company.  

In other circumstances, LHC shall collect and process data and information about individuals separate to the above, such as in relation to submission of job applications. The same principles as are described within this notice are deemed to apply. The legal basis for processing data and information in such circumstances under Article 6 (personal data) and Article 9 (special category data) is consent by virtue of submission of an application. 

It is important that the personal data and information held is accurate and current. Individuals are asked to keep LHC informed if personal data and information changes during the relationship held with it.  

Legitimate Interest: as specified in the GDPR under Article 6.1.(f) and Recital 47 - there is a legitimate interest for us in processing data to provide marketing information about relevant products and services to potential client partner organisations through direct marketing campaigns.  

On a case by case basis a balancing test is performed called a Legitimate Interest Assessment (LIA). This is to ensure that LHC always balances the legitimate interests of ourselves to carry out direct marketing, against the potential impact on individuals and their rights before LHC carries out any processing. Having thoroughly carried out this due diligence to ensure it applies correctly, LHC will process data using Legitimate Interest as our lawful basis. 

Under the GDPR there are five additional lawful bases for processing, none of which currently apply to the business with which LHC is involved. However, it is possible at some time in future, for a specific reason that LHC will need to apply one of these lawful bases. In those circumstances LHC will clearly record and highlight such an application. Those additional lawful bases are: 

  • Consent - whereby an individual has given their clear consent for their personal data to be processed for one or more specific purposes which may include marketing
  • Processing is necessary for the performance of a contract to which the data subject is a party
  • Processing is necessary for compliance with a legal obligation
  • Processing is necessary in order to protect the vital interests of a data subject
  • Processing is necessary for the performance of a task carried out in the public interest

Automated decision making: 

The EU General Data Protection Regulation (GDPR) includes provisions to reflect an increasing use of profiling and automated decision-making across a wide range of applications. These provisions are designed to protect individuals from the potential risks that this type of processing can create. 

Automated decision-making including profiling takes place when an electronic system uses personal data and information to make a decision without human intervention. LHC does use software to review the personal data and information of individuals submitted in application for job roles. This is undertaken through our sub-contractor for this service (see under Register of Processing Activities) 

Where an automated decision is required in relation to any particularly sensitive personal data and information, LHC and its data processor must have explicit written consent or it must be justified in the public interest. LHC must also put in place appropriate measures to safeguard individual rights. 

This is discharged through consent included as part of the application process which requires explicit opt-in consent in response to the statement: Please note: Automated decision making is being used on this initial pre-application page to determine if you meet the minimum requirements of the vacancy. Please confirm you are happy to proceed with this process. 

Where LHC, and by association its sub-contracted data processor, does use software to assist in the assessment of suitability for a particular job role and an applicant considers that any such assessment has been made wrongly or incorrectly, they may ask for an explanation. 

Further details are also included in the Privacy Notice for our sub-contractor/data processor, Hireful Ltd – please click here. 

LHC, through its sub-contractor and data processor, will also ask for Equal Opportunities information. This is not mandatory, and it will not affect an application where not provided. If it is provided, it will not be shared with anyone outside of the Recruitment team. Any information provided will solely be used to monitor Equal Opportunities statistics, and all information will be made anonymous where reported within the company, for example to its Board of Directors. 

Retention periods for personal data and information 

This is documented on a schedule of retention and disposal arrangements.  

A default principle is that the majority of company records are retained for a period of seven years in line with the GDPR 

However, there is further variation to this related to requirements of individual legal frameworks that the company applies through its schedule.  

For example, the default retention period for documents related to frameworks and tenders is eleven years after the end of the contract. 

This can be up to eight years for open frameworks as legalised through the Procurement Act 2023 into effect as of 24 February 2025. The lifespan of the Framework is the absolute minimum for which documents and records shall be held. 

The company understands that penalties for non compliance can vary between the different legislative requirements. 

Register of Processing Activities

Article 30 of GDPR sets out requirements as regards to a Register of Processing Activities. For the purposes of transparency, the table below makes publicly available key details as regards to third party suppliers/vendors who process data on behalf of LHC for the purpose of the day to day operations of LHC. LHC has a separate version of the table below in relation to third party suppliers/vendors of its employee data

Data Processors: 

  • Microsoft 

    • Purpose of data processing: Dynamics Customer Relationship Management – leads, opportunities, clients, income, turnover
    • Evidence of fee payment: Z6296785 

  • Intend 

    • Purpose of data processing: e-Tendering, e-Evaluations and contract management for procurement frameworks 
    • Evidence of fee payment: Z1660551 

  • Hireful

    • Purpose of data processing: Recruitment and applicant tracking 
    • Evidence of fee payment: Z8069187 

  • Civic

    • Purpose of data processing: Cookie consent management 
    • Evidence of fee payment: Z6406137
    • Note : The company has a separate cookie policy accessible from the homepage of this website

The company also uses a service for which it is data processor and a third party is data controller. Creditsafe is a global business intelligence provider that offers online company credit reports and scores. LHC uses this provider to conduct financial due diligence when appointing contractors and subcontractors to its frameworks. This involves initial checking of a Bidders financial status and help inform the subsequent assessments carried out by LHCPG. Should any financial risk or low score be flagged within the Creditsafe information, LHCPG may also review independent reports from other credit referencing agencies such as Equifax, Dunn and Bradstreet.

Creditsafe are ISO27001 certified, regulated by the FCA and registered as a data controller with the UK Information Commissioner's office.

As regards to the related data flow that the company receives from such agencies, this is deemed to include personal about the directors of those companies along with date of birth (month and year). This data flow is no different from what is already open source by virtue of publication on Companies House.

Where potential or actual appointed companies are sole traders or Limited Liability Partnerships (LLPs) this could include personal data by virtue of the trader or LLP name reflecting the owner name, along with other data such as Unique Taxpayer Reference (UTR) which may be included. A UTR (unique taxpayer reference) is a 10-digit number completely unique to each and every UK taxpayer. The legal basis in this context is deemed to be Article 6(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; This personal data flow is not deemed to include any special category data which requires legal basis under GDPR Article 9. In addition, the company has no other means to re-identify the UTR, though this is a moot point given the company would already know the individual identity

Subject Access Requests 

Individuals hold a right to make a Subject Access Request (SAR) under the Data Protection Act 2018. Where personal data and information is held, then by reply within one calendar month LHC will:

  • Give a description of it;
  • Say why LHC is holding it;
  • Say who could be disclosed to; and
  • Provide a copy in an intelligible form

To submit a SAR, please refer to the Data Protection Officer contact details elsewhere within this notice.

Security 

LHC is committed to ensuring that personal data and  information is secure. In order to prevent unauthorised access or disclosure, LHC has  put in place suitable physical, electronic and managerial procedures to safeguard and secure the information LHC collects collect online.