Privacy Policy

LHC Procurement Group manages the activities of LHC LSE, SWPA, CPC, WPA and SPA. The company understands privacy as important. LHC is committed to protecting the confidentiality of personal data and information which the company collects and processes.

LHC Procurement Group Limited (company limited by guarantee) is a Data Controller under the terms of the Data Protection Act 2018.

All data controllers must notify the Information Commissioner’s Office (ICO) of all personal data and information processing activities. Our ICO Data Protection Register number is ZB542860 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.

This notice explains how LHC collects, uses, shares, manages, retains, and disposes of personal data and information. This notice applies to personal data and information that is collected and processed:

In relation to company websites at lse.lhcprocure.org.uk, swpa.org.uk, cpconstruction.org.uk, scottishprocurement.scot and welshprocurement.cymru (each a “Site”).

In relation to the day to day operation of the company, which includes personal data and information obtained from other sources for the purposes of direct marketing of our services.

In relation to job applications made to the company for the purposes of employment with the company

For the avoidance of doubt, data is a group of facts or statistics, whereas information offers context. Should certain data and information be requested or collected by which an individual can be identified specifically when using this website, then this data and/or information will only be used in accordance with this privacy notice. Personal data and information in the majority is processed within the UK, though some may be processed in other EU countries subject to individual contracting and processing arrangements.

LHC may change this policy from time to time by updating this page.. This policy is kept up regular review and is effective from 28 February 2025

This policy notice is not exhaustive, but is otherwise deemed to be compliant with the General Data Protection regulation (GDPR) into effect from 25 May 2018.

Our Data Protection Officer

LHC has a Data Protection Officer who is a designated person with responsibility for protection of personal data and information. The officer makes sure that the organisation follows the law.

LHC’s Data Protection Officer can be contacted using the following email address: dpo@lhcprocure.org.uk

This may be required in the event of:

Enacting individual rights set out in the General Data Protection Regulation (GDPR) over how organizations use personal data and information. This includes the right to be informed, simply explained by the Information Commissioners Office. This may extend to complaint about the use of personal data and information, and withdrawal of consent to process it.

A Subject Access Request (SAR)

A query as to retention periods for personal data and information documented on a schedule of retention and disposal arrangements.

Additional information or explanation needed as regards to the content of this privacy notice, such as further details on request as regards to further specific third party processors of personal data and information (aka data processors) where sub-contracted by LHC (i.e. Register of Processing Activities – ROPA).

Further complaint could also be lodged with a supervisory authority, in this case the UK Information Commissioners Office.

What LHC collects

The company may collect the following information:

Name, company and job title

Contact data including email address

Demographic data such as postcode, preferences and interests

Other data relevant to customer surveys and/or events

Ownership and structure

Data in relation to specific specialist roles such as data security and protection and whistleblowing

This collection and processing shall relate to:

Visitors to this website.

client partner organisations as existing customers of LHC procurement frameworks

appointed companies as contractors who will be contracted to deliver works, goods and services under said procurement frameworks.

Potential client partner organisations and appointed companies where personal data and information is collected and processed through events and conferences for which specific consent is required

Job applicants

This includes personal data and information as is provided when an individual:

Completes contact forms on this website or use interactive features of this website (such as requesting a contact), including your‎ name, postal address, email address, and telephone number;

Contacts LHC to report a problem with this website

make a whistleblowing disclosure

LHC requires this information to understand needs and provide better services, and in particular for the following reasons:

Internal record keeping.

Management of and response to complaints and in the event of incidents and Subject Access Requests.

LHC may use the information to improve our products and services.

LHC may periodically send promotional emails about new frameworks, events, or other information which its considers may be interesting. In doing so it shall use contact email addresses provided directly by individuals or obtained from other sources as shown below.

From time to time, LHC may also use information collected and processed to make contact for market research purposes. This may be through email, phone or postal mail. LHC may use the information to customise the website according to surveyed interests.

Where sought for the purposes of market research and/or direct marketing (i.e. the personal data and information is not obtained from the individual it relates to), then LHC may use sources including but not limited to the following:

Open source contact data for potential leads for new business, such as corporate websites of Local Authorities and Housing Associations as potential client partner organisations

Government Open Source Databases such as the UK Government’s Find a Tender service

Other Open Source Databases such as Locarla, a public sector centred built environment specialist which makes available a resource of social housing, housing association, & local government information.

Contact details obtained as a result of attending conferences and exhibitions organised by national and other bodies.

Under the requirements of the General Data Protection Regulation (GDPR), all processing for the purposes described above requires lawful basis. Thus this is deemed to be legitimate interests where done in the interests of the company.

In other circumstances, LHC shall collect and process data and information about individuals separate to the above, such as in relation to submission of job applications. The same principles as are described within this notice are deemed to apply. The legal basis for processing data and information in such circumstances under Article 6 (personal data) and Article 9 (special category data) is consent by virtue of submission of an application.

It is important that the personal data and information held is accurate and current. Individuals are asked to keep LHC informed if personal data and information changes during the relationship held with it.

Legitimate Interest: as specified in the GDPR under Article 6.1.(f) and Recital 47 - there is a legitimate interest for us in processing data to provide marketing information about relevant products and services to potential client partner organisations through direct marketing campaigns.

On a case by case basis a balancing test is performed called a Legitimate Interest Assessment (LIA). This is to ensure that LHC always balances the legitimate interests of ourselves to carry out direct marketing, against the potential impact on individuals and their rights before LHC carries out any processing. Having thoroughly carried out this due diligence to ensure it applies correctly, LHC will process data using Legitimate Interest as our lawful basis.

Under the GDPR there are five additional lawful bases for processing, none of which currently apply to the business with which LHC is involved. However, it is possible at some time in future, for a specific reason that LHC will need to apply one of these lawful bases. In those circumstances LHC will clearly record and highlight such an application. Those additional lawful bases are:

Consent - whereby an individual has given their clear consent for their personal data to be processed for one or more specific purposes which may include marketing

Processing is necessary for the performance of a contract to which the data subject is a party

Processing is necessary for compliance with a legal obligation

Processing is necessary in order to protect the vital interests of a data subject

Processing is necessary for the performance of a task carried out in the public interest

Automated decision making:

The EU General Data Protection Regulation (GDPR) includes provisions to reflect an increasing use of profiling and automated decision-making across a wide range of applications. These provisions are designed to protect individuals from the potential risks that this type of processing can create.

Automated decision-making including profiling takes place when an electronic system uses personal data and information to make a decision without human intervention. LHC does use software to review the personal data and information of individuals submitted in application for job roles. This is undertaken through our sub-contractor for this service (see under Register of Processing Activities)

Where an automated decision is required in relation to any particularly sensitive personal data and information, LHC and its data processor must have explicit written consent or it must be justified in the public interest. LHC must also put in place appropriate measures to safeguard individual rights.

This is discharged through consent included as part of the application process which requires explicit opt-in consent in response to the statement: Please note: Automated decision making is being used on this initial pre-application page to determine if you meet the minimum requirements of the vacancy. Please confirm you are happy to proceed with this process.

Where LHC, and by association its sub-contracted data processor, does use software to assist in the assessment of suitability for a particular job role and an applicant considers that any such assessment has been made wrongly or incorrectly, they may ask for an explanation.

Further details are also included in the Privacy Notice for our sub-contractor/data processor, Hireful Ltd – please click here.

LHC, through its sub-contractor and data processor, will also ask for Equal Opportunities information. This is not mandatory, and it will not affect an application where not provided. If it is provided, it will not be shared with anyone outside of the Recruitment team. Any information provided will solely be used to monitor Equal Opportunities statistics, and all information will be made anonymous where reported within the company, for example to its Board of Directors.

Retention periods for personal data and information

This is documented on a schedule of retention and disposal arrangements.

A default principle is that the majority of company records are retained for a period of seven years in line with the GDPR

However, there is further variation to this related to requirements of individual legal frameworks that the company applies through its schedule.

For example, the default retention period for documents related to frameworks and tenders is eleven years after the end of the contract.

This can be up to eight years for open frameworks as legalised through the Procurement Act 2023 into effect as of 24 February 2025. The lifespan of the Framework is the absolute minimum for which documents and records shall be held.

The company understands that penalties for non compliance can vary between the different legislative requirements.

Register of Processing Activities

Article 30 of GDPR sets out requirements as regards to a Register of Processing Activities. For the purposes of transparency, the table below makes publicly available key details as regards to third party suppliers/vendors who process data on behalf of LHC for the purpose of the day to day operations of LHC. LHC has a separate version of the table below in relation to third party suppliers/vendors of its employee data

Data Processor	Purpose of data processing	Evidence of fee payment
Microsoft	Dynamics Customer Relationship Management – leads, opportunities, clients, income, turnover	Z6296785
Intend	e-Tendering, e-Evaluations and contract management for procurement frameworks	Z1660551
APPIUS	Website hosting	Z2170182
Hireful	Recruitment and applicant tracking	Z8069187
Onetrust	Cookie consent management	ZA103861

The company also uses a service for which it is data processor and a third party is data controller. Creditsafe is a global business intelligence provider that offers online company credit reports and scores. LHC uses this provider to conduct financial due diligence when appointing contractors and subcontractors to its frameworks. This involves initial checking of a Bidders financial status and help inform the subsequent assessments carried out by LHCPG. Should any financial risk or low score be flagged within the Creditsafe information, LHCPG may also review independent reports from other credit referencing agencies such as Equifax, Dunn and Bradstreet.

Creditsafe are ISO27001 certified, regulated by the FCA and registered as a data controller with the UK Information Commissioner's office.

As regards to the related data flow that the company receives from such agencies, this is deemed to include personal about the directors of those companies along with date of birth (month and year). This data flow is no different from what is already open source by virtue of publication on Companies House.

Where potential or actual appointed companies are sole traders or Limited Liability Partnerships (LLPs) this could include personal data by virtue of the trader or LLP name reflecting the owner name, along with other data such as Unique Taxpayer Reference (UTR) which may be included. A UTR (unique taxpayer reference) is a 10-digit number completely unique to each and every UK taxpayer. The legal basis in this context is deemed to be Article 6(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; This personal data flow is not deemed to include any special category data which requires legal basis under GDPR Article 9. In addition, the company has no other means to re-identify the UTR, though this is a moot point given the company would already know the individual identity.

Subject Access Requests

Individuals hold a right to make a Subject Access Request (SAR) under the Data Protection Act 2018. Where personal data and information is held, then by reply within one calendar month LHC will:

Give a description of it;
Say why LHC is holding it;
Say who could be disclosed to; and
Provide a copy in an intelligible form

To submit a SAR, please refer to the Data Protection Officer contact details elsewhere within this notice.

Security

LHC is committed to ensuring that personal data and information is secure. In order to prevent unauthorised access or disclosure, LHC has put in place suitable physical, electronic and managerial procedures to safeguard and secure the information LHC collects collect online.

How LHC uses cookies

A cookie is a small file which asks permission to be placed on a computer's hard drive. The file is added and the cookie helps analyse web traffic or lets individuals know when they visit a particular site. Cookies allow web applications to respond to individuals

Overall, cookies on this website help provide a better website by enabling monitoring of pages which are useful and those which are not.

A cookie in no way gives access to individual computers to share information other than the data and information about individuals already shared. The web application can tailor its operations to individual needs, likes and dislikes by gathering and remembering information about individual preferences.

LHC uses traffic log cookies to identify which pages are being used. This helps to analyse data about webpage traffic and improve the website in order to tailor it to customer needs. LHC only uses this information for statistical analysis purposes and then the data is removed from the system.

Individual website visitors can choose to accept or decline cookies..

Use of cookies in the manner described above shall relate to visitors to this website.

Use of cookies in the manner described above also enacts compliance with the Privacy and Electronic Communications Regulations.

This notice therefore informs individuals as to the use of cookies, what they and why – as required under regulation 6. As regards to consent actively and clearly given, this website provides a prompt for opt in to cookies.

The company recognises it cannot show consent if only providing information about cookies as part of a privacy policy that is hard to find, difficult to understand, or rarely read. Similarly, it understands it cannot set non-essential cookies on the website’s homepage before user has consented to them.

Therefore the settings on this website allow for:

Explicit opt in consent for cookies

Ability to see and manage cookie preferences

Ability to reject cookies

The method for this is through what is termed a cookie banner, cookie notice or cookie popup. This is the notification often displayed on a user's first visit to a website that informs them about the cookies and trackers the site uses and asks for the user's consent to store cookies on their device.

ICO guidelines for cookie consent management can be found here Cookies and similar technologies | ICO

Links to other websites

This website may contain links to other websites of interest. However, once you have used these links to leave our site, individuals should note that LHC does not have any control over that other website. Therefore, LHC cannot be responsible for the protection and privacy of any information which individuals provide whilst visiting such sites and such sites are not governed by this privacy notice. Individuals should exercise caution and look at the privacy statement applicable to the website in question.

Controlling personal data and information

You may choose to restrict the collection or use of personal data and information in the following ways:

whenever you are asked to fill in a form on the website, look for the box that you can click to indicate that you do not want the information to be used by anybody for direct marketing purposes

if you have previously agreed to LHCPG using personal data and information for direct marketing purposes, individuals may change their minds at any time by contacting the company. Details for the company Data Protection Officer are shown elsewhere in this notice.

LHC will not sell, distribute or lease personal data and information to third parties unless LHC has permission or is required by law to do so. LHC may use personal data and information to send you promotional information about third parties which LHC thinks individuals may find interesting if you tell LHC that individuals wish this to happen.

Individuals may request details of personal data and information which LHC holds under GDPR. If individuals would like a copy of the information held on them, then they can make contact.

Information from social networking sites

Our Site includes interfaces that allows individuals to connect with social networking sites (each a “SNS”). If any individual wants to connect to a SNS through this Site they shall authorise the company to access, use and store the information that they agreed the SNS could provide to the company based on the settings on that SNS.

LHC will access, use and store that information in accordance with this Notice. Individuals can revoke access to the data and information provided in this way at any time by amending the appropriate settings from within account settings on the applicable SNS.

Information obtained from others

LHC may also get information about you from other sources; for example, LHC retains service providers to identify the organisation associated with the IP from which individuals visit this website, and LHC may add this to the other information it obtains from this website.

Date of last update to this notice – Monday 3 March 2025