
Privacy Notice


Our website contains links to websites run by other organisations. This statement applies only to our website and we are not responsible for the policies and practices of other sites. The purpose of this Privacy Notice is to explain:

  • What information we might collect about you;
  • How we might use that information;
  • When we might use your details to contact you;
  • What information we might share with others;
  • Your choices about the personal information you provide to us;
  • How we will store and manage your data and keep it secure.


The East of England NHS Collaborative Procurement Hub (the Hub) was formed in April 2007 and currently:

  • provides strategic procurement services to NHS and public-sector organisations across the UK;
  • participates in strategic partnerships primarily with other NHS and public-sector procurement organisations to reduce duplication of effort;
  • organises conferences and events on topics which are relevant to procurement and the NHS.

The Hub is hosted by West Suffolk NHS Foundation Trust (WSFT).  WSFT provide the legal framework through which the Hub operates.  For the purposes of data protection, the Hub is governed by the West Suffolk NHS FT Data Protection Policy and Data Protection Officer.

Legal basis for processing personal data

The law on data protection sets out several different reasons for which an organisation may collect and process your data, including:

Contractual arrangements

In certain circumstances, we need your personal data to comply with our contractual obligations.  For example:

  • if we provide a service to your organisation we will collect personal data for the organisation’s nominated representative(s) to deliver the service and communicate about benefits delivery; project management; opportunities and development related to the service and service fees.

  • if your organisation submits a bid or is appointed to be a supplier on a framework agreement managed by the Hub, we will need to collect personal data for the organisation’s nominated representative(s) to communicate about the procurement process and contract management related issues.

  • If you register to attend a conference or event we will need to collect your personal data to communicate with you about the event.

Legitimate interests

In specific situations, we will use your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests.  For example:

  • we may send you marketing information about new services and opportunities that may be of interest to you.

You can inform us if you do not wish to receive this type of information and we must always comply with your request.


In specific circumstances we can collect and process your data with your consent.  For example, if you register to attend a conference or event and positively opt in to receive communications about events and services organised by the Hub.  When collecting your personal data, we will always make clear to you which data is necessary.  You can withdraw your consent at any time. 

Legal compliance

If the law requires us to, we may need to collect and process your data.  For example, we can pass on details of people involved in fraud or other criminal activity affecting the NHS to law enforcement.

When do we collect your personal data?

We will collect your personal data when you/your employing organisation:

  • commission the Hub to provide a service and nominate you as a key contact;
  • are a contact for a project managed by the Hub;
  • request an account to access the restricted area of our website;
  • submit a tender to become a supplier on a framework managed by the Hub;
  • are the nominated representative for a framework to which your organisation has been appointed as a supplier or service provider;
  • register to attend an event or conference organised by the Hub;
  • choose to complete any surveys that we send you;
  • engage with us on social media;
  • request information under the Freedom of Information Act;
  • contact us with queries, complaints or request information about our services.

What sort of personal data do we collect?

We will collect the minimum information required to communicate with you, normally your: name; email address; employing organisation name; job title; the department you work in and a contact telephone number. If you register to attend a conference or event we will also ask you to inform us if we need to make specific provision to accommodate dietary requirements or disabilities. This information will be anonymised, aggregated and deleted after the event.

  • Your social media user name if you interact with us through those channels, to help us respond to your comments, questions or feedback.
  • Information gathered using cookies in your web browser.
  • Internet Protocol (IP) addresses.

We do match IP addresses to an individual.

How and why do we use your personal data?

We will store personal data with information on the products and services your organisation holds or has shown an interest in, or the frameworks your organisation participates in.

Services commissioned by you/your organisation

To communicate with you as a nominated representative about the services you/your organisation have requested, for example to:

  • provide performance reports;
  • report on project progress;
  • inform you about changes to our services;
  • ask you to participate in stakeholder consultation exercises;
  • invite you to attend meetings relevant to the services/projects commissioned;
  • make you aware of conferences and events provided as part of our services which may be of interest to you or colleagues.

This contact will be by email, phone or, by prior appointment, face to face.  We would be unable to fulfil our contractual duties and provide our services without this type of contact.

Framework suppliers/bidders

To communicate with you as a nominated supplier representative.  This contact is necessary to:

  • communicate throughout the procurement process;
  • enable both parties to undertake effective contract management;
  • ask you to participate in stakeholder consultation exercises;
  • make you aware of training courses and events provided as part of our services which may be of interest to you or colleagues.

This contact will be by email, phone or, by prior appointment, face to face.  We would be unable to progress procurement processes or fulfil our contractual duties without this contact.

Our website

To administer requests for access to the protected customer area of our website, which require a password, and to communicate with you about that access. 

We use information collected anonymously through our website to analyse user behaviour and inform service development.

  • Our website uses technology commonly referred to as ‘cookies’. Cookies are small pieces of information sent by an organisation to your computer and stored on your hard drive to allow that website to recognise you when you visit. Cookies make it possible for your browser to remember your settings and preferences.  Cookies also collect statistical data about your browsing but do not identify you as an individual.  This helps us to improve our website and deliver a more personalised service for you.  We do not pass on your personal details to others in this way.  It is possible to switch off cookies in your browser preferences.
  • We may use IP addresses in conjunction with other software to plan our services and provide information on what topics specific organisations may be interested in. 

Event management 

To communicate with you when you have registered to attend a conference or event.  This contact is necessary to update you about arrangements; communicate any changes; monitor attendance and provide information after the event. 

This contact will be by email and occasionally by phone.  We would be unable to progress your booking or fulfil our contractual duties without contact.

Marketing and communications

We may communicate with you about opportunities, including services and events you may be interested in.  We will use your personal data to send you information and may also ask you to participate in surveys.

We sometimes use third party databases to access contact information for marketing purposes.  We primarily use this information to communicate with the wider NHS and public sector about events and sometimes services. 

Contact will be by email and occasionally by phone.  You can withdraw your consent for the Hub to use your data for marketing purposes at any time including when we send this type of information on the basis of our legitimate interests.

Who has access to your personal data?

  • Hub staff will have controlled access to your information to enable us to provide the services commissioned and to undertake supporting business activities. 
  • We may pass your information to third-party service providers, subcontractors and other associated organisations to provide services on our behalf (for example to send you mailings). However, when we use third parties, we disclose only the personal information that is necessary to deliver the service and we require them to keep your information secure and not to use it for their own direct marketing purposes.

Who do we share your personal data with?

We sometimes share your personal data with trusted parties.  These are primarily our NHS and public-sector strategic partner organisations with whom we collaborate to reduce duplication of effort.  The policy we apply to those organisations to keep your data safe and protect your privacy is:

  • We provide only the information they need to perform their specific services or functions;
  • They may only use your data for the exact purposes we specify in our agreement with them.
  • We will not sell or rent your information to third parties. 
  • We will not share your information with third parties for them to market to you. 

The Hub currently partners with the following organisations:

  • Crown Commercial Service
  • NHS Commercial Solutions
  • NHS London Procurement Partnership
  • North of England NHS Commercial Procurement Collaborative

How do we protect your personal data?

We take several steps to protect your data.  This includes robust IT security.  All staff receive data security training and our premises are secured.  We have contracts with providers requiring them to protect your information.  If we transfer your data outside of the EU, we will ensure that extra checks are in place. 

How long will we keep your personal data?

Whenever we collect or process your personal data, we will only keep it for as long as necessary for the purposes for which it was collected.

At the end of the retention period, your data will either be deleted completely or anonymised and aggregated with other data sets in a non-identifiable way for statistical analysis and business planning.

What are your rights over your personal data?

You have the right to request:

  • access to the personal data we hold about you, free of charge in most cases;
  • we correct your personal data when incorrect, out of date or incomplete;
  • we delete your personal data: for example, if you withdraw your consent or object and we have no legitimate overriding interest once the purpose for which we hold the data has come to an end.
  • In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected with your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.
  • we stop using your personal data for direct marketing activity; we must always comply with your request.
  • we stop any consent-based processing of your personal data after you have withdrawn that consent.
  • Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent.

To ask for a copy of your information or to ask for your information to be amended or deleted; to withdraw your consent or ask us to stop using your personal data for direct marketing please contact:

  • cphenquiries@eoecph.nhs.uk
  • or write to Business Manager, East of England NHS CPH, NHS Victoria House, Capital Park, Fulbourn, Cambridge, CB21 5XB.

If we choose not to action your request, we will explain to you the reasons for our refusal.

Checking your identity

To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice.  If you have authorised a third party to submit a request on your behalf we will ask them to prove they have your permission to act. 

How to contact the regulator

If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.  You can contact them by calling 0303 123 1113 or online at www.ico.or.uk/concerns.
