Privacy

Supply Chain Coordination Limited ( the management function of the NHS Supply Chain ) procures and delivers goods and services to NHS trusts and other non-trust healthcare providers.

During the course of providing these services, Supply Chain Coordination Limited may have acquired your personal data, either provided to us by your organisations or collected directly from you when you have expressed an interest in receiving further details about the services we provide.

The purpose of this notice is to make you aware of how we use your personal information.

It is important that the personal information we hold about you is accurate and current. Therefore, please keep us informed if your personal information changes (such as address, contact details, etc.).

We will comply with data protection law which says that the personal information we hold must be:

1. Used lawfully, fairly and in a transparent way;
2. Collected only for valid purposes and not used in any way that is incompatible with those purposes;
3. Relevant to the purposes we have told you about and limited only to those purposes;
4. Accurate and kept up to date;
5. Kept only as long as necessary for the purposes we have told you about;
6. Kept securely.

The kind of information we hold about you

We only collect information about you that is necessary in order to facilitate the provision of services to your organisation and to inform you about the services we provide, which is typically the following information:

• Personal contact details such as your title, name, job title, reporting manager, workplace address, workplace email address, workplace telephone number; organisation name, organisation address;
• Information about your use of our information and communications systems, including your IP address;
• Any information provided in relation to your delivery, sample request or returns;
• Your signature, when you confirm a delivery with our driver.

We typically collect the information:

• When you share your information with our account managers, customer service and support teams, whether face to face, over the phone, email or in writing;
• When you complete forms to request a customer account or access to our online ordering system;
• When you complete forms on the www.supplychain.nhs.uk website requesting services, marketing communications, signing up for an event or reporting a problem about the website;
• When you or your organisation on your behalf, requests via email, access to any of our systems (where appropriate);
• When you use the www.supplychain.nhs.uk website we may collect information about your computer, including where available your IP address, operating system and browser type.

How we will use information about you

We will only use your personal information when the law allows us to, for example, to allow us to carry out our obligations arising from any contracts entered into between your organisation and us and to enable us to comply with our legal obligations.

We may use your information:

• To identify you;
• To approve and create a new customer account;
• To set up an online ordering account or access to other system(s) for example billing, etc.;
• To ensure communication between our account managers, customer service and support teams with key contacts within your organisation to deliver the service(s) you require;
• To facilitate a samples, delivery and returns service;
• To provide you with a satisfactory service in relation to – emergency supply; complaints and resolution of your queries; Keeping you updated on any product and supply issues affecting our services to your organisation.
• To ensure proof of delivery by signature;
• To invite you to give feedback on our performance in providing the services to your organisation;
• To record your preference if you have opted out of receiving marketing communications;
• If required by your organisation, to provide reports of its users of our systems;
• To ensure that content from www.supplychain.nhs.uk website is presented in the most effective manner for you and for your computer;
• To understand our users’ browsing actions and patterns but not to identify any individual;
• To send you, where you have given and not withdrawn consent – communications about our service offering and any new products/services available; invitations to events and webinars.

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

We may also process information where we need to protect your interests (or someone else’s interest) or where it is required in the public interest or for an official purpose.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law. We will not share your information for marketing purposes or with any other third party other than to provide the services.

Cookies

When you use the www.supplychain.nhs.uk website, we may obtain information about your general internet usage by using a cookie file which is stored on the hard drive of your computer. Cookies contain information that is transferred to your computer’s hard drive. They help us to improve the www.supplychain.nhs.uk website and to deliver a better and more personalised service. They enable us:

• To estimate our audience size and usage pattern.
• To store information about your preferences, and so allow us to customise the www.supplychain.nhs.uk website according to your individual interests.
• To speed up your searches.
• To recognise you when you return to the www.supplychain.nhs.uk website.

You may refuse to accept cookies by activating the setting on your browser which allows you to refuse the setting of cookies. However, if you select this setting you may be unable to access certain parts of the www.supplychain.nhs.uk website. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you log on to the www.supplychain.nhs.uk website.

We use Hotjar with carefully selected pages only, in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users’ experience (for example how much time they spend on which pages, which links they choose to click, what users do and don’t like) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices. This includes a device’s IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf.

For further details, please see the ‘about Hotjar’ section of Hotjar’s support website (click here).

Automated decision-making

We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.

Data sharing

We may have to share your data with third parties where it is required by law or where it is necessary to provide you and your organisation with the services (e.g. product suppliers, couriers to facilitate samples requests, market research companies to send you an invitation to provide feedback on services received, (where you have given consent for such communication)). However, we will not disclose your personal data unless we are satisfied that they are legally entitled to view the data. Where we do disclose your personal data, we require third parties to respect the security of your data and to treat it in accordance with the law.

Data security and retention

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

Once we are no longer contracted to provide the service to your organisation we will retain and securely destroy your personal information in accordance with applicable laws.

Your rights in connection with personal information

Under certain circumstances, by law you have the right to:

• Request access to your personal information (commonly known as a ‘data subject access request’). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;
• Request correction of the personal information that we hold about you;
• Request the erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it;
• Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it;
• Request the transfer of your personal information to another party;
• Withdraw consent to receive marketing communications, if given.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact Our Chief Information Officer (CIO) in writing (contact details below).

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

Information Commissioner’s Office (ICO)

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.

Changes to this privacy notice

This privacy notice may be updated at any time. If we do update it we will inform you of any changes when we make any substantial updates.

For any queries regarding this Privacy Notice, or any other concerns around the use of your data please contact:

SCCL Data Protection Officer: dpo@supplychain.nhs.uk

Company Details for Data Protection issues

Name and address of Group company:
FAO Company Secretary Supply Chain Coordination Limited, Wellington House, 133-155 Waterloo Road, London SE1 8UG.

Data Protection Officer To whom initial issues should be addressed
Data Protection Officer (DPO) Supply Chain Coordination Limited, Wellington House, 133-155 Waterloo Road, London SE1 8UG.

Competent supervisory authorities:
For UK: Information Commissioner Office, tel: 0303 123 1113
or https://www.gov.uk/data-protection/make-a-complaint