Toggle navigation
LHC Procurement Group manages the activities of LHC LSE, SWPA, NPA, WPA and SPA. The company understands privacy as important. LHC is committed to protecting the confidentiality of personal data and information which the company collects and processes.
LHC Procurement Group Limited (company limited by guarantee) is a Data Controller under the terms of the Data Protection Act 2018.
All data controllers must notify the Information Commissioner’s Office (ICO) of all personal data and information processing activities. Our ICO Data Protection Register number is ZB542860 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.
This notice explains how LHC collects, uses, shares, manages, retains, and disposes of personal data and information. This notice applies to personal data and information that is collected and processed:
In relation to company websites at lse.lhcprocure.org.uk, swpa.org.uk, northernprocurement.org.uk, scottishprocurement.scot and welshprocurement.cymru (each a “Site”).
In relation to the day to day operation of the company, which includes personal data and information obtained from other sources for the purposes of direct marketing of our services.
In relation to job applications made to the company for the purposes of employment with the company
For the avoidance of doubt, data is a group of facts or statistics, whereas information offers context. Should certain data and information be requested or collected by which an individual can be identified specifically when using this website, then this data and/or information will only be used in accordance with this privacy notice. Personal data and information in the majority is processed within the UK, though some may be processed in other EU countries subject to individual contracting and processing arrangements.
LHC may change this policy from time to time by updating this page.. This policy is kept up regular review and is effective from 28 February 2025
This policy notice is not exhaustive, but is otherwise deemed to be compliant with the General Data Protection regulation (GDPR) into effect from 25 May 2018.
LHC has a Data Protection Officer who is a designated person with responsibility for protection of personal data and information. The officer makes sure that the organisation follows the law.
LHC’s Data Protection Officer can be contacted using the following email address: dpo@lhcprocure.org.uk
This may be required in the event of:
Enacting individual rights set out in the General Data Protection Regulation (GDPR) over how organizations use personal data and information. This includes the right to be informed, simply explained by the Information Commissioners Office. This may extend to complaint about the use of personal data and information, and withdrawal of consent to process it.
A Subject Access Request (SAR)
A query as to retention periods for personal data and information documented on a schedule of retention and disposal arrangements.
Additional information or explanation needed as regards to the content of this privacy notice, such as further details on request as regards to further specific third party processors of personal data and information (aka data processors) where sub-contracted by LHC (i.e. Register of Processing Activities – ROPA).
Further complaint could also be lodged with a supervisory authority, in this case the UK Information Commissioners Office.
The company may collect the following information:
This collection and processing shall relate to:
This includes personal data and information as is provided when an individual:
LHC requires this information to understand needs and provide better services, and in particular for the following reasons:
Where sought for the purposes of market research and/or direct marketing (i.e. the personal data and information is not obtained from the individual it relates to), then LHC may use sources including but not limited to the following:
Under the requirements of the General Data Protection Regulation (GDPR), all processing for the purposes described above requires lawful basis. Thus this is deemed to be legitimate interests where done in the interests of the company.
In other circumstances, LHC shall collect and process data and information about individuals separate to the above, such as in relation to submission of job applications. The same principles as are described within this notice are deemed to apply. The legal basis for processing data and information in such circumstances under Article 6 (personal data) and Article 9 (special category data) is consent by virtue of submission of an application.
It is important that the personal data and information held is accurate and current. Individuals are asked to keep LHC informed if personal data and information changes during the relationship held with it.
Legitimate Interest: as specified in the GDPR under Article 6.1.(f) and Recital 47 - there is a legitimate interest for us in processing data to provide marketing information about relevant products and services to potential client partner organisations through direct marketing campaigns.
On a case by case basis a balancing test is performed called a Legitimate Interest Assessment (LIA). This is to ensure that LHC always balances the legitimate interests of ourselves to carry out direct marketing, against the potential impact on individuals and their rights before LHC carries out any processing. Having thoroughly carried out this due diligence to ensure it applies correctly, LHC will process data using Legitimate Interest as our lawful basis.
Under the GDPR there are five additional lawful bases for processing, none of which currently apply to the business with which LHC is involved. However, it is possible at some time in future, for a specific reason that LHC will need to apply one of these lawful bases. In those circumstances LHC will clearly record and highlight such an application. Those additional lawful bases are:
Automated decision making:
The EU General Data Protection Regulation (GDPR) includes provisions to reflect an increasing use of profiling and automated decision-making across a wide range of applications. These provisions are designed to protect individuals from the potential risks that this type of processing can create.
Automated decision-making including profiling takes place when an electronic system uses personal data and information to make a decision without human intervention. LHC does use software to review the personal data and information of individuals submitted in application for job roles. This is undertaken through our sub-contractor for this service (see under Register of Processing Activities)
Where an automated decision is required in relation to any particularly sensitive personal data and information, LHC and its data processor must have explicit written consent or it must be justified in the public interest. LHC must also put in place appropriate measures to safeguard individual rights.
This is discharged through consent included as part of the application process which requires explicit opt-in consent in response to the statement: Please note: Automated decision making is being used on this initial pre-application page to determine if you meet the minimum requirements of the vacancy. Please confirm you are happy to proceed with this process.
Where LHC, and by association its sub-contracted data processor, does use software to assist in the assessment of suitability for a particular job role and an applicant considers that any such assessment has been made wrongly or incorrectly, they may ask for an explanation.
Further details are also included in the Privacy Notice for our sub-contractor/data processor, Hireful Ltd – please click here.
LHC, through its sub-contractor and data processor, will also ask for Equal Opportunities information. This is not mandatory, and it will not affect an application where not provided. If it is provided, it will not be shared with anyone outside of the Recruitment team. Any information provided will solely be used to monitor Equal Opportunities statistics, and all information will be made anonymous where reported within the company, for example to its Board of Directors.
Retention periods for personal data and information
This is documented on a schedule of retention and disposal arrangements.
A default principle is that the majority of company records are retained for a period of seven years in line with the GDPR
However, there is further variation to this related to requirements of individual legal frameworks that the company applies through its schedule.
For example, the default retention period for documents related to frameworks and tenders is eleven years after the end of the contract.
This can be up to eight years for open frameworks as legalised through the Procurement Act 2023 into effect as of 24 February 2025. The lifespan of the Framework is the absolute minimum for which documents and records shall be held.
The company understands that penalties for non compliance can vary between the different legislative requirements.
Article 30 of GDPR sets out requirements as regards to a Register of Processing Activities. For the purposes of transparency, the table below makes publicly available key details as regards to third party suppliers/vendors who process data on behalf of LHC for the purpose of the day to day operations of LHC. LHC has a separate version of the table below in relation to third party suppliers/vendors of its employee data
|
Data Processor |
Purpose of data processing |
Evidence of fee payment |
|
Microsoft |
Dynamics Customer Relationship Management – leads, opportunities, clients, income, turnover |
|
|
Intend |
e-Tendering, e-Evaluations and contract management for procurement frameworks |
|
|
APPIUS |
Website hosting |
|
|
Hireful |
Recruitment and applicant tracking |
|
|
Civic* |
Cookie consent management |
*The company has a separate cookie policy accessible from the homepage of this website
The company also uses a service for which it is data processor and a third party is data controller. Creditsafe is a global business intelligence provider that offers online company credit reports and scores. LHC uses this provider to conduct financial due diligence when appointing contractors and subcontractors to its frameworks. This involves initial checking of a Bidders financial status and help inform the subsequent assessments carried out by LHCPG. Should any financial risk or low score be flagged within the Creditsafe information, LHCPG may also review independent reports from other credit referencing agencies such as Equifax, Dunn and Bradstreet.
Creditsafe are ISO27001 certified, regulated by the FCA and registered as a data controller with the UK Information Commissioner's office.
As regards to the related data flow that the company receives from such agencies, this is deemed to include personal about the directors of those companies along with date of birth (month and year). This data flow is no different from what is already open source by virtue of publication on Companies House.
Where potential or actual appointed companies are sole traders or Limited Liability Partnerships (LLPs) this could include personal data by virtue of the trader or LLP name reflecting the owner name, along with other data such as Unique Taxpayer Reference (UTR) which may be included. A UTR (unique taxpayer reference) is a 10-digit number completely unique to each and every UK taxpayer. The legal basis in this context is deemed to be Article 6(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; This personal data flow is not deemed to include any special category data which requires legal basis under GDPR Article 9. In addition, the company has no other means to re-identify the UTR, though this is a moot point given the company would already know the individual identity.
Individuals hold a right to make a Subject Access Request (SAR) under the Data Protection Act 2018. Where personal data and information is held, then by reply within one calendar month LHC will:
To submit a SAR, please refer to the Data Protection Officer contact details elsewhere within this notice.
LHC is committed to ensuring that personal data and information is secure. In order to prevent unauthorised access or disclosure, LHC has put in place suitable physical, electronic and managerial procedures to safeguard and secure the information LHC collects collect online.
A cookie is a small file which asks permission to be placed on a computer's hard drive. The file is added and the cookie helps analyse web traffic or lets individuals know when they visit a particular site. Cookies allow web applications to respond to individuals
Overall, cookies on this website help provide a better website by enabling monitoring of pages which are useful and those which are not.
A cookie in no way gives access to individual computers to share information other than the data and information about individuals already shared. The web application can tailor its operations to individual needs, likes and dislikes by gathering and remembering information about individual preferences.
LHC uses traffic log cookies to identify which pages are being used. This helps to analyse data about webpage traffic and improve the website in order to tailor it to customer needs. LHC only uses this information for statistical analysis purposes and then the data is removed from the system.
Individual website visitors can choose to accept or decline cookies..
Use of cookies in the manner described above shall relate to visitors to this website.
Use of cookies in the manner described above also enacts compliance with the Privacy and Electronic Communications Regulations.
This notice therefore informs individuals as to the use of cookies, what they and why – as required under regulation 6. As regards to consent actively and clearly given, this website provides a prompt for opt in to cookies.
The company recognises it cannot show consent if only providing information about cookies as part of a privacy policy that is hard to find, difficult to understand, or rarely read. Similarly, it understands it cannot set non-essential cookies on the website’s homepage before user has consented to them.
Therefore the settings on this website allow for:
The method for this is through what is termed a cookie banner, cookie notice or cookie popup. This is the notification often displayed on a user's first visit to a website that informs them about the cookies and trackers the site uses and asks for the user's consent to store cookies on their device.
ICO guidelines for cookie consent management can be found here Cookies and similar technologies | ICO
This website may contain links to other websites of interest. However, once you have used these links to leave our site, individuals should note that LHC does not have any control over that other website. Therefore, LHC cannot be responsible for the protection and privacy of any information which individuals provide whilst visiting such sites and such sites are not governed by this privacy notice. Individuals should exercise caution and look at the privacy statement applicable to the website in question.
You may choose to restrict the collection or use of personal data and information in the following ways:
Individuals may request details of personal data and information which LHC holds under GDPR. If individuals would like a copy of the information held on them, then they can make contact.
Our Site includes interfaces that allows individuals to connect with social networking sites (each a “SNS”). If any individual wants to connect to a SNS through this Site they shall authorise the company to access, use and store the information that they agreed the SNS could provide to the company based on the settings on that SNS.
LHC will access, use and store that information in accordance with this Notice. Individuals can revoke access to the data and information provided in this way at any time by amending the appropriate settings from within account settings on the applicable SNS.
LHC may also get information about you from other sources; for example, LHC retains service providers to identify the organisation associated with the IP from which individuals visit this website, and LHC may add this to the other information it obtains from this website.
Date of last update to this notice – Monday 3 March 2025
This site uses cookies to store information on your computer and enhance your browsing experience.
Some of these cookies are essential for the site to function properly, while others help us improve your experience by providing insights into how the site is being used. We also use cookies to personalise content and help our marketing. You can choose which types of cookies you allow below.
Necessary cookies enable core functionality such as page navigation and access to secure areas. The website cannot function properly without these cookies, and can only be disabled by changing your browser preferences.
Cookie Name
Description |
Retention Period |
Third Party |
|
|---|---|---|---|
.ASPXANONYMOUS |
Created by ASP.Net. This cookie configures anonymous identification for application authorization. This is required to identify entities that are not authenticated when authorization is required. |
2 months |
No |
.ASPXAUTH |
Created by ASP.Net. .ASPXAUTH is a cookie to identify if the user is authenticated( As user's identity has been verified) |
session |
No |
ARRAffinity |
When using Microsoft Azure as a hosting platform and enabling load balancing, this cookie ensures that requests from one visitor's browsing session are always handled by the same server in the cluster. |
Session |
No |
ARRAffinitySameSite |
When using Microsoft Azure as a hosting platform and enabling load balancing, this cookie ensures that requests from one visitor's browsing session are always handled by the same server in the cluster. |
Session |
No |
ASLBSA |
Microsoft App Service and Front Door Affinity Cookies. These cookies are used to direct your browser to use the appropriate backend server. |
Session |
No |
ASLBSACORS |
Microsoft App Service and Front Door Affinity Cookies. These cookies are used to direct your browser to use the appropriate backend server. |
Session |
No |
ASP.NET_SessionId |
ASP.Net_SessionId is a cookie which is used to identify the users session on the server. The session being an area on the server which can be used to store session state in between http requests. |
Session |
No |
ASPSESSIO |
Browsing session: the asterisks identify an alphanumerical code that varies from session to session in automatic mode. |
Session |
No |
ApplicationGatewayAffinity |
This cookie is used by Azure Apps to keep a user session on the same server. |
Session |
No |
ApplicationGatewayAffinityCORS |
This cookie is used by Azure Apps to keep a user session on the same server. |
Session |
No |
RpsContextCookie |
This cookie is used by Microsoft to securely verify your Sharepoint login information |
session |
Yes |
VisitorStorageGuid |
This cookie is used by Azure Apps to keep a user session on the same server. |
Session |
No |
__AntiXsrfToken |
This cookie is used to prevent Cross-site request forgery (often abbreviated as CSRF) attacks of the website. CSRF attacks exploit the trust that a site has in a user's browser. |
session |
No |
buid |
This cookie is used by Microsoft to securely verify your login information |
30 days |
No |
esctx |
This cookie is used by Microsoft to securely verify your login information |
Session |
No |
fpc |
This cookie is used by Microsoft to securely verify your login information |
30 days |
No |
nSGt- |
This cookie is used by Microsoft to securely verify your Sharepoint login information |
session |
Yes |
stsservicecookie |
Cookie for Azure Active Directory B2C-verification |
Session |
No |
Analytical cookies help us improve our website by collecting and reporting information on its usage. These cookies allow us to understand how visitors navigate the site and where we can make improvements. The data collected is aggregated and anonymized, ensuring that no PII is stored or shared.
Cookie Name |
Description |
Retention Period |
Third Party |
|---|---|---|---|
.AspNetCore.Antiforgery. |
Anti-forgery cookie is a security mechanism to defend against cross-site request forgery (CSRF) attacks. |
Session |
No |
AMP_TOKEN |
Contains a token code that is used to read out a Client ID from the AMP Client ID Service. By matching this ID with that of Google Analytics, users can be matched when switching between AMP content and non-AMP content. |
1 year |
No |
ASP.NET_Sessio |
General purpose platform session cookie, used by sites written with Microsoft .NET based technologies. Usually used to maintain an anonymised user session by the server. |
Session |
No |
ASP.NET_Sessio_Fallback |
Fallback session cookie to support older browsers that haven't implemented the Secure flag, in modern evergreen browsers this cookie is never set as it haven't got the Secure flag. |
Session |
No |
CLID |
The cookie is set by embedded Microsoft Clarity scripts. The purpose of this cookie is for heatmap and session recording. |
1 years |
No |
FPAU |
Assigns a specific ID to the visitor. This allows the website to determine the number of specific user-visits for analysis and statistics. |
session |
No |
FPID |
Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator. |
1 years |
No |
FPLC |
This FPLC cookie is the cross-domain linker cookie hashed from the FPID cookie. It’s not HttpOnly, which means it can be read with JavaScript. It has a relatively short lifetime, just 20 hours. |
20 hours |
No |
MicrosoftApplicationsTelemetryDeviceId |
Used to store a unique device ID for tracking behavior and usage of the website |
1 year |
No |
SM |
This is a Microsoft cookie used to measure the use of the website for internal analytics |
Session |
No |
__RequestVerificationToken |
This is an anti-forgery cookie set by web applications built using ASP.NET MVC technologies. It is designed to stop unauthorised posting of content to a website, known as Cross-Site Request Forgery. |
Session |
No |
__utma |
ID used to identify users and sessions |
2 years |
No |
__utmb |
Used to distinguish new sessions and visits. This cookie is set when the GA.js javascript library is loaded and there is no existing __utmb cookie. The cookie is updated every time data is sent to the Google Analytics server. |
30 minutes |
No |
__utmc |
Used only with old Urchin versions of Google Analytics and not with GA.js. Was used to distinguish between new sessions and visits at the end of a session. |
session |
No |
__utmt |
Used to monitor number of Google Analytics server requests |
10 minutes |
No |
__utmv |
Contains custom information set by the web developer through the _setCustomVar method in Google Analytics. This cookie is updated each time new data is sent to the Google Analytics server. |
2 years |
Unknown |
__utmx |
Used to determine whether a user is included in an A / B or Multivariate test. |
18 months |
No |
__utmxx |
Used to determine when the A / B or Multivariate test in which the user participates ends |
18 months |
No |
__utmz |
Contains information about the traffic source or campaign that directed user to the website. The cookie is set when the GA.js javascript is loaded and updated when data is sent to the Google Anaytics server |
6 months |
No |
_clck |
This cookie is installed by Microsoft Clarity to store information of how visitors use a website and help in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form. |
1 years |
No |
_clsk |
This cookie is installed by Microsoft Clarity to store information of how visitors use a website and help in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form. |
24 hours |
No |
_dc_gtm_ |
Used to monitor number of Google Analytics server requests |
1 minute |
No |
_ga |
ID used to identify users |
1 years |
No |
_ga_* |
Used to identify and track an individual user session. |
2 years |
No |
_gac_ |
Contains information related to marketing campaigns of the user. These are shared with Google AdWords / Google Ads when the Google Ads and Google Analytics accounts are linked together. |
90 days |
No |
_gat |
Used to monitor number of Google Analytics server requests when using Google Tag Manager |
58 seconds |
No |
_gat_* |
Used to set and get tracking data |
1 hour |
No |
_gid |
ID used to identify users for 24 hours |
24 hours |
No |
_clck |
This cookie is installed by Microsoft Clarity to store information of how visitors use a website and help in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form. |
1 years |
No |
__Secure-ROLLOUT_TOKEN |
Registers a unique ID to keep statistics of what videos from YouTube the user has seen. |
180 days |
No |
_gcl_gs |
Used by Google AdSense for experimenting with advertisement efficiency across websites using their services. |
3 months |
No |
_gcl_aw |
Used by Google AdSense for experimenting with advertisement efficiency across websites using their services. |
3 months |
No |
GCL_AW_P |
Used by Google Ads to provide ad delivery or retargeting |
3 months |
No |
We use marketing cookies to help us improve the relevancy of advertising campaigns you receive. These cookies track help us to measure the effectiveness of marketing campaigns.
Cookie Name |
Description |
Retention Period |
Third Party |
|---|---|---|---|
ACLK_DATA |
This cookie is used to help improve advertising. This targets advertising based on what's relevant to a user, to improve reporting on campaign performance. |
5 minutes |
No |
GED_PLAYLIST_ACTIVITY |
Improves targeting/advertising within the website |
session |
No |
__gpi |
Collects information on user behaviour on multiple websites. This information is used in order to optimize the relevance of advertisement on the website. |
1 years |
No |
__gpi_optout |
Collects information on user behaviour on multiple websites. This information is used in order to optimize the relevance of advertisement on the website. |
13 months |
No |
__gsas |
Provides ad delivery or retargeting. |
3 months |
No |
_gcl_au |
Used by Google AdSense for experimenting with advertisement efficiency across websites using their services. |
3 months |
No |
_gcl_dc |
Used by Google AdSense for experimenting with advertisement efficiency across websites using their services. |
3 months |
No |
APC |
This cookie is used for targeting, analyzing and optimisation of ad campaigns in DoubleClick/Google Marketing Suite |
6 months |
No |
DEVICE_INFO |
Used to detect if the visitor has accepted the marketing category in the cookie banner. This cookie is necessary for GDPR-compliance of the website. |
6 months |
Yes |
DSID |
This cookie is used for targeting, analyzing and optimisation of ad campaigns in DoubleClick/Google Marketing Suite |
60 minutes |
Yes |
FLC |
This cookie is used to link your activity across devices if you’ve previously signed in to your Google Account on another device. We do this to coordinate that the ads you see across devices and measure conversion events. |
10 seconds |
Yes |
GPS |
Registers a unique ID on mobile devices to enable tracking based on geographical GPS location. |
1 day |
No |
GoogleAdServingTest |
Used to register what ads have been displayed to the user. |
session |
No |
ID |
This cookie is used for targeting, analyzing and optimisation of ad campaigns in DoubleClick/Google Marketing Suite |
2 months |
Yes |
IDE |
This cookie is used for targeting, analyzing and optimisation of ad campaigns in DoubleClick/Google Marketing Suite |
1 years |
No |
LOGIN_INFO |
This cookie is used to play YouTube videos embedded on the website. |
2 years |
Yes |
PREF |
This cookie stores your preferences and other information, in particular preferred language, how many search results you wish to be shown on your page, and whether or not you wish to have Google’s SafeSearch filter turned on. |
10 years |
Yes |
RUL |
Used by DoubleClick to determine if the website ad was properly displayed. This is done to make their marketing efforts more efficient. |
1 year |
Yes |
VISITOR_INFO1_LIVE |
Tries to estimate the users' bandwidth on pages with integrated YouTube videos. Also used for marketing |
6 Months |
No |
VISITOR_PRIVACY_METADATA |
Youtube visitor privacy metadata cookie |
6 Months |
No |
YSC |
Registers a unique ID to keep statistics of what videos from YouTube the user has seen. |
Session |
No |
__gads |
This cookie is used by Google for a variety of purposes (e.g., ensuring Frequency Caps work correctly). It includes AdSense if you have AdSense enabled. This cookie is associated with the DoubleClick for Publishers service from Google. Its purpose is to monitor the showing of advertisements on the site, for which the owner may earn some revenue. The main purpose of this cookie is targeting/advertising. |
1 years |
No |
ar_debug |
Store and track conversions |
1 years |
No |
test_cookie |
This cookie is set by DoubleClick (which is owned by Google) to determine if the website visitor's browser supports cookies. |
15 minutes |
No |
