Guidance

Crown Commercial Service privacy notice

Updated 26 September 2022

Your data

This notice sets out how we will use your personal data, and your rights. It is made under Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR) which specify what individuals have the right to be informed about.

Purpose

The purpose(s) for which we are processing your personal data is:


Activity

Purpose

Contact us

To enable Crown Commercial Service to route messages to the relevant team, and to respond to your queries.



Contact us call recordings are used to quality assure inbound calls and to help train our staff.

Third Party Verifications


To allow verification of information such as registered address, previous company names, directors’ details, accounts, annual returns and company reports, or to make assessments on credit, risk, marketing or sales.

Third party sources used include (but are not limited to) information which is available on Companies House, Charity Commission and other charity registers.

Net Promoter Score (NPS)

User Research

To capture your feedback on our and our suppliers’ service, including Net Promoter Score survey.

This feedback helps us identify areas for improvement.

Procurement

Supplier Questionnaire (SQ)

To allow you to buy from a Crown Commercial Service route to market.

To allow you to supply to a Crown Commercial Service route to market.

To analyse framework utilisation.

To charge a levy.

To perform spend analytics.

To produce Data Insight and Management Information (MI) on buyer, supplier and operational performance.

To perform due diligence on government suppliers.

To publish public sector contracts on publicly accessible websites.

Marketing

To capture your marketing preferences.

To send you marketing information, such as newsletters and surveys.

To capture website traffic statistics.

Training, Webinars and Virtual Meetings

To provide video conference webinars.

To manage and analyse attendance of those webinars.

To provide training both internally and for users of CCS services

Webinars may be recorded, and posted onto publicly accessible webpages.

Moderns Slavery Assessment Tool (MSAT)

To provide access to the Modern Slavery Assessment Tool, which captures supply chain information and processes, and makes recommendations for improvements.

To conduct data matching exercises for the purposes of the prevention and detection of fraud

To verify companies with which Crown Commercial Service has a business relationship are still active and trading, and that bank account details provided are valid.

Provision of a route to report fraud, bribery or corruption

To capture information on potential fraud bribery or corruption for investigation.

Health Assurance

To capture in collaboration with NHS Procurement information and pre-employment checks for a pool of health care staff for employment at health care bodies and NHS Trusts.

Your data

We will process the following personal data:


Activity

Data

Contacting us

Net Promoter Score (NPS)

User Research

Procurement

Marketing

Training, Webinars and Virtual Meetings

MSAT

Name

Email address

Address

Telephone number

Job Title

Organisation

Dun & Bradstreet Data Universal Numbering System (DUNS number)

IP Address of website visitors

Contact us call recordings

Contact details of contract publisher

Contact details of contract awardee

Contact details of review and mediation bodies

Supplier Questionnaire

Company Registration Number

Charity Registration Number

VAT Number

Professional Trade Registration Numbers

Person of Significant Control (PSC) name

PSC Addresses

PSC Nationality

PSC Criminal Conviction Check (date and nature of conviction)

User Research, Training, Webinars and Virtual Meetings

Video or Audio recordings of individuals including staff, customers, suppliers and the public

Procurement

Bank account numbers

e-Payment card details

Marketing

Social Media usernames

Prevention and Detection of Fraud

Reference Number (Customer ID)

Bank Sort Code

Bank Account Number

Company Name

Company Registration Number

Company Address, County and Postcode

Dates at which to check if company was active

Proprietor Forename and Surname

Proprietor Date of Birth

Data sets as described by the National Fraud Initiative service in the Cabinet Office data public sector data specifications

Health Assurance

Employee information to NHS Employers CHECK standards which includes special category personal data.

The legal basis for processing your personal data is:


Activity

Legal Basis

Contacting us

Net Promoter Score (NPS)

Marketing

MSAT

SQ

Health Assurance

Prevention and Detection of Fraud

For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The Statutory Instrument 2009 No.81 Sets out the Crown Commercial Service official authority; The procurement of goods and services for the public sector, and tasks incidental to this, such as promoting new services and incidental information to existing services to public sector buyers.


Procurement

It is necessary for the performance of, or to enter into a contract to which you are a party, for example, where we hold your contact details in relation to a business matter, it will be based on the contract you have with your employer.

For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The Statutory Instrument 2009 No.81 Sets out the Crown Commercial Service official authority. The procurement of goods and services for the public sector, and tasks incidental to this, such as promoting new services and incidental information to existing services to public sector buyers.

User Research, Training, Webinars and Virtual Meetings, Contact us phone call recordings

Because you consent to us doing so

Sensitive (special category) personal:

  • Sensitive personal data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

The legal bases for processing your sensitive personal data are:

  • UK GDPR Article 6(1)(a), and Article 9(2)(a)
    The data subject has given explicit consent.
  • UK GDPR Article 6(1)(e)
    For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The Statutory Instrument 2009 No.81 Sets out the Crown Commercial Service official authority. The procurement of goods and services for the public sector, and tasks incidental to this, such as promoting new services and incidental information to existing services to public sector buyers.
  • UK GDPR Article 9(2)(g)
    The processing is necessary for reasons of substantial public interest, on the basis of domestic law and shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Criminal convictions personal data:

  • The processing by us of personal data relating to criminal convictions and offences or related security measures is carried out only under official authority.

The legal bases for the processing by us of personal data relating to criminal convictions and offences or related security measures are:

  • UK GDPR Article 6(1)(e): which permits processing where necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • UK GDPR Article 9(2)(g) the processing is necessary for reasons of substantial public interest.
  • Data Protection Act 2018 Schedule 2(1)(2) Crime and Taxation.

Recipients


Activity

Recipient

All Activities


As your personal data will be stored on our IT infrastructure it may be shared with our data processors who provide email, document management and storage services.

Your data may also be shared with one of our IT suppliers. These include:

- customer relationship management software suppliers

- procurement software providers

- supplier registration system providers

- travel, venue and hotel booking systems

- social media systems

- email marketing systems

- video conferencing, and ticketing systems

- feedback and survey systems

- management Information systems

- e-marketplace systems

- finance and forecasting systems

- energy management and forecasting systems

- call recording systems

Procurement

Framework suppliers, in the case that you are buying from that framework.

Potential buyers, by listing framework supplier contact information on the publicly accessible purchasing websites.

Public Sector contract opportunities are published on a publicly accessible website.

MSAT

Data is shared as required with Cabinet Office and Home Office




Prevention and Detection of Fraud

Data sets as described National Fraud Initiative service. The National Fraud Initiative privacy notice can be found here: National Fraud Initiative privacy notice.

Counter Fraud Bribery and Corruption

Where we are required by legislation the information will be shared with appropriate bodies

Health Assurance

Data is shared with the NHS Workforce Alliance

Where personal data have not been obtained directly from you

It will have been obtained from your employer.

It will have been obtained from an organiser of an event you attended.

It will be obtained from external publicly available sources

We periodically purchase public sector mailing lists of corporate subscribers only. Where we engage in email marketing to businesses we will ask for your marketing preferences, and give you an easy way to opt out.

Retention


Activity

Retention Schedule

General Enquiry details

3 years

Complaint information

3 years

NPS data

3 years

User Research data

3 years

Procurement, SQ & MSAT

7 years

Marketing

3 years

Webinar

3 years

Contact us call recording

1 month

Prevention and detection of fraud

6 years after legal proceedings are completed

Counter Fraud Bribery and Corruption

3 years – whistleblowing
3 years for fraud investigation reports and working papers

Health Assurance

7 years

Irrespective of these retention periods, where appropriate, personal data will be anonymised or deleted as soon as practically possible.

Automated decision making

Your personal data will not be subject to automated decision making, except in some cases to deliver targeted marketing information, for example a newsletter in relation to a framework you are part of.

Your rights

You have the right to request information about how your personal data are processed, and to request a copy of that personal data.

You have the right to request that any inaccuracies in your personal data are rectified without delay.

You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement.

You have the right to request that your personal data are erased if there is no longer a justification for them to be processed.

You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.

You have the right to object to the processing of your personal data where it is processed for direct marketing purposes.

You have the right to object to the processing of your personal data.

In relation to video or audio recordings

You have the right to withdraw consent to the processing of your personal data at any time.

In relation to all activities other than Marketing and Net Promoter Score (NPS):

You have the right to request a copy of any personal data you have provided, and for this to be provided in a structured, commonly used and machine-readable format.

In relation to automated profiling of your data for marketing purposes:

You have the right, in relation to automatic profiling, to obtain human intervention in the outcome, to express your point of view, and to contest the decision reached by automatic profiling.

International transfers


Activity

Transfer

Document storage and management

Non-EEA. The supplier uses model contract clauses

Other IT Suppliers

Where data is held outside the UK it will be subject to equivalent legal protection through an adequacy decision or the use of Standard Contractual Clauses or International Data Transfer Agreements.

Questions and Complaints

Contact Crown Commercial service if you:

  • have any questions
  • think that your personal data has been misused or mishandled
  • want to make a data subject request

Email: gdprgeneralenquiries@crowncommercial.gov.uk

The data controller for Crown Commercial Service is the Cabinet Office – a data controller determines how and why personal data is processed.

The contact details for the Data Protection Officer are:

Data Protection Officer
Cabinet Office 
70 Whitehall
London
SW1A 2AS

Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113
casework@ico.org.uk

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.