By using the Open Space website, you agree to the terms and conditions contained in this Privacy Notice and Conditions of Use and/or any other agreement that we might have with you. If you do not agree to any of these terms and conditions, you should not use this Site or any of our services. You agree that any dispute over privacy or the terms contained in this Privacy Notice and Conditions of Use, or any other agreement we have with you, will be governed by the laws of the United Kingdom.
We understand, respect and recognise the importance of ensuring that you are made fully aware of how we use your personal data.
This privacy notice will explain:
- the law and definitions
- personal data
- special category data
- how and why we use your personal data
- how we protect your data
- sharing your data
- your rights
- our Data Protection Officer
- Information Commissioner's Office
As our business changes from time to time, we will update and amend our data privacy notice and conditions of use. This is to ensure that we operate in a lawful, fair and transparent way. We may e-mail periodic reminders of our notices and terms and conditions and will e-mail customers of material changes thereto, but you should check our site frequently to see the current data privacy notice and conditions of use that are in effect and any changes that may have been made. We reserve the right to amend this data privacy notice and conditions of use at any time, for any reason, without notice to you. All updates will be made on this notice and is published on our public facing website.
The provisions contained herein supersede all previous notices or statements regarding our privacy practices and the terms and conditions that govern the use of this site.
The laws and definitions
You have the right to know what we are doing with your data. Where possible, we use simple and clear English to explain how we are doing this. However, sometimes we need to use certain words which may be difficult to understand. The list below will explain some of the words that we use:
Data subject: An individual such as yourself
Data controller: An organisation who decides how data is used (processed)
Data processor: An organisation or person who processes data on a data controller's behalf.
Data protection legislation: Laws which organisations must follow to protect and safely process your data. These laws are made by the UK government and the European Parliament.
DPA 2018: Data Protection Act 2018 (UK law)
GDPR: General Data Protection Regulation (EU law)
Processed or processing: How we use your data. This includes receiving, storing, using and deleting your data.
Identifier: Something which allows you to be identified. This includes anything such as your name, address or eye colour. An identifier could be anything if someone can tell it is you that is being described.
Anonymisation: Where identifiers have been removed so you cannot be identified by anyone. Further information on anonymisation can be obtained from the Information Commissioner's website.
Pseudonymisation: Where an identifier has been changed so only those who know how it has been changed can identify you.
We: NHS Property Services Limited
When we use your information, we will often refer to this as personal data. Personal data is any information which allows us or someone else to identify you. The most common categories of personal data we process are:
- email addresses
- phone numbers and extensions
However, this list is not exhaustive. We understand that personal data can take many forms and records could include many different identifiers. Therefore, we look at all data on a case-by-case basis to decide whether the information is considered personal data.
Data protection legislation tells us how and why we can use personal data of living people. Whilst data protection legislation does not apply to deceased persons, we maintain that we have a duty of confidentiality to our customers past or present.
Special category data
Some categories of personal data require additional protection because it is considered highly sensitive. This is called special category data. Open Space does not use any special category data.
How and why we use your personal data?
NHS Property Services Ltd (NHSPS) provides property and facilities management expertise to the NHS. We provide services centred around four main business areas:
- asset management
- construction project management
- facilities management
- strategic estate planning.
Open Space Website
Open Space is a booking platform jointly owned by NHSPS and Kajima Partnership Ltd, for which the platform is fully managed by Kajima. It enables Landlords to promote their properties and available sessional space; and provides a booking system that allows clients (service providers) to search for, book and pay for space for any Landlord properties, as well as mechanisms to manage their bookings and accounts. It allows Landlords visibility of all booking and payment transactions made in relation to their own specific properties. All data collected is stored on servers hosted by Amazon Web Services located in the UK. Payments are processed through our payment service providers Worldpay and GoCardless who store payment card details and bank details on their own servers also located in the UK.
We take the privacy of your data very seriously and have outlined below how we collect data, and what we do with it. For clarification, NHSPS is a data controller that decides how data is used (processed) and Kajima, along with our Payment service providers, are Data processors that process data on our behalf.
For us to provide a service to you, we will be required to use your personal data. We can process your personal data if we meet one or more of the following legal reasons as set out in data protection legislation (article 6):
- to fulfil a contract
- to comply with a legal requirement
- if a task is carried out in the public interest
- to carry out our core business functions
- to protection your vital interests
- to protect your life (e.g. emergency medical care)
- we have your consent
What personal information do we collect and store for Open Space?
In respect of customer information:
- When you first register to use Open Space as a customer we collect the contact details (name, email address and telephone number(s) of the primary user that has registered your organisation along with your organisation details.
- We collect similar contact details when you add further users (additional primary users, bill payers or bookers) to your organisation's customer account for the purposes of making bookings for your organisation or managing your organisation's account, and when you add host details to your account for associating with your bookings (a host being an individual that delivers the service in the rooms that your organisation has booked).
- We collect, but do not store, payment card details and/or bank account details that your organisation's primary or bill payer nominated user registers against your customer account to pay for your bookings. Payment card details and bank account details are only stored by our payment service providers in their own secure systems.
- When you add new bookings, we store financial data related to bookings, prices, invoices/credit notes, payments/refunds made and account balances.
- When a client makes a payment via one of the payment provider options in Open Space, we store the payment reference, the name of the person paying, and the status of the payment, which may include reasons as to why the payment failed.
In connection with Landlord users of the Open Space system:
- We collect and store your administrators' name and e-mail addresses when you add administrators to the system to maintain your property details, or to access and manage booking and financial information relating to bookings made for your properties
In connection with all users of the Open Space system:
- For the purposes of improving the Open Space product, we collect information about a user's computer and about their visits to and use of this website including their IP address, geographical location, browser type, referral source, length of visit and number of page views
How we use your personal information
As a data processor, we may use the contact details held against your customer account to:
- Provide you with access to Open Space
- Enable NHSPS and other Landlords that have properties registered on Open Space to provide a helpdesk service to you, and to deal with any enquiries/complaints made by you with regards to the use of open space or the onsite service that you have experienced
- Notify on-site staff of any hosts that have not previously used a specific property to ensure that they receive appropriate induction before using Open Space rooms
- Send to you email notifications/newsletters solely related to the use of Open Space such as new product features, to enable you to make the most of Open Space
- Include booking confirmation e-mail links to a feedback survey, for the purposes of improving the Open Space service, but this is entirely optional as to whether you complete it.
- Improve your browsing experience by personalising the website
As a data processor, we will also pass your clients' payment method details to your chosen payment provider (Worldpay and/or GoCardless), for the purposes of payment processing only. In all cases, the client will have had to review the data on the online form, submit it, and provide strong customer authentication details when requested by their card issuer or bank before the details are stored and can be used by us to process payments and refunds relating to your bookings.
As a data processor, we may use Landlord administrators' personal info to:
- Provide them with access to Open Space
- Provide our helpdesk service in relation to use of Open Space and any business and technical issues arising
- Provide our account management service and keep your details up-to-date
- Send you email notifications/newsletters regarding new product features to enable them to make the most of Open Space and its Landlord portal
- Improve browsing experience by personalising the website.
In connection with all users of the Open Space system:
- We will not add, delete or modify their data in any way, except where requested by the data controller, or where required to in law.
- We will obtain statistical information about our users, to help us manage our business, but this information will be anonymised and will not be used to identify any individual user.
- A cookie consists of information sent by a web server to a web browser and stored by the browser. The information is then sent back to the server each time the browser request a page from the server. This enables the web server to identify and track the web browser.
- We may use both session cookies and persistent cookies on the website. We will use the session cookies to keep track of you whilst you navigate the website. We will use the persistent cookies to enable our website to recognise you when you visit.
- This website uses Google Analytics, a web analytics service provided by Google, LLC. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyse how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States.
- By using our website, you consent to the processing of data about you by Google in the manner and for the purposes set out above. If we ask you for other personal information, we will explain what it is for.
How we protect your data
We are committed to protecting your data and we will always use your data in safe and secure ways.
We protect your personal data by:
- using systems that have appropriate technical measures, such as firewalls
- regularly testing our IT systems
- only giving authorised staff access to your data
- encrypting (where possible) your information
- regularly training our staff to develop their data protection and data handling knowledge
- following clear and transparent processes
- regularly reviewing our processes and data handling practices
- carrying out audits on the data we hold
- regularly deleting data that is no longer needed.
We store your data on United Kingdom of Great Britain servers. Where possible, we will always endeavour to store your data on UK servers, however this is not always possible. Where we cannot store your data within the UK, we will endeavour to use servers within the (EEA) with whom the UK has an adequacy agreement that ensures that your data and rights are protected throughout the (EEA) or ensure the appropriate security standards are met to remain compliant with GDPR, such as storing data in the United States of America with Privacy Shield coverage. When data is stored in third party servers, the information will only be accessed by officers authorised by NHS Property Services. Your personal data will not be read, accessed or used by the third party.
If you are concerned with how your data is being handled, please contact our Data Protection Officer at firstname.lastname@example.org.
Sharing your data
To provide you with our services we may be required to share your personal data with other teams and external agencies to help provide you with the best service. We will only share your data if one of the following applies:
- a contract requires us to share your personal data
- the law tells us we must share your personal data
- an agreement allows us to share your personal data
- we have your consent
- it is an emergency or act of God
- we need to address disputes, claims, or to persons demonstrating legal authority to act on your behalf
We may be required to share your data for many reasons such as to:
- make our contractors aware that premises you have booked require a repair
- maintain your information for booking purposes
- resolving service requests
- carrying out induction of new hosts that have not visited or used a particular property before
If we share your personal data, we will tell you what data is being shared, who it is being shared with and why it is being shared. If we receive your personal data from another data controller, we will contact you within one month to let you know that we now hold your data.
In exceptional circumstances we may also be required to share your data with organisations such as the central government or the police. We will always review each request on a case-by-case basis and only release personal data if it is required by law, or we believe that the request is justified, authorised, proportionate, auditable, and necessary. We will always try to tell you when your data has been shared, however in some circumstances this may not be possible.
Sharing with social media
Data protection legislation provides you as an individual with many rights over how we may use your data. These are called the data subject rights.
You have the right:
- to be told what we are doing with your personal data
- to have copies of your personal data
- to amend any errors which we may have recorded
- to have your information deleted
- to restrict our use of your data
- to receive your information in a machine readable format
- to object to us processing your personal data (including direct marketing)
- to ask for a non-human made decision to be reviewed by a human
Whilst you have the above rights, please note that not all of these are absolute rights, and some may not be applicable. You will be informed if your request to apply your rights cannot be fulfilled and an explanation will be given with reasons why it could not be fulfilled.
To apply any of your data subject rights, please email email@example.com
What we are doing with your personal data
You have the right to know what we are doing with your personal data; this is called the right to be informed.
You have the right to know the following:
- the name and contact details of NHS Property Services
- the contact details of the Data Protection Officer
- the reason we are collecting your personal data (including the legal basis)
- our legitimate interest (where appropriate)
- who we are sharing your data with or if anyone is using your data on our behalf
- if your data has been shared or is intended to be shared to a country outside of the EEA
- how long we keep your personal data for or the criteria we use to determine it
- your data subject rights
- how to lodge a complaint with the Information Commissioner's Office
- if automated decision making occurs
- if we intend to use your data for other purposes
To receive copies of your personal data
Under data protection legislation, you have the right to have copies of the personal data which we hold about you. This is also called the right of access. Under this right, you can request copies of your data we hold including any records, emails and phone conversations.
Under this right, we will tell you:
- the name of the record
- where we obtained your personal data from
- how long we keep your personal data for
- categories of personal data
- the reason we hold your personal data
If you submit a request for your information, we have one calendar month to comply. However, in certain situations this can be extended by an additional two months, and we will inform you if it is applicable.
We always aim to provide you with copies of your data, but some records may be withheld in part or in full. This may be because:
- it constitutes legal advice
- it would affect our positions in negotiations
- it would adversely affect the rights and freedoms of other people
If information cannot be released, we will inform you of this. Requesting copies of your personal information (subject access request) is free of charge and can be made by contacting the Data Protection Officer.
Amend any errors
The right of rectification provides you with the opportunity to tell us if any of the data we hold on you is incorrect. Under this right, we can amend information that is factually incorrect such as:
- email addresses
To apply your right of rectification, please login into your Open Space account or contact the Data Protection Officer.
Delete your data
Data protection legislation gives you the right to ask for your data to be deleted. This is called the right of erasure. This right is not just an ‘opt-out' of you receiving a service. It is a request for all information we hold on you to be deleted from our systems.
This is not an absolute right and can only be applied if certain conditions are met.
You can apply the right of erasure if one of the following applies:
- it is no longer necessary for the purpose it was collected or processed
- we were processing under consent (and you've withdrawn consent)
- if you object to the processing and there are no legitimate grounds for the processing
- if we are legally required to delete the information
- if the information has been collected for information society services
The right of restriction is where you tell us to stop using your personal data. This is not an absolute right and can only be used when one of the following applies:
- you do not believe that the personal data we hold is accurate and we are verifying the accuracy
- we did not have a legal reason to use your personal data
- we no longer need the data, but you want us to keep it to establish, exercise or defend a legal claim
- you have used your right of objection and we are considering our legitimate grounds
If you apply your right of restriction, we will store your personal information securely. Once restricted, we can only use your personal information if:
- we have your consent
- there is a legal claim
- need to protect the rights of others
- there is a significant public interest to process
You can ask us to restrict processing across any one of our services where uses your personal data. We will tell you if your request has been approved however, please be aware that if you restrict our processing, this may cause serious delays and have a high impact on the service that we can provide for you.
Receive your personal data in a machine-readable format
You have the right to have copies of personal data that we hold about you transferred from us to you or another provider in a machine-readable format. This is also called your right to data portability. This is not an absolute right and can be used in very limited scenarios.
You can only apply this right if we are processing for one of the following:
- you have given us your consent
- it is necessary to fulfil a contract with you In addition, the data must be:
- automated (this includes decisions exclusively made by computers)
- not held in a paper file
- provided by you
Object to us processing (including direct marketing)
You have the right to object to us using your personal data if us processing your data is having a harmful and detrimental effect on your personal situation.
This is not an absolute right and can only be applied if:
- we are processing your data because it is in the public interest
- or there is a legitimate interest to process your data which:
- override your interests, rights and freedoms
- or to establish, exercise or defend legal claims.
Your right of objection can also be used to stop direct marketing including when profiling occurs. Where you object to direct marketing, we will stop processing your personal data for direct marketing purposes. If you are a customer, you may continue to receive updates related to the service provided to you.
Profiling is where decisions are made about you based on certain pieces of your personal information. This could be things such as your age, gender or ethnicity. This is not an exhaustive list, and profiling could happen with any factor relating to personal data. If we are using your personal data to profile you, we will tell you and inform you of your rights. We will never profile you without your knowledge and will always explain any decision that is made.
You can view and amend the personal contact details we hold for you, in your online account at openspace.nhs.uk.
You can also contact us at firstname.lastname@example.org to request we delete or modify your personal data.
You may also contact our Data Protection Officer at email@example.com
Our Data Protection Officer
Data protection legislation requires certain organisations to appoint a Data Protection Officer (DPO). We aren't required to appoint a DPO under the UK GDPR but we have decided to do so voluntarily.
Our Data Protection Officer be contacted by:
Telephone: 07584 445804
Address: NHS Property Services, 10 South Colonnade, Canary Wharf, E14 4PU.
Information Commissioner's Office
NHS Property Services is registered as a data controller with the Information Commissioner's Office (ICO).
Our registration number is: Z3611517
To view our registration, please visit: https://ico.org.uk/ESDWebPages/Entry/Z3611517
For independent advice about data protection, privacy, and data sharing issues, you can contact the ICO on their website. You can also call them on 0303 123 1113.