
Privacy Policy

This privacy notice explains how NHS Property Services Limited (NHSPS) collects, uses, shares and protects personal data in connection with the NHS Open Space website and booking platform. It also explains your rights, how to contact us, and how to make a complaint about the handling of your personal data.

NHSPS processes personal data in accordance with applicable UK data protection and privacy law, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), and any relevant amendments or successor legislation, including relevant provisions of the Data (Use and Access) Act 2025 (DUAA).

We may update this privacy notice from time to time to reflect changes in the law, changes to NHS Open Space, changes to the way personal data is used, or changes to the organisations that support delivery of the service. The latest version will always be made available on the relevant NHS Open Space website or platform.

Where we make material changes to this privacy notice, we will take reasonable steps to bring those changes to your attention where appropriate.

About NHS Open Space

NHS Open Space is a platform designed to advertise, discover, book and manage spaces. It enables landlords to promote available properties and spaces, while allowing customers and service providers to search for suitable space, make bookings, manage their accounts and, where applicable, process payments. The platform is operated with the support of Kajima, alongside other providers responsible for hosting, development, payments, maintenance, support and analytics.

NHSPS is the controller for personal data processed for the purposes of operating, governing, securing and improving NHS Open Space where we determine the purposes and means of processing. Kajima and certain other suppliers support delivery of the platform under contractual arrangements and may process personal data on our behalf where they act under our instructions. Some service providers, including payment providers, may act as separate controllers for certain elements of processing where they determine their own purposes and means or are subject to their own legal and regulatory obligations.

We only process personal data where we have a lawful basis for doing so. The main lawful bases we rely on in connection with NHS Open Space are:

  • Contract – where processing is necessary to provide NHS Open Space services, manage bookings, administer accounts, process payments or refunds, and provide related support.
  • Legitimate interests – where processing is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your rights and freedoms. These legitimate interests include operating and improving NHS Open Space, maintaining platform security, preventing misuse, managing service communications, investigating incidents, and supporting the effective administration of bookings and accounts.
  • Legal obligation – where processing is necessary for compliance with legal, regulatory, audit, accounting, tax, fraud prevention or reporting obligations.
  • Consent – where consent is required by law, including for certain non-essential cookies and similar technologies under PECR.
  • Public task or vital interests – only where applicable in the particular circumstances.

Where we rely on consent, you may withdraw it at any time. Withdrawal of consent will not affect the lawfulness of processing carried out before consent was withdrawn.

What personal information do we collect and store for NHS Open Space?

We may collect personal data directly from you, from your organisation, or from another authorised user acting on behalf of your organisation or landlord account.

In respect of customer information:

  • When you first register to use NHS Open Space as a customer, we collect the contact details (name, email address and telephone number(s)) of the primary user that has registered your organisation, along with your organisation details.
  • We collect similar contact details when you add further users (additional primary users, bill payers or bookers) to your organisation's customer account for the purposes of making bookings for your organisation or managing your organisation's account, and when you add host details to your account for associating with your bookings (a host being an individual that delivers the service in the rooms that your organisation has booked).
  • We collect, but do not store, payment card details and/or bank account details that your organisation's primary or bill payer nominated user registers against your customer account to pay for your bookings. Payment card details and bank account details are only stored by our payment service providers in their own secure systems.
  • When you add new bookings, we store financial data related to bookings, prices, invoices/credit notes, payments/refunds made and account balances.
  • When a customer makes a payment via one of the payment provider options in NHS Open Space, we store the payment reference, the name of the person paying, and the status of the payment, which may include reasons as to why the payment failed.

In connection with Landlord users of the NHS Open Space system:

  • We collect and store your administrators' names and e-mail addresses when you add administrators to the system to maintain your property details, or to access and manage booking and financial information relating to bookings made for your properties.

In connection with all users of the NHS Open Space system:

  • For the purposes of improving the NHS Open Space product, we collect limited technical and usage information about use of the website or platform, such as IP address, device and browser information, pages viewed, referral source, session activity, approximate location information derived from IP address, and related usage data. Where this information is collected through cookies or similar technologies that are not strictly necessary, we will do so only in accordance with PECR and the choices you make through the cookie settings tool.

How we use your personal information

We use personal data submitted through NHS Open Space or generated through use of the service for the purposes set out in this notice. Depending on the circumstances, this may include:

  • providing access to NHS Open Space and administering user accounts
  • delivering helpdesk, customer support and account management services
  • managing bookings, availability, inductions, account administration and related operational communications
  • sending service-related communications, such as booking confirmations, account notifications, product updates and operational messages relevant to your use of NHS Open Space
  • requesting optional feedback about the NHS Open Space service
  • maintaining, securing, troubleshooting and improving the website and platform, including through analytics and performance monitoring where lawful

Where payments are made through NHS Open Space, payment card or bank account details are entered directly into the secure systems of the relevant payment provider. NHSPS and NHS Open Space do not store full payment card details. We may receive limited payment-related information, such as payment reference, payer name, payment status and related transaction information, to manage bookings, accounts, refunds, reconciliation and support.

We may also use landlord administrator details and other authorised user details for access management, operational support, account administration and related platform communications.

  • send service-related product or platform updates relevant to their use of NHS Open Space and its landlord portal

In connection with all users of NHS Open Space:

  • we will only access, use, amend or disclose personal data where this is necessary for the purposes described in this notice, where instructed by the relevant controller, or where required or permitted by law
  • we may generate aggregated or anonymised statistics about use of the service to help us manage, improve and monitor NHS Open Space, provided those statistics do not identify individual users

Cookies

NHS Open Space uses cookies and other storage and access technologies, such as pixels, scripts, tags and local storage, that store information on, or access information from, a user's device.

Some of these technologies are strictly necessary to provide the website or platform, support security, maintain network management, remember essential settings, or enable services requested by the user. Other technologies may be used for analytics, service improvement, functionality, measurement, session insight or embedded media.

Where a cookie or similar technology is not exempt under PECR, we will ask for consent before using it. Non-essential technologies are not activated until the relevant choice has been made. You can accept, reject or change your preferences at any time using the cookie settings tool made available on the website.

The cookie settings tool or related cookie information describes the categories of technologies in use, their purposes, who provides them, and how long they operate for. If our use of these technologies changes materially, we will update the cookie information and, where required, request fresh consent.

Where personal data is processed following the use of cookies or similar technologies, that processing will also be handled in accordance with UK GDPR and this privacy notice.

This website uses the following cookies and third-party services:

Google Analytics

This website uses Google Analytics, a web analytics service provided by Google LLC. Google Analytics uses cookies to help the website analyse how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purposes of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf.

Google Advertising Services

This website uses cookies associated with Google advertising services, including DoubleClick, provided by Google LLC. These cookies are used to measure the effectiveness of advertising campaigns. Data may be transferred to and stored by Google on servers in the United States.

Microsoft Clarity

This website uses Microsoft Clarity, a behavioural analytics tool provided by Microsoft Corporation. Microsoft Clarity uses cookies to record how users interact with the website, including mouse movements, clicks and scrolling behaviour. This information is used to improve the usability, accessibility and performance of the website. Data collected may be transferred to and stored on Microsoft servers in the United States. Session recording data collected through Microsoft Clarity is retained for 30 days. You can request deletion of your data at any time by contacting us at dpo@property.nhs.uk.

Vimeo

This website embeds video content hosted by Vimeo LLC. When you interact with embedded video content, Vimeo may set cookies on your device and collect information about your interaction with the video. Please refer to Vimeo's privacy policy for further information.

Where any of the above services require your consent, this will be requested via the cookie preferences tool on the website before any cookies are set. You may refuse non-essential cookies at any time by updating your preferences through the cookie tool or by adjusting your browser settings. However, doing so may affect the full functionality of this website.

How we protect your data

We are committed to protecting your data and we will always use your data in safe and secure ways. We take appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures are designed to ensure a level of security appropriate to the risk.

These measures may include access controls, role-based permissions, security monitoring, system testing, encryption where appropriate, staff training, supplier due diligence, contractual controls, retention management and incident handling processes.

We store your data on servers in the United Kingdom. We will always endeavour to store your data on UK servers where possible; however, this is not always possible. Where we cannot store your data within the UK, we will endeavour to use servers within the European Economic Area (EEA), with which the UK has an adequacy agreement that ensures that your data and rights are protected throughout the EEA, or ensure that appropriate safeguards are in place in line with UK GDPR requirements (such as Standard Contractual Clauses or the UK-US Data Bridge) to ensure that your data and rights are protected. Where third-party suppliers host, maintain, support or secure systems used for NHS Open Space, access to personal data is restricted, controlled and permitted only where necessary for the relevant service and under appropriate contractual, confidentiality and security obligations.

How long we keep personal data

We keep personal data only for as long as necessary for the purposes for which it was collected, including to provide NHS Open Space, manage accounts and bookings, process payments and refunds, deal with support queries, meet legal, regulatory, tax, accounting and audit requirements, and establish, exercise or defend legal claims.

Retention periods vary depending on the type of information and the purpose for which it is used. For example, account, booking, payment, support and technical records may be retained for different periods depending on operational need and legal or regulatory requirements. Where specific retention periods apply, these will be determined in accordance with our retention arrangements and relevant legal obligations.

When personal data is no longer needed, we will securely delete it, anonymise it, or retain it in a form that no longer identifies individuals.

Sharing your data

We may share personal data, where necessary and lawful, with internal NHSPS teams; Kajima and other service providers that host, maintain, support or secure NHS Open Space; payment service providers; landlords; customer organisations; authorised customer or landlord representatives involved in managing bookings and access; professional advisers; auditors; insurers; regulators; law enforcement agencies; courts; and other parties where disclosure is required or permitted by law, or is necessary to establish, exercise or defend legal claims.

Where another organisation processes personal data on our behalf, we require it to act only on documented instructions, keep personal data secure, and meet the contractual and legal obligations applicable to its role. Where another organisation acts as a separate controller, it will be responsible for complying with its own data protection obligations in relation to the personal data it controls.

Your rights

Under data protection law, you may have rights to be informed about how your personal data is used, to request access to your personal data, to ask for inaccurate data to be corrected, to request erasure or restriction in certain circumstances, to object to certain processing, and to receive personal data in a portable format where applicable.

Where we rely on consent, you have the right to withdraw that consent at any time. Where we send direct marketing, you have the right to object to direct marketing at any time.

You may also have rights in relation to significant decisions made solely by automated means. NHS Open Space is not intended to make solely automated decisions that have legal or similarly significant effects on individuals. If this changes, we will update this notice and provide the safeguards required by law, including information about the decision, the right to make representations, the right to seek human intervention, and the right to challenge the decision where applicable.

To exercise your rights, please contact us using the details below. We may need to verify your identity and may ask for information necessary to locate the records relevant to your request. In some circumstances, the law allows us to refuse or limit a request where an exemption applies.

Complaints

If you are unhappy with how your personal data has been handled, you can make a complaint to us using the contact details below. We will handle data protection complaints in accordance with our complaints process and applicable legal requirements. We aim to acknowledge complaints and respond appropriately within the timescales required by law.

If you remain dissatisfied after we have responded, you may complain to the Information Commissioner's Office.

Contacting us

NHSPS has appointed a Data Protection Officer (DPO) who can be contacted about this privacy notice, your rights, or any concerns about how personal data is handled. You can also contact the NHS Open Space team for operational queries about your account or use of the platform.

You can contact us using the details below:

Data Protection Officer email: dpo@property.nhs.uk

NHS Open Space team email: openspace@property.nhs.uk

Postal address: NHS Property Services, 10 South Colonnade, Canary Wharf, London, E14 4PU.

Information Commissioner's Office

NHS Property Services is registered with the Information Commissioner's Office (ICO). Our registration number is: Z3611517

If you are unhappy with how we have handled your personal data or your complaint, you can contact the ICO for independent advice or to raise a concern. You can also call them on 0303 123 1113.