Privacy policy and cookies on the Buying Catalogue

A description of the information NHS Digital collects as part of our operation of the Buying Catalogue website. We want you to understand why we hold and process this information, and your choices.

This page covers the information we collect about you as part of our operation of the Buying Catalogue website. We want you to understand why we hold and process this information, and your choices.

We always collect, hold and process information securely and lawfully.

What personal data are you collecting from me?

Personal data means any information relating to an identified or identifiable individual. We collect, use, and store different kinds of personal data about you. Here is a list of the types of personal data that we process about you through the operation of the Buying Catalogue website:

Identity Data

Your first and last name, username, and organisation's ODS code.

Contact Data

Your email address and telephone number.

Technical Data

Data collected through use of cookies on the Buying Catalogue website, as listed in the cookies policy below. We also log your internet protocol (IP) address when you access the Buying Catalogue website.

We will only process the minimum personal data necessary to achieve our purposes.

How do we collect your personal data?

We use different methods to collect personal data from and about you including:

Direct interactions

You may give us your Identity Data and Contact Data when you create an account on the Buying Catalogue website or when you enter your personal details into the order form.

Automated interactions

As you interact with the Buying Catalogue website, we will automatically collect personal data.

How is my personal data used?

When using the Buying Catalogue website, we will process your personal data for the following reasons:

  • to establish the authority that you are ordering for and using the website from
  • to enable each part of the Buying Catalogue website to work with each other part
  • to ensure that the Buying Catalogue website can operate in a secure manner
  • to authenticate users that log in to the Buying Catalogue website
  • to capture personal data of authenticated users on the Buying Catalogue website to facilitate the ordering process
  • to enable us to contact authenticated users for the purposes of user research with their explicit consent to help us improve the Buying Catalogue website

See the lawful basis section of this policy below to find out about the types of lawful basis that we rely on to process your personal data for these purposes.

What cookies are used on the Buying Catalogue website?

What are cookies?

Cookies are files saved on your phone, tablet, or computer when you visit a website. They store information about how you use a website, such as the pages you visit.

Cookies are not viruses or computer programs. They are very small so do not take up much space.

Find out more information about cookies.

How we use cookies

All but one of the cookies used are essential to the operation of the Buying Catalogue website and only persist while a user's browser is open. Our one non-essential cookie lets us know if you dismissed our cookie banner and persists for 1 year.

If you do nothing other than use the Buying Catalogue website, we will capture and store some information about your visit to make our website work and keep it secure. The information collected in these cookies relates to:

  • establishing the authority that you are ordering for and using the website from
  • enabling each part of the Buying Catalogue website to work with each other part
  • ensuring that the Buying Catalogue website can operate in a secure manner
  • checking that the user has the correct permissions

We do not know (and do not wish to know) the identities of individuals who visit the Buying Catalogue website, other than those users who have registered accounts with us. The information collected through the cookies in operation is not shared with anyone and we do not merge this information with other personal data.

List of cookies that make our website work

All but one of the cookies we use are essential to allow you to use the Buying Catalogue website. Our one non-essential cookie lets us know if you dismissed our cookie banner.

Name: buyingcatalogue-cookie-consent
Expires: When you close the browser (if you do not dismiss the banner) or 1 year (if you dismiss the banner)
Necessary: No
Purpose of cookie: Remembers if you dismissed our cookies banner

Name: io
Expires: When you close the browser
Necessary: Yes
Purpose of cookie: This cookie is generated by an identity server as part of the authentication/authorisation mechanisms.

Name: token
Expires: When you close the browser
Necessary: Yes
Purpose of cookie: This cookie enables authorisation that is passed to our APIs to verify that the current user is authorised to use the areas of the site that are being requested.

Name: .AspNetCore.Antiforgery
Expires: When you close the browser
Necessary: Yes
Purpose of cookie: This cookie provides vital security information that enables APIs/User Interfaces to remain trusted between each other and prevent external attacks via strange media.

Name: _csrf Security
Expires: When you close the browser
Necessary: Yes
Purpose of cookie: This cookie provides vital security information focussed on the Cross Site Request Forgery (i.e. fake scripts/redirects that could be injected).

Name: .AspNetCore.Identity.Application
Expires: When you close the browser
Necessary: Yes
Purpose of cookie: This cookie enables Authorisation confirmation that is used by the token cookie and the User Interface to determine the current authenticated user and their claims (permissions/other necessary information) within the application.

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that the Buying Catalogue website may become inaccessible or not function properly.

Is my personal data used for user research purposes?

We would like to contact you about taking part in user research panels and surveys to improve the Buying Catalogue website and connected services. We will ask you if you would like to join our user research panel when you register for a Buying Catalogue account and log in for the first time.

If you agree to join, we may ask you to:

  • try new features
  • answer questions or surveys by email
  • talk to our researchers about your experience of using the Buying Catalogue website or connected services

You can always say no to our requests, and you can leave the user research panel at any time.

We will only use your information to contact you about the Buying Catalogue website user research panel. It will not be shared with anyone else. You can unsubscribe at any time by contacting the Buying Catalogue Team.

What lawful basis are you using to process my personal data?

The lawful basis we use to process your personal data is as follows:

Performance of a contract

We will process your personal data as we provide you with products and services through the operation of the Buying Catalogue website. This includes processing your personal data to facilitate the ordering process.

Legitimate Interests

We will process your personal data as it is within the legitimate interests of NHS Digital to process this personal data for the operation of the Buying Catalogue website. Legitimate interest means the interest of NHS Digital in conducting and managing the Buying Catalogue website to enable us to give you the best service and most secure experience.

Consent

For users that have registered accounts on the Buying Catalogue website, we may contact you for user research purposes. The lawful basis for this activity will be consent. We will only contact you for these purposes when you have given us informed and explicit consent. You can withdraw this consent at any time by contacting the Buying Catalogue Team.

Where will my personal data be stored and processed?

We will only store and process your personal data within the UK.

What are my data processing rights?

Data protection laws give you the right:

  • to request a copy of the information we hold about you. You can do this by making a subject access request
  • to know how your personal data will be collected, processed, and stored, and for what purposes
  • to correct your personal data errors or omissions
  • to request that we delete your personal data
  • to restrict our use of your personal data (for example, if you think it is inaccurate and needs to be corrected before it is used)
  • to object to us processing your personal data at any time
  • to be subject to a decision based solely on automated decision making, including profiling
  • to withdraw your consent, which applies to your participation in user research activities

Find more information on these rights.

If you wish to exercise any of the rights set out above, please contact us using the contact details at the bottom of this page.

Can my personal data be processed for unrelated purposes not listed in this policy?

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to gain an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the lawful basis which allows us to do so in an updated privacy and cookies policy.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

How is my personal data protected?

We have organisational technical controls in place to ensure that your personal data is not lost, accidentally destroyed, misused, or disclosed, and is not accessed except by our employees in the performance of their duties in operating the Buying Catalogue website. We have set up security measures, policies, and procedures such as:

  • training all staff annually in data and security protection
  • monitoring our platform to keep your personal information secure
  • following good practice guidance provided by the National Technical Authority
  • always using legally binding agreements with all organisations we use
  • having security and confidentiality policies in place across the organisation, to which staff must agree before they are given access to personal information
  • restricting access to personal information to only those staff who need access to perform their role

How long is my personal data retained for?

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for. Listed below are the different types of personal data that NHS Digital process in the operation of the Buying Catalogue website and the period this data is retained for:

Identity Data and Contact Data

We retain this personal data for as long as you have an active user account on the Buying Catalogue website. Once an account has been requested to be closed, we delete all the data associated with the account within 30 days.

Technical Data

Data collected from the cookies in use is destroyed as soon as you close the browser. The IP addresses that we process when you access the Buying Catalogue website are retained for 30 days, after which they are overwritten and destroyed.

Does this policy apply to other websites?

This privacy notice only relates to information obtained through use of the Buying Catalogue website.

If you visit a website operated by a third party through a link included on this website, your information may be used differently by the operator of the linked website. These third parties may include, for example, suppliers that are listed on the Buying Catalogue website.

When you are moving to another site you are advised to read the privacy policy relating to that website.

How can I contact NHS Digital?

You can contact us by:
Email: enquiries@nhsdigital.nhs.uk
Telephone: 0300 303 5678

Or by writing to us:

Information Governance Compliance Team
NHS Digital
7 and 8 Wellington Place
Leeds
West Yorkshire
LS1 4AP

Your enquiry will be answered by our contact centre.

We collect the information that you give us, and use it to help resolve your query, to contact you about your query, and to improve our services.

We keep this information for 3 years from the date of your enquiry.

Our Data Protection Officer is Kevin Willis, whose duties include monitoring internal compliance and advising the organisation on its data protection obligations. The Data Protection Officer can be contacted via enquiries@nhsdigital.nhs.uk.

How can I lodge a complaint?

If you wish to raise a complaint concerning NHS Digital's processing activity, visit our Feedback and Complaints page.

You also have the right to raise a concern with the Information Commissioner's Office (ICO) at any time. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

The contact details for the ICO are:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF

Visit the Information Commissioner's Office website.