Privacy Notice (January 2022)
Who are we?
In this notice, whenever you see the words ‘we’, ‘us’, ‘our’, it refers to the London Universities Purchasing Consortium (LUPC), a company limited by guarantee registered in England 04784719.
LUPC members are predominantly not-for-profit institutions in the arts, sciences, education and cultural fields as well as the wider public sector. The principal activity of the company is to deliver procurement services for its membership.
What personal data we collect and how we use it?
When you visit the website
Some information is collected automatically by us, this may include:
- Technical information, including [the Internet protocol (IP) address used to connect your computer to the Internet, browser type and version, time zone setting, browser plug-in types and versions and operating system and platform; and
- Information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), what you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs) and methods used to browse away from the page.
When members register on our website, or information transferred from our previous CRM system1
We collect your name, job title, organisation, contact details, and other profile related data, such as marketing preferences and areas of interest to you.
If you are booking onto an event, we may ask you for any special dietary or access requirements.
This data is available and can be amended by you in the My LUPC section of the website accessed by your login details.
Why we need it
We collect your personal data to provide the best possible membership service to our members. If you choose to withhold requested information, we may not be able to provide you with certain services.
We will also hold information about you so that we can respect your preferences for being contacted by us.
We will use the data provided to make our communications relevant to you.
You can change your preferences at any point by using your login to access the site.
Any special dietary or access requirements are only used to provide you with the best experience at an event or meeting.
When do we collect your personal data?
When you register on our website, or if we have historic data from our previous CRM system that we may have transferred over in January 2022.
1All historic data will have been transferred over from our previous CRM system in January 2022. It was collected in accordance with Data Protection law and is available for you to amend or delete by using your login provided.
What lawful basis will we use to process the data?
Under data protection law, we have a number of lawful reasons that we can process your personal information. One of those lawful bases is Legitimate Interests, which means:
We can process your personal information if we have a genuine and legitimate reason, and we are not harming any of your rights and interests.’
This means when you provide your personal details to us, we use your information for our legitimate business interests to carry out our work supporting our members. Before doing this, we will carefully consider and balance any potential impact on you and your rights.
Sometimes, with your consent, we will process your personal data to provide you with information about our work or our activities that you have requested or are expecting. You can control your interests and preferences by using your login on the website.
On other occasions, we may process personal data when we need to do this to fulfil a contract (for example, if you have booked a ticket from our website) or where we are required to do this by law or other regulations.
How do we protect your personal data?
Information system and data security is extremely important to us, to ensure that we are keeping our members, suppliers and employees safe. We will treat your data with the utmost care and take all appropriate steps to protect it.
LUPC is a Cyber Essentials accredited organisation. This requires us to maintain rigorous security protocols and treat all data with care.
We minimise the risk of unauthorised access or disclosure.
We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff.
Our staff complete mandatory data protection training on employment and annually thereafter to reinforce responsibilities and requirements set out in our information security policies.
We may need to disclose your details if required to the police, regulatory bodies or legal advisors.
We will only ever share your data in other circumstances if we have your explicit and informed consent.
How long will we keep your personal data?
Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected.
At the end of that retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.
If you decide you no longer wish for us to use your data, you may login to the website and cancel your account.
We will, on occasion, check with your employer that the data we hold is up to date and cleanse the system of old data.
Who do we share your personal data with?
Where we use an external service provider to act on our behalf, we will disclose only the personal information necessary to deliver the service and will have an agreement in place that requires the provider to comply with our data protection and information security requirements.
We may share your personal information with the following third parties, where relevant:
- Our members – to enable members to contact each other and facilitate collaboration (providing we have your consent);
- Our suppliers (providing we have your consent);
- Our staff, agents and contractors – to enable us to deliver the core business of procurement frameworks; and
- The other purchasing consortia that are, like LUPC, members of the UK Universities Purchasing Consortia (UKUPC) UKUPC website.
We do not sell or share your personal information for any other organisations to use.
What are your rights?
Data protection laws give everyone a number of very important rights. These include the right to:
- Demand transparency over how we use your personal information (right to be informed).
- Request a copy of the information we hold about you, which will be provided to you within one month (right of access).
- Update or amend the information we hold about you if it is wrong (right of rectification).
- Ask us to stop using your information (right to restrict processing).
- Ask us to remove your personal information from our records (right to be 'forgotten').
- Object to the processing of your information for marketing purposes (right to object).
- Obtain and reuse your personal data for your own purposes (right to data portability).
- Not be subject to a decision when it is based on automated processing (automated decision making and profiling).
If you would like to know more about your rights under the data protection law, see the Information Commissioner's Office website.
Remember, you can change your data, or the way you hear from us by using your Login to access your preferences on this website.
Changes to the privacy notice
We may change this Privacy Notice from time to time. If we make any significant changes in the way we treat your personal information we will make this clear on our website or by contacting you directly.
How to contact us
If you have any questions in relation to this privacy notice or how we use your personal data, please email firstname.lastname@example.org.
If you are not satisfied with our response, or believe we are not processing your personal data in accordance with the law, you can complain to the Information Commissioner’s Office (ICO).