Toggle mobile menu visibility

Procurement Service privacy notice

What this document is for

This privacy notice provides details on how we, Norfolk County Council, use your personal information for the purposes of our procurement department and the services they provide.

By ‘use’ we mean the various ways your personal information may be processed including storing and sharing the information.

Further details

We also provide the following details in our general privacy notice on our website:

  • Who we are
  • How long we use your information for
  • Your rights under the UK General Data Protection Regulation (the UK GDPR) and
  • How to exercise them 

You can also ask us for a copy of this information.

What we use your information for

We may use the information about you to:

  • Administering procurement exercises
  • Evaluating bidder submissions and tenders
  • Permitting audit and legal review of tender processes and contracts
  • Reviewing, managing and enforcing contracts
  • Making and receiving supplier payments
  • Dealing with concerns and complaints
  • Ensuring compliance with the relevant laws, including the Public Contracts Regulations 2015 and the Local Government Transparency Code 2015
  • Considering requests made under the Freedom of Information Act 2000 and the Environmental Information Regulations 2004

We also use this information to assess the quality of our services and evaluate and improve our policies and procedures.

We may also use personal information about incumbent suppliers’ workforces to allow tenderers to price for replacement contracts.

We may also use information in other ways compatible with the above.

What personal data we collect and use about you

We may collect and use:

  • Name
  • Work contact details and, where provided, emergency out of hours contact details
  • Job/profession and other information about employment history and current employment and details of professional qualifications
  • Photographs, should a supplier provide them (for example, on a CV)
  • Information about suppliers’ financial capacity and solvency
  • Information about payments made to and received from suppliers
  • Information suppliers have provided about breach of the grounds for exclusion set out in regulation 57 of the Public Contracts Regulations 2015
  • Information about complaints and allegations of misconduct made during the course of a procurement exercise or subsequent delivery of a contract.
  • Salary, age, pension, length of service and other workforce information needed to enable tenderers to price their bids for replacement contracts when the Transfer of Undertakings (Protection of Employment) Regulations apply

We may also collect and use information about:

  • Health (such as disabilities, when applicable to reasonable adjustments)

This information is classed as “special category data” under the UK GDPR. We may only collect these data when it is relevant and for the purposes described above.

We also collect information concerning criminal convictions and offences.

The UK GDPR includes safeguards to protect the use of your special category data and criminal conviction data. Further details can be found on our website in the document named ‘Special category data and criminal offences data policy’ which sets out our procedures for compliance with the principles of the UK GDPR and the retention and erasure of this information.

Who provides this information

We receive most of this information from you, but we may also obtain some of this data from:

  • Information suppliers have provided to us, directly or via a prime contractor or consortium that has bid for or secured a contract. 
  • People and organisations that have been nominated as referees by suppliers
  • Other customers of suppliers
  • Our service users who receive services from suppliers, and the people who care for them
  • Enforcers and regulators, including the Care Quality Commission, Ofsted and the Health and Safety Executive
  • Other businesses or employers
  • Trade and/or sector associations
  • Other local authorities and other public bodies
  • Credit reference agencies (in respect of suppliers’ finances)
  • Witnesses, including expert witnesses
  • Consultants and technical specialists
  • Auditors and inspectors

Who we share your information with

We may need to share your information with:

  • The public, if we enter a contract with you, we may need to publish details about the contract, your company, and any beneficiaries. This may include information about you, such as your name.
  • Other departments within the County Council
  • Other organisations that are jointly procuring or managing a contract with us
  • People and organisations that suppliers have nominated as referees
  • People and organisations that suppliers have asked us to provide a reference to
  • Consultants, technical specialists, lawyers, expert witnesses, accountants and similar advisers in respect of bid evaluation, contract management and review, strategy review, performance review, review of complaints and disputes and similar purposes
  • Suppliers’ other customers, and central purchasing bodies, for supplier stability monitoring and performance management purposes
  • Our service users who receive services from suppliers, and the people who care for them, as far as this is necessary to allow service delivery
  • Enforcers and regulators, including the Local Government Ombudsman, the Care Quality Commission, Ofsted, HMRC and the Health and Safety Executive
  • Internal and external auditors and inspectors
  • Professional bodies such as the General Medical Council or the Law Society, in respect of alleged misconduct
  • Debt recovery services, bailiffs and investigators where necessary to recover a debt owed to us
  • The Disclosure and Barring Service, Disclosure Scotland and their equivalents in other countries (where a basic disclosure or DBS check is required in respect of a particular role) and agents who submit details to such organisations on our behalf
  • In respect of anonymised workforce information, tenderers and potential tenderers for replacement contracts

Any information which is shared will only be shared on a need-to-know basis, with appropriate individuals. Only the minimum information for the purpose will be shared.

Your personal information may also be given to third parties contracted by the County Council to provide a service to the County Council. These service providers are known as data processors and have a legal obligation under UK GDPR and to the County Council to look after your personal information and only use it for providing that service.

How the law protects you and the legal basis for processing your information

We have legal grounds under the UK GDPR to process this information because it is necessary:

  • For the performance of a task carried out in the public interest and the task or function has a clear basis in law

These statutory powers and duties are:

  • Public Contract Regulations 2015
  • Local Government Transparency Code 2015F

We have legal grounds to process (including share) special category data and criminal convictions data because it is necessary:

  • For reasons in the substantial public interest and in the exercise of a statutory function (The statutory functions are the same as the statutory powers and duties referred to above)
  • Equalities Act (information about disabilities and reasonable adjustments)

How long will we keep your personal information for

We will retain the information in accordance with our retention schedule.

If we need to use your information for research or reports, your information will be anonymised and any information taken from notes (handwritten or typed) during any consultation sessions will be securely destroyed. The information will continue to be used in a summarised and anonymised form in any research reports or papers that are published. The anonymised information in the papers may be of historic interest and may be held in public archives indefinitely.

How we keep your information

The information is stored electronically, on the County Council’s network including records management systems, and in paper files.

We do not process your information outside of the UK and European Economic Area.

Automated decision making

We do not make automated decisions about you.

Changes to this notice

We may amend this privacy notice at any time so please review it frequently. The date below will be amended each time this notice is updated.

This notice was updated on 13 December 2022. 

Share this page

Facebook icon Twitter icon Email icon


Print icon