Privacy Policy


Document Control

POLICY NAMESpectra CIC service user privacy notice
Document Description This policy has been written in line with the requirements of the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).
Document AuthorChristopher Burgess
Core Officer ResponsibleDee Wang
Information Management ResponsibleJoel Robinson
StatusLive
Last Review Date20 December 2025
Mandatory Review Date / Expirers20 December 2026
Version Number1.1
Person Responsible for ReviewDee Wang

This procedure will be deemed no longer supported if there is a newer version available or the document has expired.

Version Control

Version NumberDateAuthorReason for New Version
0.12018-04-10C. BurgessDocument creation for GDPR
0.22018-05-11C. BurgessConference call changes
0.32018-05-11D. WangConference call changes
0.42019-11-06D. WangRetention statement changed for general email
0.52021-04-06D. WangReference updates
0.62022-08-24D. WangRephrase special category data
0.62024-01-05D. WangNo update
1.02024-11-20D. WangTitle change, format update and added details of data collection. Retention period updated for service users under 18.
1.12025-12-20D. WangContact address change. Added new marketing section; updated legal basis for data use and marketing consent retention period.

Spectra C.I.C and Spectra Charity (to be known as collectively as Spectra) are committed to protecting your privacy and handling your personal information responsibly. Looking after the personal information you share with us is very important, and we want you to be confident that your personal data is kept safely and securely and to understand how we use if. This policy explains what data we collect, why we collect it, how we use it, and your rights under the UK General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR).

If we make changes to this notice we will notify you by updating it on our website. Spectra C.I.C and Spectra Charity will be what is known as the ‘Data Controller’ of the personal data you provide to us, and we will sometimes refer to ourselves in this notice as “we” or “us”. By Data Controller, this means Spectra. determines the purposes and way in which any personal data are, or will be, processed.

However, there are some services where Spectra is the ‘Processor’ acting on behalf of another organisation (the NHS, for example). You will be notified specifically that who is responsible for your information and their privacy notice if this apply to the service you are receiving.

Should you need to contact us please write to:
Data Protection Officer, Spectra, China Works, Black Prince Rd, SE1 7SJ or via dataprotection@spectra-london.org.uk quoting Security and Privacy Enquiry. Telephone: 02033229620.

This privacy notice was last updated on 20 December 2025. Version 1.1

What information we collect, use, and why?

We only ask for your information when it relates to your service, or we are legally required to, and we will not ask for information that we do not need or will never use. These might include:

  • Names and contact details
  • Gender
  • Pronoun preferences
  • Addresses
  • Date of birth
  • Emergency contact details
  • Photographs or video recordings
  • Service use history
  • Health information (including medical conditions, test results, allergies, medical requirements and medical history)
  • Information about care needs (including disabilities, home conditions, dietary requirements and general care provisions)
  • Information about work, home and living conditions
  • Information about support requirements
  • Information about lifestyle, interests or personal history
  • Records of meetings and decisions
  • Information about income and financial needs for funding or personal budget support
  • Payment details (including card or bank information for transfers and direct debits)
  • Information relating to compliments or complaints
  • Taxpayer information (for Gift Aid purposes)
  • Marketing preferences
  • Records of consent, where appropriate
  • Financial transaction information

We also collect or use the following special personal information to provide services:

  • Racial or ethnic origin
  • Health information
  • Sex life information
  • Sexual orientation information

Evaluation data is not personally identifiable,  the data is anonymised and simply compiled for reporting. i.e. we have had 10 x White English attendees, 2 x Gay attendees, 12 x Have said they the event has helped. This data is used to make sure we are reaching all demographics and not excluding any populations, helping us to continually improve our services and to demonstrate impact for funding.

Spectra operates in a serviced business building where CCTV is in operation across the site for security monitoring purposes.  Spectra does not control this data.

Lawful bases and data protection rights

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.

Which lawful basis we rely on may affect your data protection rights which are in brief set out below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

  • Your right of access – You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. You can read more about this right here.
  • Your right to rectification– You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. You can read more about this right here.
  • Your right to erasure– You have the right to ask us to delete your personal information. You can read more about this right here.
  • Your right to restriction of processing– You have the right to ask us to limit how we can use your personal information. You can read more about this right here.
  • Your right to object to processing– You have the right to object to the processing of your personal data. You can read more about this right here.
  • Your right to data portability– You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. You can read more about this right here.
  • Your right to withdraw consent– When we use consent as our lawful basis you have the right to withdraw your consent at any time. You can read more about this right here.

If you make a request, we must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

Legal Bases for Processing your data

Data Protection says that we are allowed to use and share your personal data only where we have a proper reason to do so. The law says we must have one or more of these reasons and these are:

  • Consent – where you agree to us using your information in this way e.g. for storing your email address. we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
  • Contract – we have to collect or use your information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
  • Legitimate Interests – this means the interests of Spectra in managing our business to allow us to provide you with the best service in the most secure and appropriate way e.g., to transfer your data to certain Third Parties.
  • Legal Obligation – where there is statutory or other legal requirement to share the information e.g., when we have to share your information for law enforcement purposes.

Here is a list of the ways that we may use your personal information, and which of the reasons described above we rely on to do so. Where we list legitimate interests as a reason, we also describe below what we believe these legitimate interests are.

What We Use Your Personal Information ForOur Reasons (Legal Basis)Our Explanation of Bloomsbury’s Legitimate Interests
Service delivery (health, wellbeing, events)Legal Obligation & Legitimate InterestsProcess efficiency and ability to deliver requested services and comply with health regulations.
Booking of event or serviceContract & Legitimate InterestsNecessary to manage bookings and deliver services.
Respond to any enquiries you makeLegitimate interestsTo provide accurate and timely responses.
Marketing communications (newsletters, campaigns, fundraising)ConsentWe only send marketing where you have opted in. Declining does not affect access to services.
Seek your views or comments on the services we provideConsent & Legitimate interests Process efficiency in dealing with such activity, and help you make the event or attend the service.
Respond to any enquiries you makeConsent
Safeguarding, child protection and health and safetyLegal Obligation & Vital InterestsTo safeguard individuals and comply with statutory duties.
Process a volunteer or job application.Contract & Legal ObligationTo manage recruitment and comply with employment law.
Participatory researchConsentTo involve you in research activities with informed agreement.

Marketing Consent

  • Marketing consent is optional and separate from service consent.
  • Declining marketing will not affect your access to services.
  • For newsletters, we use a double opt-in process for transparency.
  • You can withdraw consent at any time by clicking “unsubscribe” in emails or contacting dataprotection@spectra-london.org.uk.

Where we get personal information from

  • Directly from you
  • Family members or carers
  • Other health and care providers
  • Social services
  • Charities or voluntary sector organisations
  • Schools, colleges, universities or other education organisations
  • Councils and other public sector organisations
  • From other mental health providers

Who we share your information with and why

We will not share your data unless we are legally required to, or you have asked us to do so, and we will do what we can to protect it. This even includes sharing with other teams within Spectra. Should we need to share any identifiable data on to any other third parties we will only do so where there is a service need to do so, once we have obtained your consent or unless we are legally required to do so, for example to comply with the law, or a court order or where there is a clear safety risk to you or to someone else. If this is the case, we will always try to inform you.

Where some of our services are commissioned by a third party (the local authority, for example) we may be required to share some personal or statistical information with them. This will be clearly explained prior to the data collection for such services.

Data Processer

Spectra works with a number of trusted agencies and businesses in order to provide you the high-quality events and services you expect from us. We may pass your information to our third-party service providers, subcontractors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf (for example to maintain and support the management of your data). However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the service, and we have a contract in place that requires them to keep your information secure and not to use it for their own direct marketing purposes. Please be reassured that we will not release your information to third parties beyond the Spectra Network for them to use for their own direct marketing purposes, unless you have requested us to do so, or we are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crime.

We will not sell or rent your information to third parties.

We will not share your information with third parties for marketing purposes.

How long we keep your information

We only retain your personal data when it is necessary. We may retain your personal data for a longer period of time where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

If we collect your personal information, the length of time we retain it is determined by a number of factors including the purpose for which we use that information and our obligations under other laws. We will retain your personal data as follows:

    1. For short-term service, e.g. HIV testing, STI screening, one-off event and specific survey, personal data will be retained for 1 year after the events;
    2. for long-term service, e.g. counselling, mentoring, advocacy, 1-2-1 support and group work, personal data will be retained for 7 years after the data it is no longer needed by us for any of the purposes listed under How we use your information
    3. for counselling service users under the age of 18, personal data be retained until their 25th birthday, or else their 26th if the patient was 17 when counselling ended.
    4. email address for newsletter subscription is kept for a maximum term of 3 years post the last trackable action on a newsletter i.e. open or click through.
    5. for volunteer and job application, in the case of unsuccessful application, the personal data will be retained for a further 6 months in the event of a more suitable opportunity arising, after which time it will be destroyed.
    6. for non-specific online enquiries and any other enquiries that are not directly related to service provision, the personal data is kept for a max of one month post the contact time.

The only exceptions to this are where:

      • the law requires us to hold your personal information for a longer period or delete it sooner.
      • you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted or required under the law.
      • we bring or defend a legal claim or other proceedings during the period we retain your personal information, in which case we will retain your personal information until those proceedings have concluded and no further appeals are possible; or
      • in limited cases, existing or future law or a court or regulator requires us to keep your personal information for a longer or shorter period.

Specific Time Frames

Personal identifiable information on event booking data is kept for a maximum of one month post the event scheduled time.

How to complain

If you have any concerns about our use of your personal data, please contact us using the details at the top of this privacy notice. We will respond promptly and aim to resolve your concerns.

If you are not satisfied with our response, you have the right to complain to the Information Commissioner’s Office (ICO).

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint