Privacy Policy

Document Control

POLICY NAMESpectra CIC service user privacy notice
Document Description  This policy has been written in line with the requirements of the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).
Document Author Christopher Burgess
Core Officer ResponsibleDee Wang
Information Management ResponsibleJoel Robinson
StatusLive
Last Review Date02 July 2025
Mandatory Review Date / Expirers02 July 2026
Version Number2.0
Person Responsible for ReviewDee Wang

 

This procedure will be deemed no longer supported if there is a newer version available or the document has expired.

 

Version Control

 

Version Number DateAuthor Reason for New Version
0.12018-04-10C. BurgessDocument creation for GDPR
0.22018-05-11C. BurgessConference call changes
0.32018-05-11D. WangConference call changes
0.42019-11-06D. WangRetention statement changed for general email
0.52021-04-06D. WangReference updates
0.62022-08-24D. WangRephrase special category data
0.62024-01-05D. WangNo update
1.02024-11-20D. WangTitle change, format update and added details of data collection. Retention period updated for service users under 18.
2.02025-06-02D. WangContact address change

 

Spectra C.I.C and Spectra Charity (to be known as collectively as Spectra) are committed to complying with the UK General Data Protection Regulation and the Data Protection Act 2018, once enacted. Looking after the personal information you share with us is very important, and we want you to be confident that your personal data is kept safely and securely and to understand how we use it.

We have published this notice to help you understand

  • how and why Spectra collect information from you;
  • who we share your information with, why and on what basis; and
  • what your rights are.

If we make changes to this notice we will notify you by updating it on our website. Spectra C.I.C and Spectra Charity will be what is known as the ‘Data Controller’ of the personal data you provide to us, and we will sometimes refer to ourselves in this notice as “we” or “us”. By Data Controller, this means Spectra. determines the purposes and way in which any personal data are, or will be, processed.

However, there are some services where Spectra is the ‘Processor’ acting on behalf of another organisation (the NHS, for example). You will be notified specifically that who is responsible for your information and their privacy notice if this apply to the service you are receiving.

Should you need to contact us please write to:
Data Protection Officer, Spectra, China Works, Black Prince Rd, SE1 7SJ or via dataprotectionofficer@spectra-london.org.uk quoting Security and Privacy Enquiry. Telephone: 02033229620.

This privacy notice was last updated on 20 November 2024. Version 1.0

What information we collect, use, and why?

We only ask for your information when it relates to your service, or we are legally required to, and we will not ask for information that we do not need or will never use. These might include:

  • Names and contact details
  • Gender
  • Pronoun preferences
  • Addresses
  • Date of birth
  • Emergency contact details
  • Photographs or video recordings
  • Service use history
  • Health information (including medical conditions, test results, allergies, medical requirements and medical history)
  • Information about care needs (including disabilities, home conditions, dietary requirements and general care provisions)
  • Information about work, home and living conditions
  • Information about support requirements
  • Information about lifestyle, interests or personal history
  • Records of meetings and decisions
  • Information about income and financial needs for funding or personal budget support
  • Payment details (including card or bank information for transfers and direct debits)
  • Information relating to compliments or complaints
  • Taxpayer information (for Gift Aid purposes)
  • Marketing preferences
  • Records of consent, where appropriate
  • Financial transaction information

We also collect or use the following special personal information to provide services:

  • Racial or ethnic origin
  • Health information
  • Sex life information
  • Sexual orientation information

Evaluation data is not personally identifiable,  the data is anonymised and simply compiled for reporting. i.e. we have had 10 x White English attendees, 2 x Gay attendees, 12 x Have said they the event has helped. This data is used to make sure we are reaching all demographics and not excluding any populations, helping us to continually improve our services and to demonstrate impact for funding.

Spectra operates from the St Charles Center for Health and Wellbeing. The St Charles Center for Health and Wellbeing is a site controlled by the NHS Foundation; CCTV is in operation across the site for security monitoring purposes.  Spectra does not control this data.

Lawful bases and data protection rights

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.

Which lawful basis we rely on may affect your data protection rights which are in brief set out below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

If you make a request, we must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

Our lawful bases for the collection and use of your data

Data Protection says that we are allowed to use and share your personal data only where we have a proper reason to do so. The law says we must have one or more of these reasons and these are:

  • Consent – where you agree to us using your information in this way e.g. for storing your email address. we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
  • Contract – we have to collect or use your information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
  • Legitimate Interests – this means the interests of Spectra in managing our business to allow us to provide you with the best service in the most secure and appropriate way e.g., to transfer your data to certain Third Parties.
  • Legal Obligation – where there is statutory or other legal requirement to share the information e.g., when we have to share your information for law enforcement purposes.

Here is a list of the ways that we may use your personal information, and which of the reasons described above we rely on to do so. Where we list legitimate interests as a reason, we also describe below what we believe these legitimate interests are.

What We Use Your Personal Information ForOur Reasons (Legal Basis)Our Explanation of Bloomsbury’s Legitimate Interests
Marketing communications to inform you of events, campaigns, fundraising activities, service update and promotions of new servicesConsent
Providing HIV and other sexual health servicesConsent & Legitimate interests

 

Process efficiency in dealing with such activity, and help you make the event or attend the service.
Providing mental health and wellbeing servicesConsent, Legal Obligation & Legitimate interestsProcess efficiency in dealing with such activity, and help you make the event or attend the service.
Booking of event or serviceConsent
Seek your views or comments on the services we provideConsent & Legitimate interests

 

Process efficiency in dealing with such activity, and help you make the event or attend the service.
Respond to any enquiries you makeConsent
Create an individual profile for you so that we can understand and respect your preferencesConsent & Legitimate interests

 

Process efficiency in dealing with such activity, and help you make the event or attend the service.
Process a volunteer or job application.Consent
Identify and protect those at risk of harmConsent & Legal Obligation
Safeguarding, child protection and health and safetyLegal Obligation
Conducting participatory researchConsent

Where we get personal information from

  • Directly from you
  • Family members or carers
  • Other health and care providers
  • Social services
  • Charities or voluntary sector organisations
  • Schools, colleges, universities or other education organisations
  • Councils and other public sector organisations
  • From other mental health providers

Who we share your information with and why

We will not share your data unless we are legally required to, or you have asked us to do so, and we will do what we can to protect it. This even includes sharing with other teams within Spectra. Should we need to share any identifiable data on to any other third parties we will only do so where there is a service need to do so, once we have obtained your consent or unless we are legally required to do so, for example to comply with the law, or a court order or where there is a clear safety risk to you or to someone else. If this is the case, we will always try to inform you.

Where some of our services are commissioned by a third party (the local authority, for example) we may be required to share some personal or statistical information with them. This will be clearly explained prior to the data collection for such services.

Data Processer

Spectra works with a number of trusted agencies and businesses in order to provide you the high-quality events and services you expect from us. We may pass your information to our third-party service providers, subcontractors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf (for example to maintain and support the management of your data). However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the service, and we have a contract in place that requires them to keep your information secure and not to use it for their own direct marketing purposes. Please be reassured that we will not release your information to third parties beyond the Spectra Network for them to use for their own direct marketing purposes, unless you have requested us to do so, or we are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crime.

We will not sell or rent your information to third parties.

We will not share your information with third parties for marketing purposes.

How long we keep your information

We only retain your personal data when it is necessary. We may retain your personal data for a longer period of time where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

If we collect your personal information, the length of time we retain it is determined by a number of factors including the purpose for which we use that information and our obligations under other laws. We will retain your personal data as follows:

  1. For short-term service, e.g. HIV testing, STI screening, one-off event and specific survey, personal data will be retained for 1 year after the events;
  2. for long-term service, e.g. counselling, mentoring, advocacy, 1-2-1 support and group work, personal data will be retained for 7 years after the data it is no longer needed by us for any of the purposes listed under How we use your information
  3. for counselling service users under the age of 18, personal data be retained until their 25th birthday, or else their 26th if the patient was 17 when counselling ended.
  4. email address for newsletter subscription is kept for a maximum term of 2 years post the last trackable action on a newsletter i.e. open or click through.
  5. for volunteer and job application, in the case of unsuccessful application, the personal data will be retained for a further 6 months in the event of a more suitable opportunity arising, after which time it will be destroyed.
  6. for non-specific online enquiries and any other enquiries that are not directly related to service provision, the personal data is kept for a max of one month post the contact time.

The only exceptions to this are where:

  • the law requires us to hold your personal information for a longer period or delete it sooner.
  • you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted or required under the law.
  • we bring or defend a legal claim or other proceedings during the period we retain your personal information, in which case we will retain your personal information until those proceedings have concluded and no further appeals are possible; or
  • in limited cases, existing or future law or a court or regulator requires us to keep your personal information for a longer or shorter period.

Specific Time Frames

Personal identifiable information on event booking data is kept for a maximum of one month post the event scheduled time.

How to complain

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.

If you remain unhappy with how we’ve used your data after making a complaint with us, you can also complain to the ICO.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint