Privacy Policy

Document Control

POLICY NAMEData Collection, Privacy and GDPR Policy
Document Description  This policy has been written in line with the requirements of the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).
Document Author Christopher Burgess
Core Officer ResponsibleDee Wang
Information Management ResponsibleKaren Skipper
Last Review Date05 January 2024
Mandatory Review Date / Expirers06 January 2025
Version Number0.6
Person Responsible for ReviewDee Wang


This procedure will be deemed no longer supported if there is a newer version available or the document has expired.


Version Control


Version Number DateAuthor Reason for New Version
0.12018-04-10C. BurgessDocument creation for GDPR
0.22018-05-11C. BurgessConference call changes
0.32018-05-11D. WangConference call changes
0.42019-11-06D. WangRetention statement changed for general email
0.52021-04-06D. WangReference updates
0.62022-08-24D. WangRephrase special category data
0.62024-01-05D. WangNo update


Spectra C.I.C and Spectra Charity (to be known as collectively as Spectra) are committed to complying with the Data Protection Act 2018 and the UK General Data Protection Regulation, once enacted. Looking after the personal information you share with us is very important, and we want you to be confident that your personal data is kept safely and securely and to understand how we use it.

We have published this notice to help you understand

  • how and why Spectra collect information from you;
  • who we share your information with, why and on what basis; and
  • what your rights are.

If we make changes to this notice we will notify you by updating it on our website. Spectra C.I.C and Spectra Charity will be what is known as the ‘Data Controller’ of the personal data you provide to us, and we will sometimes refer to ourselves in this notice as “we” or “us”. By Data Controller, this means Spectra. determines the purposes and way in which any personal data are, or will be, processed.

Should you need to contact us please write to:
Data Protection Officer Karen Skipper, St Charles Center for Health and Wellbeing, Exmoor Street W10 6DZ or via quoting Security and Privacy Enquiry.

This privacy notice was last updated on 05 January 2022. Version 0.6


What information we collect when you register and why?

This depends on the service you require from us. We may collect information that includes your personal or sensitive information, such as:

Personal information

  • first name or given name
  • family name or surname
  • address, postcode
  • email
  • telephone numbers
  • date of birth

Sensitive personal information

  • data revealing racial or ethnic origin;
  • data concerning health;
  • data concerning your sex life; and
  • data concerning your sexual orientation.

Evaluation data is not personally identifiable,  the data is anonymised and simply compiled for reporting. i.e. we have had 10 x White English attendees, 2 x Gay attendees, 12 x Have said they the event has helped. This data is used to make sure we are reaching all demographics and not excluding any populations, helping us to continually improve our services and to demonstrate impact for funding.

Spectra operates from the St Charles Center for Health and Wellbeing. The St Charles Center for Health and Wellbeing is a site controlled by the NHS Foundation; CCTV is in operation across the site for security monitoring purposes.  Spectra does not control this data.

How do we use your information?

Data Protection says that we are allowed to use and share your personal data only where we have a proper reason to do so. The law says we must have one or more of these reasons and these are:

  • Contract – your personal information is processed in order to fulfill a contractual arrangement
  • Consent – where you agree to us using your information in this way e.g. for storing your email address
  • Legitimate Interests – this means the interests of Spectra in managing our business to allow us to provide you with the best service in the most secure and appropriate way e.g. to transfer your data to certain Third Parties .
  • Legal Obligation – where there is statutory or other legal requirement to share the information e.g. when we have to share your information for law enforcement purposes.

Here is a list of the ways that we may use your personal information, and which of the reasons described above we rely on to do so. Where we list legitimate interests as a reason, we also describe below what we believe these legitimate interests are.

What We Use Your Personal Information ForOur Reasons (Legal Basis)Our Explanation Of Bloomsbury’s Legitimate Interests
Marketing communications to inform you of events, campaigns, fundraising activities, service update and promotions of new servicesConsent

Administer any events in which you participate or wish to participate in

Consent & Legitimate interests


Process efficiency in dealing with such activity, and help you make the event or attend the service.
Booking of event or serviceConsent
Seek your views or comments on the services we provideConsent & Legitimate interests


Process efficiency in dealing with such activity, and help you make the event or attend the service.
Respond to any enquiries you makeConsent
Create an individual profile for you so that we can understand and respect your preferencesConsent & Legitimate interests


Process efficiency in dealing with such activity, and help you make the event or attend the service.
Process a volunteer or job application.Consent
Identify and protect those at risk of harmConsent & Legal Obligation


Who we share your information with and why

We will not sell or rent your information to third parties.

We will not share your information with third parties for marketing purposes.

Spectra works with a number of trusted agencies and businesses in order to provide you the high quality events and services you expect from us such as charities, none profit organisations, medical institutes amongst others. Some examples of the categories of third parties with whom we share your data are:

Third Party Service Providers working on our behalf: We may pass your information to our third party service providers, agents subcontractors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf (for example to process tests and send you mailings). However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the service and we have a contract in place that requires them to keep your information secure and not to use it for their own direct marketing purposes. Please be reassured that we will not release your information to third parties beyond the Spectra Network for them to use for their own direct marketing purposes, unless you have requested us to do so, or we are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crime.

Third Party Product Providers we work in association with: Spectra works with business who support our website and other business systems, such as IT companies and payment processors.

Automated Decisions

We do not use your data in any automated decisions.

Keeping in touch with you

We want to keep you up to date with information about new events, news, research and improvements to our website. When you subscribe to the organisation we will ask you if you want to receive this type of marketing information.

Spectra will not share your information with companies outside of Spectra for their marketing purposes.

If you decide you do not want to receive this marketing information you can request that we stop by writing to the Data Protection Officer Karen Skipper, St Charles Center for Health and Wellbeing, Exmoor Street W10 6DZ or via quoting Security and Privacy Enquiry or the unsubscribe link within the email.

You may continue to receive mailings for a short period while your request is dealt with.

How long we keep your information

We only retain your personal data when it is necessary. We may retain your personal data for a longer period of time where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

If we collect your personal information, the length of time we retain it is determined by a number of factors including the purpose for which we use that information and our obligations under other laws. We will retain your personal data as follows:

  1. For short-term service, e.g. HIV testing, STI screening, one-off event and specific survey, personal data will be retained for 1 year after the events;
  2. for long-term service, e.g. counselling, mentoring, advocacy, 1-2-1 support and group work, personal data will be retained for 7 year after the data it is no longer needed by us for any of the purposes listed under How we use your information above;
  3. email address for newsletter subscription is kept for a maximum term of 2 years post the last trackable action on a newsletter i.e. open or click through;
  4. for member scheme service, e.g. 24s, personal data will be retained for 3 year after last action utilising the membership. Renewal of membership will need be confirmed by email at the end of this period;
  5. for volunteer and job application, in the case of unsuccessful application, the personal data will be retained for a further 6 months in the event of a more suitable opportunity arising, after which time it will be destroyed;
  6. for non-specific online enquiries and any other enquiries that are not directly related to service provision, the personal data is kept for a max of one month post the contact time.

The only exceptions to this are where:

  • the law requires us to hold your personal information for a longer period, or delete it sooner;
  • you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted or required under the law;
  • we bring or defend a legal claim or other proceedings during the period we retain your personal information, in which case we will retain your personal information until those proceedings have concluded and no further appeals are possible; or
  • in limited cases, existing or future law or a court or regulator requires us to keep your personal information for a longer or shorter period.


Specific Time Frames

Personal identifiable information on event booking data is kept for a maximum of one month post the event scheduled time.


What are your rights

Your personal data is protected by legal rights, which include your rights to object to our processing of your personal data; request that your personal data is erased or corrected; request access to your personal data.

For more information or to exercise your data protection rights, please contact us using the contact details above. You also have a right to complain to the Information Commissioner’s Office, which regulates the processing of personal data.

You are entitled to request the following from Spectra, these are called your Data Subject Rights and there is more information on these on the Information Commissioners website

  • Right of access –to request access to your personal information and information about how we process it
  • Right to rectification –to have your personal information corrected if it is inaccurate and to have incomplete personal information completed
  • Right to erasure (also known as the Right to be Forgotten) – to have your personal information erased.
  • Right to restriction of processing – to restrict processing of your personal information
  • Right to data portability – to electronically move, copy or transfer your personal information in a standard form
  • Right to object – to object to processing of your personal information
  • Rights with regards to automated individual decision making, including profiling –rights relating to automated decision making, including profiling

If you have any general questions about your rights or want to exercise your rights please contact

You have the right to lodge a complaint with a data protection regulator. The contact details for the Information Commissioner’s Office (ICO), the data protection regulator in the UK, are available on the ICO website where your personal information has or is being used in a way that you believe does not comply with data, however, we encourage you to contact us before making any complaint and we will seek to resolve any issues or concerns you may have.