Privacy Notice

The Spotlight is committed to keeping your personal data secure and we respect your right to privacy.

This privacy notice explains what personal data we collect from you, the purpose for which it is used, with whom it is shared and how long it is kept.

Personal data – what is it?

Personal data relates to a living individual who can be identified from that data. This can include information that can identify a person when it is put together with other information.

Some of your personal data fits into what are called ‘special categories of personal data’ because it is information that is considered to be more sensitive and therefore requires more protection. This includes information that identifies your racial/ethnic origin, political opinion, religious/philosophical beliefs, sexual orientation and information regarding your physical or mental health.

What personal data do we hold?

The type of personal data we collect depends on the Spotlight service(s) you are using, but it may include your:

  • Name
  • Address
  • Email address
  • Phone number
  • Debit card details (if you are making a payment to the Spotlight).

Why do we need your personal data?

We may need your personal data in order to:

  • Deliver services and support to you
  • Manage those services we provide to you
  • Help investigate any worries or complaints you have about our services
  • Keep track of spending on services
  • Check the quality of services
  • Help with research and planning new services.

What is our legal basis for using your data?

Our legal basis for holding and using your personal data will depend on the service we are providing to you. Generally, we collect and use personal data where:

  • You have entered into a contract with us
  • You, or your legal representative, have given consent
  • It is required by law
  • It is necessary for employment purposes
  • You have made your information publicly available
  • It is necessary for legal cases
  • It is for the benefit of society as a whole
  • It is necessary to protect public health
  • It is necessary for archiving, research or statistical purposes.

Sharing your personal data

Depending on the purpose for which we originally obtained your personal data and the use to which it is to be put, it may be necessary to share it with other organisations. In such cases, the personal data provided is only the minimum necessary to enable them to provide services to you.

Sometimes we are bound by law to share data with other organisations, such as Government departments. We may also share your personal data when we feel there is a good reason, such as in relation to the prevention of fraud or detection of a crime.

How do we protect your personal data?

We take measures to make sure the personal data is secure, whether it’s held on paper or electronically.

Examples of our security include:

  • Encryption, meaning that information is hidden so that it cannot be read without special knowledge (such as a password)
  • Pseudonymisation, meaning that we’ll use a different name so we can hide parts of your personal data
  • Controlling access to systems and networks allows us to stop people who are not allowed to view your personal data
  • Training for our staff allows us to make them aware of how to handle information and how and when to report when something goes wrong
  • Regular testing of our technology and ways of working, including keeping up to date on the latest security updates.

How long do we keep your personal data?

We only keep your personal data for as long as is necessary for the purpose for which it was taken, unless we have a legitimate reason for keeping it (e.g. adhering to a legal requirement to keep the data for a set time period). However, where possible we will anonymise this data so that you cannot be identified. Where we do not need to continue to process your personal data, it will be securely destroyed.

What are your rights?

Data protection legislation gives you the right to request a copy of the information we hold about you. This is called a Subject Access Request (SAR).

To submit a subject Access Request please email This request must be in writing and clearly specify what information you require.

If you believe the data we hold about you is incorrect, you have the right to request that it is corrected.

If your data is no longer needed for the purpose it was collected, in certain circumstances you have the right to request that this information is deleted (the right to erasure). However, there will be occasions when the Council has a legal duty to retain your data despite your request. We will advise you if this is the case.

You have the right to ask for your personal data to be given back to you or another provider of your choice in a commonly used format. This is called data portability. However, this only applies if we’re using your personal data with consent (i.e. not if we are required by law to use it) and if the decision was made by a computer (automated). It’s likely that data portability won’t apply to most of the services you receive from the Council.

You also have the right to object if you are being ‘profiled’. Profiling is where decisions are made about you based on certain things in your personal information (e.g. health conditions).

You can request for a restriction to be placed on further processing where there is a dispute in relation to the accuracy or processing of your personal data.

You have the right to object to or ask us to stop the processing of your personal data in certain circumstances. However, if this request is approved this may cause delays or prevent us delivering services to you. Where possible, we’ll seek to comply with your request, but we may need to hold or use information because we are required to do so by law.

Data Protection Officer

If you have any concerns, questions, comments or would like further information about data protection, please email the Council’s Data Protection Officer at or write to:

Broxbourne Council
Data Protection Officer
Legal Services
Bishops’ College

For more information on data protection or to lodge a complaint about the way we’ve used your personal data, contact the Information Commissioner’s Office via its website at or write to:

Information Commissioner’s Office
Wycliffe House
Water Lane