Privacy notices

Updated: June 2026 

We are committed to protecting your privacy when you use our services. This privacy notice explains how we use your information and how we protect your privacy.

This is our main corporate privacy notice. It explains how Luton Council collects, uses, shares and protects personal data across the council.

Many services also have their own privacy notices, which provide more detailed information about:

• the personal data used by that service
• why it is used
• who it is shared with
• any service-specific arrangements

This corporate notice should be read alongside any relevant service privacy notice and applies where a service does not have its own notice. 

Data controller

Luton Council
Town Hall
George Street
Luton, LU1 2BQ

Data protection officer

Donna McLeod
Luton Council
Town Hall
George Street
Luton, LU1 2BQ

How to contact us

This email address is for data protection queries only.

By email:
dataprotection@luton.gov.uk

By post:
Data Protection Officer
Luton Council
Town Hall
George Street
Luton, LU1 2BQ

Personal data

Personal data means information which relates to a living person who can be identified directly or indirectly from that information, either on its own or when combined with other information.

We may collect different types of personal information depending on the service(s) you have involvement with. Common categories are listed below.

Identity and contact details

• Name, title, address, email address and telephone number
• Date of birth and customer or reference numbers
• National Insurance number and proof of identity

Personal and demographic details

• Age or date of birth, sex, gender identity, and marital or civil partnership status
• Pregnancy or maternity, ethnic origin, nationality, languages spoken, religion or belief, and sexual orientation
• Disability status and household composition

Some of this information may be collected for equality monitoring, accessibility, service planning, or to help us make sure services are fair and inclusive.

Household, family, safeguarding and support information

• Family composition, next of kin and emergency contacts
• Caring responsibilities, support needs and vulnerabilities
• Details of other individuals or organisations you are involved with

Employment, education and training information

• Occupation, employer and education history
• Qualifications, training records and attendance information
• References and information used to assess applications or provide support

Financial, benefits and transactional information

• Income, benefits and payment or billing information
• Bank details, council tax or rent account details, and debts owed to or by the council
• Information used to assess eligibility for financial support

Compliance, legal and enforcement information

• Complaints, investigations, inspections, interviews and legal proceedings
• Licensing, regulatory and enforcement activity, including warnings, notices, prosecutions and appeals
• Fraud prevention, anti-social behaviour, witness statements, intelligence and evidence records
• Criminal allegations, investigations, cautions, sanctions and offences

Service use and interaction information

• Service requests, case notes, correspondence and communications
• Appointments, visits, inspections, recordings, photographs, CCTV images and body-worn video
• Online account or website use information and records of your interactions with council systems
• Business or professional contact details where you interact with us in a work or trading capacity

Special category information

Special category data is personal data that is considered by law to be more sensitive and in need of extra protection. This can include information about:

• racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• rade union membership
• enetic data
• biometric data used to identify you
• health
• sex life or sexual orientation

Criminal offence data

Some services may also use information about:

• criminal allegations
• investigations
• witness statements
• intelligence
• evidence records,
• proceedings
• convictions
• offences
• cautions
• sanctions
• related safeguarding or enforcement matters

Where do we get your data from?

The source of personal information will vary depending on the service. We often collect information directly from you, for example when you:

• contact us
• complete a form
• apply for a service
• use our website
• otherwise interact with the council

We may also receive information from others, such as:

• public bodies
• partner organisations
• regulators
• health and care providers
• housing providers
• education settings
• government departments
• the police and other enforcement agencies
• courts and tribunals
• people acting on your behalf or supporting you
• your friends and family members
• neighbours
• other individuals. 

Why do we need your personal information?

The reasons we use personal information depend on the service using the data and what we need to do with it. Common reasons are set out below:

• provide services, support and advice
• assess eligibility, process applications and make decisions
• manage accounts, payments, charges and debts
• safeguard children and adults
• carry out licensing, regulatory, inspection and enforcement functions
• prevent and detect crime, fraud and misuse of public funds
• handle complaints, legal claims, appeals, investigations and prosecutions
• plan, monitor and improve our services, including quality assurance, audit, research and equality monitoring
• meet our legal and regulatory duties as a local authority

Who do we share your information with?

Who we share information with depends on the service and the reason for the processing. Common examples include:

• other council departments
• central government departments and agencies
• other local authorities
• health and social care organisations
• education providers
• housing providers
• police and other law enforcement bodies
• courts and tribunals
• regulators
• professional bodies
• voluntary and community organisations
• contractors or system suppliers

Why do we share your information?

We may share information for different reasons including to:

• provide services
• protect children or adults
• protect public funds
• prevent and detect potential crime or fraud
• manage complaints or legal claims
• where we are otherwise required or permitted to do so by law

Where we share data, we take steps to make sure personal information is handled lawfully and securely.

How the law allows us to use personal information

Data protection law requires us to identify a lawful basis for using personal data. Where we use special category data, we must also meet an additional condition under article 9 of the UK GDPR. Where we use criminal offence data, we must meet the relevant conditions under data protection law. The exact lawful basis and any additional condition will depend on the service and the reason for the processing.

Article 6 UK GDPR grounds for personal data

• Consent – where you have given us clear permission to use your information for a specific purpose.
• Contract – where we need to use your information to enter into or perform a contract with you.
• Legal obligation – where we need to use your information to comply with the law.
• Vital interests – where we need to use your information to protect someone’s life.
• Public task – where we need to use your information to perform our official functions or carry out tasks in the public interest.
• Legitimate interests – where we or a third party have a legitimate reason to use personal information, provided this is not overridden by your rights and interests.  

For most council services, we rely on legal obligation or public task, although in some circumstances we may rely on other lawful bases.

Article 9 UK GDPR grounds for special category data

• Explicit consent – Article 9(2)(a), where you have clearly agreed to the use of this information for a specific purpose.
• Employment, social security and social protection – Article 9(2)(b), for employment-related, social security or social protection functions.
• Vital interests – Article 9(2)(c), to protect someone’s life where consent cannot be given.
• Not-for-profit bodies – Article 9(2)(d), for certain legitimate activities of not-for-profit bodies.
• Manifestly made public – Article 9(2)(e), where you have clearly made the information public yourself.
• Legal claims or courts – Article 9(2)(f), for legal proceedings, obtaining legal advice, or establishing, exercising or defending legal claims.
• Substantial public interest – Article 9(2)(g), where processing is necessary for reasons of substantial public interest and supported by law. This often depends on a more specific condition in Schedule 1 of the Data Protection Act 2018.
• Health or social care – Article 9(2)(h), for the provision or management of health or social care or treatment.
• Public health – Article 9(2)(i), to protect against serious cross-border threats to health or for other public health reasons.
• Archiving, research and statistics – Article 9(2)(j), for archiving in the public interest, scientific or historical research, or statistical purposes, subject to safeguards.

Criminal offence data

Where we use information about criminal convictions or offences, we must have both a lawful basis under article 6 and satisfy the relevant conditions in schedule 1 of the Data Protection Act 2018. Common conditions used by councils include:

• safeguarding children and adults at risk
• preventing or detecting unlawful acts
• protecting the public against dishonesty or malpractice
• preventing fraud
• meeting statutory or government purposes

We only use what we need

We will only collect and use personal information if we need it to achieve our purposes or comply with the law. This will be limited to the minimum amount necessary and data will be pseudonymised where appropriate.

If we can achieve our purposes or comply with the law without using identifiable data, we will either securely remove the data or anonymise it, for example in some reports or areas of research.

Any automated decision making or profiling

Most council services do not make decisions about you based solely on automated processing that have legal or similarly significant effects. If a service does use automated decision-making or profiling in this way, it will explain this in its service privacy notice and tell you about the safeguards available to you, including how to request human intervention and challenge the decision.

The council may use data matching and data analysis tools to help identify anomalies, risks, potential fraud, or cases that may need further review. These checks do not by themselves determine an outcome, and where they are used they will usually lead to further assessment by a member of staff.

What are your rights?

Data protection law gives you rights over your personal information. These rights are not absolute and may not apply in every case. In particular, they may be limited where we need to:

• comply with the law
• carry out public tasks
• protect other people’s rights
• maintain safeguarding arrangements
• prevent or detect fraud or crime
• keep information for legal proceedings
• retain records in line with statutory duties and retention requirements

You do not usually have to pay to exercise your rights. We will normally respond within one month, although this can be extended where requests are complex or numerous. We may ask for proof of identity before responding. If a request is manifestly unfounded or excessive, we may refuse it or charge a reasonable fee where the law allows this. If we cannot comply with your request, we will explain why.

Right of access

You can ask for a copy of the personal information we hold about you and supplementary information about how we use it. This right may be limited where exemptions apply, including where disclosure would adversely affect the rights of others, prejudice crime prevention or detection, or reveal information we are required to withhold by law.

Right to rectification

You can ask us to correct inaccurate information or complete incomplete information. We may need evidence before making a change, and we may keep a record of the original information where this is necessary for legal or audit purposes.

Right to erasure

You can ask us to delete your information in some circumstances. This right does not apply where we still need the information to comply with the law, carry out a public task, exercise or defend legal claims, safeguard children or adults, prevent or detect fraud or crime, or keep records for statutory retention periods.

Right to restrict processing

You can ask us to limit how we use your information in some circumstances, for example while we are checking accuracy or considering an objection. We may still use restricted information where the law allows this, such as for legal claims or to protect the rights of another person.

Right to object

You can object in some circumstances, including where we rely on public task or legitimate interests. We may continue processing if we can demonstrate compelling legitimate grounds or if the processing is needed for legal claims or other lawful reasons. You also have an absolute right to object to direct marketing, although this is not usually relevant to core council services.

Right to data portability

Where processing is based on consent or contract and carried out by automated means, you can ask for the information you provided to be given to you or transmitted to another organisation in a structured, commonly used and machine-readable format. This right will not usually apply to council processing carried out under legal obligation or public task.

Rights relating to automated decision-making

If we make a decision about you using solely automated means and that decision has legal or similarly significant effects, you can ask for human intervention, express your point of view and challenge the decision.

If you want to exercise any of these rights, please contact us using the details at the top of this notice. For more information about your rights, you can also visit the Information Commissioner’s Office website. If we are processing your information for law enforcement purposes, some rights may be different.

How do we protect your information?

We take appropriate technical and organisational measures to protect personal information and to make sure it is handled lawfully, fairly and securely.

We make sure records about you, whether held on paper or electronically, are kept securely and only made available to people who need to see them. We use a range of security measures, such as access controls, pseudonymisation, encryption, staff training, and regular review of our systems and processes.

Where in the world is your information?

We do not routinely transfer personal data outside the UK.

If a particular service needs to transfer personal data outside the UK, the relevant service privacy notice should explain this in more detail. Where this applies, we will ensure that appropriate safeguards are in place as required by data protection law, such as adequacy regulations, the International Data Transfer Agreement, or the UK Addendum where relevant.

How long do we keep your personal information?

We will only keep your personal data for as long as it is needed for the purpose or purposes it was collected for, or for as long as we are required to keep it by law. Retention periods vary depending on the type of information and what we are using it for.

We decide how long to keep records by considering:

• the purpose of the processing
• legal and regulatory requirements
• limitation periods
• any ongoing need to retain the information for audit, safeguarding, fraud prevention or legal proceedings

When we no longer need your personal data, we will securely delete it or anonymise it.

How to raise a concern or make a complaint

If you have a question, concern or want to make a complaint about the use of your personal information, ontact us using the details at the top of this notice.

If you are not satisfied with our response, you can complain to the Information Commissioner’s Office (ICO), which is the UK regulator for data protection. You may also have the right to seek a judicial remedy if you believe your rights under data protection law have been infringed.

Contact the ICO using the details below.

ICO website: ico.org.uk

ICO telephone helpline: 0303 123 1113