Rosebud Business Finance
To comply with the UK General Data Protection Regulation (UK GDPR), where personal data relating to a data subject is collected, Lancashire County Council would like to provide you with the following details.
Contact details of this Lancashire County Council service:
Note that for queries intended for this specific service, do not contact the Data Protection Officer (DPO) mailbox, instead please direct your query to the following point of contact:
Reasons for processing your personal data
We process your personal data to deliver, manage and oversee the Rosebud Business Finance programme, which provides financial support and business growth assistance to eligible organisations. The use of personal data is essential to ensure the programme operates effectively, fairly and in the public interest.
Your personal data may be processed for the following purposes:
- Responding to enquiries and providing initial advice
To receive, log and respond to enquiries from businesses or their representatives, and to provide information about the support available. - Assessing eligibility and suitability for support
To determine whether a business meets the criteria for the programme and to ensure that support is directed appropriately. - Coordinating engagement and delivering support
To arrange meetings, communicate with you, and provide adviser support, guidance and ongoing engagement throughout your involvement with the programme. - Assessing applications and making funding decisions
To carry out proportionate and evidence-based assessments of applications for finance or other support, including understanding the individuals responsible for the business and their role in decision-making. - Administering financial assistance and related agreements
To manage the provision of loans or other financial support, including entering into agreements, making payments, managing repayments and maintaining records over the lifecycle of the support. - Managing relationships and case records
To maintain accurate records of interactions, decisions, and outcomes to ensure a consistent and informed service is provided. - Monitoring delivery, performance and outcomes
To evaluate how the programme is performing, measure its impact, and demonstrate that public funds are being used effectively and achieving intended economic outcomes. - Ensuring accountability, audit and compliance
To meet legal, financial and governance requirements, including audit, fraud prevention, subsidy control and financial assurance obligations. - Coordinating activity with delivery partners
To share necessary information with organisations involved in delivering elements of the programme, so that support is coordinated, consistent and not duplicated. - Improving services and informing future delivery
To analyse trends, understand demand, and improve how business support is designed and delivered, typically using aggregated or anonymised information where possible. - Supporting fair and inclusive access (where information is voluntarily provided)
To monitor and improve equality of access to public services and identify any barriers experienced by different groups. - Managing communications and preferences
Where you have chosen to receive them, to send updates, information or promotional material about the programme or related opportunities, and to manage your communication preferences.
Processing personal data for these purposes ensures that the programme can operate in a coordinated, efficient and accountable way, while providing appropriate support to businesses and safeguarding the use of public funds.
Use of artificial intelligence (AI) technologies
We are increasingly utilising AI technologies to process your personal data. This is primarily utilised within Lancashire County Council using Microsoft Copilot Web and Microsoft Copilot 365. Please consult our Artificial Intelligence privacy notice for more details of how we use these specific platforms.
We do not use AI to make automated decisions. There is always a human intervention to review and approve any outputs from the AI tools. Decisions are not made solely by automated means.
We may use artificial intelligence (AI) tools to support administrative processes, improve efficiency and enhance service delivery, such as summarising information, identifying key themes or assisting with routine tasks. These technologies are used with appropriate safeguards, and decisions about funding or eligibility are not made solely by automated means. Human oversight is applied to ensure accuracy, fairness and accountability at all times.
Legal basis for processing personal data
We rely on the following lawful bases under Article 6 of the UK GDPR when processing personal data for the Rosebud Business Finance programme:
- Article 6(1)(e) – Public task
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Council. This includes delivering economic development and business support functions under legislation such as the Local Government Act 1972, Local Government Act 2000 and the Localism Act 2011, as well as administering financial assistance in line with the Subsidy Control Act 2022. - Article 6(1)(b) – Contract
Where financial support is provided, processing is necessary for entering into and managing contractual agreements, including loan arrangements, repayments and associated administration. - Article 6(1)(c) – Legal obligation
Processing is necessary to comply with legal and regulatory requirements, including financial accountability, audit and fraud prevention obligations, for example under the Accounts and Audit Regulations 2015 and wider public finance requirements. - Article 6(1)(a) – Consent
Where applicable, we rely on consent for specific activities such as optional communications or equality monitoring, and you can withdraw your consent at any time.
These lawful bases ensure that personal data is processed appropriately, lawfully and in a transparent manner while delivering public services and managing public funds.
Legal basis for processing special categories of personal data
Where special category (sensitive) personal data is processed as part of the Rosebud Business Finance programme, we rely on one or more of the following conditions under Article 9 of the UK GDPR:
- Article 9(2)(g) – Substantial public interest
Processing is necessary for reasons of substantial public interest, including ensuring equality of opportunity, preventing discrimination and supporting inclusive access to public services. This is supported by the Data Protection Act 2018, Schedule 1, Part 2 (e.g. equality of opportunity or treatment). - Article 9(2)(a) – Explicit consent
In limited circumstances, such as voluntary equality monitoring, we rely on your explicit consent. You can withdraw your consent at any time. - Article 9(2)(f) – Legal claims (where applicable)
Processing may be necessary for the establishment, exercise or defence of legal claims, for example in relation to contractual or financial arrangements.
Special category data is handled with additional safeguards to ensure it is used proportionately, securely and only where necessary.
Information we process about you
As part of the Rosebud Business Finance programme, we may collect and process a range of personal data about business representatives, owners, directors, partners and other relevant individuals. This may include:
- Identity and contact information
Such as your name, job title, business role, address, email address and telephone number. - Business and professional information
Details about your organisation, your position within it, ownership or directorship information, and your involvement in business decision-making. - Application and eligibility information
Information provided as part of enquiries or applications, including business plans, project details, funding requirements and supporting documentation. - Financial and due diligence information
Relevant financial details where required to assess or administer support, including information necessary to undertake checks relating to identity, creditworthiness, fraud prevention and financial standing. - Correspondence and engagement records
Records of communications with you, including emails, meeting notes, telephone calls and interactions with advisers or delivery partners. - Monitoring and evaluation information
Information relating to the progress, outcomes and impact of support received, including business performance measures and programme outcomes. - Equality and diversity information (where voluntarily provided)
Data relating to characteristics such as age, gender, ethnicity or disability, used for monitoring fairness of access and service improvement. - Technical and usage information
Limited information collected through digital systems, such as system identifiers or usage logs, to support service delivery and security.
We only process personal data that is necessary and relevant for the purposes of delivering, managing and evaluating the programme.
Recipients of the personal data that we process about you
We may share your personal data with a range of organisations where it is necessary, proportionate and lawful to do so in connection with the delivery and oversight of the Rosebud Business Finance programme. These may include:
- Service delivery partners and advisers
External organisations and professional advisers who support the delivery of business support services or provide specialist advice. - Fund administrators and financial partners
Organisations involved in assessing applications, administering financial support, managing loans or processing payments. - Regulatory, audit and assurance bodies
Public authorities and auditors where required for compliance, inspection, financial assurance, subsidy control and the prevention or detection of fraud. - Other public sector organisations
Government departments, local authorities or agencies where there is a legal basis to share information, for example to coordinate funding, avoid duplication or support wider economic development activity. - IT system providers and data processors
Third-party suppliers who provide secure systems, hosting and technical services to support programme delivery, acting under contractual controls. - Professional services and legal representatives
Where necessary, for the purposes of obtaining advice or managing legal matters.
All sharing is carried out with appropriate safeguards to ensure that your personal data remains secure and is only used for specified and lawful purposes.
Any transfers to another country
Your personal data is primarily processed within the United Kingdom. In some cases, it may be processed or stored outside the UK, for example where systems or service providers operate internationally.
Where this occurs, we ensure that appropriate safeguards are in place to protect your personal data and maintain your rights. This includes relying on recognised adequacy regulations or implementing appropriate contractual protections, such as international data transfer agreements, to ensure that your information is handled securely and in accordance with UK data protection law.
Retention periods
Lancashire County Council will only store your information for as long as is legally required or in situations where there is no legal retention period they will follow established best practice.
| File type | Description | Security | Retention period |
|---|---|---|---|
| Initial enquiry records | Records of first contact including enquiry forms, emails or calls capturing basic business and contact details prior to eligibility confirmation. | Stored in access‑controlled case management systems; limited to staff handling enquiries; audit logging enabled. | Retained for up to 12 months from last contact where no further engagement takes place, then securely deleted. Retain for 7 years from case closure if enquiry leads to further work. |
| Ineligible or ceased enquiries | Records relating to businesses assessed as ineligible or who choose not to proceed beyond early discussion. | Secure electronic storage with role‑based access; no onward sharing beyond delivery staff. | Retained for up to 12 months after closure to evidence fair decision‑making, then securely deleted. |
| Engagement and adviser appointment records | Notes of discussions, appointment schedules, correspondence and engagement history for businesses supported but not funded. | Stored within secure council systems; access limited to authorised service officers and advisers. | Retained for 7 years from case closure to support audit, challenge and service reporting. |
| Funding application records – unsuccessful | Applications for finance that do not result in an offer, including supporting documentation and assessment notes. | Restricted access; encrypted storage; handled only by authorised assessment and governance staff. | Retained for 3 years from decision to demonstrate transparency and accountability, then securely deleted. |
| Funding application records – successful | Full application packs for approved funding, including business, director and assessment information. | High‑security storage; role‑based access; encryption at rest and in transit. | Retained for the duration of the loan or support plus 7 years after final repayment or end of support. |
| Loan management and repayment records | Ongoing records required to administer loans, track repayments and manage defaults if applicable. | Secure financial systems; restricted to finance and authorised programme staff; enhanced monitoring. | Retained for 7 years following full repayment or write‑off, in line with financial and audit requirements. If funding body requires specific retention period, retain in line with that. |
| Legal and contractual documents | Signed agreements, guarantees, engagement letters and formal correspondence forming part of contractual arrangements. | Stored in secure document management systems with restricted access and version control. | Retained for 7 years after termination or completion of the agreement. |
| Equality monitoring information (optional) | Voluntary data provided for monitoring inclusivity and accessibility of the programme. | Access strictly limited; separated from core application data where possible. | Retained for no longer than 6 years and reviewed regularly; anonymised or deleted when no longer required. |
| Marketing consent and communication preferences | Records showing opt‑in or opt‑out choices for newsletters or promotional communications. | Stored securely within communications systems with suppression controls applied. | Retained until consent is withdrawn or 24 months after last engagement, whichever is sooner. |
| Supplier processing records | Copies of data handled by delivery partners on behalf of the Council under instruction. | Controlled through contracts; secure systems; return or deletion required on instruction. | Retained only for the contracted processing period and securely deleted or returned at contract end. |
Your rights
You have certain rights under the UK General Data Protection Regulation (UK GDPR), these are those rights:
- to be informed via Privacy Notices such as this.
- to withdraw your consent. If we are relying on your consent to process your data, then you can remove this at any point.
- of access to any personal information the council holds about yourself. To request a copy of this information you must make a subject access request in writing. You are entitled to receive a copy of your personal data within 1 calendar month of our receipt of your subject access request. If your request is complex then we can extend this period by a further two months, if we need to do this, we will contact you. You can request a subject access request, either via a letter or via an email to Information Governance Team, address below.
- of rectification, we must correct inaccurate or incomplete data within one month.
- to erasure. You have the right to have your personal data erased and to prevent processing unless we have a legal obligation to process your personal information.
- to restrict processing. You have the right to suppress processing. We can retain just enough information about you to ensure that the restriction is respected in future.
- to data portability. We can provide you with your personal data in a structured, commonly used, machine readable form when asked.
- to object. You can object to your personal data being used for profiling, direct marketing or research purposes.
- in relation to automated decision making and profiling, to reduce the risk that a potentially damaging decision is taken without human intervention.
If you want to exercise any of these rights, then you can do so by contacting:
Information Governance Team
Lancashire County Council
PO Box 78
County Hall
Preston
PR1 8XJ
Email: dpo@lancashire.gov.uk
To ensure that we can deal with your request as efficiently as possible you will need to include your current name and address, proof of identity (a copy of your driving licence, passport or two different utility bills that display your name and address), as much detail as possible regarding your request so that we can identify any information we may hold about you, this may include your previous name and address, date of birth and what council service you were involved with.
Identity and contact details of the data controller
- Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ
Contact details of the data protection officer
- Our Data Protection Officer is Joanne Winston. You can contact her at dpo@lancashire.gov.uk or Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ
Further information
For more information about how we use personal information see Lancashire County Council's full privacy notice.
If you wish to raise a complaint on how we have handled your personal data, you can contact the Information Governance team who will investigate the matter.
Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ or email: dataprotection@lancashire.gov.uk
If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office (ICO).