Trading Standards

To comply with the UK General Data Protection Regulation (UK GDPR), where personal data relating to a data subject is collected, Lancashire County Council would like to provide you with the following details.

Contact details of this Lancashire County Council service:

Note that for queries intended for this specific service, do not contact the Data Protection Officer (DPO) mailbox, instead please direct your query to the following point of contact:

TSGeneralMail@lancashire.gov.uk or write to:

Lancashire County Council Trading Standards Service
County Hall
Pitt Street
Preston
PR1 0LD

Reasons for processing your personal data

Lancashire County Council’s Trading Standards Service is responsible for enforcing a wide range of public protection legislation to safeguard consumers and ensure fair, safe, and legal trading practices. This includes:

  • Consumer Protection and Fair Trading – investigating complaints about misleading pricing, descriptions, and unfair contract terms.
  • Product and Food Safety – ensuring goods and food meet legal standards.
  • Weights and Measures – verifying accuracy of weighing and measuring equipment.
  • Age‑Restricted Sales – enforcing laws on the sale of alcohol, tobacco, knives, and similar products.
  • Animal Health and Welfare – monitoring compliance with animal health regulations.
  • Licensing and Safety – overseeing petroleum, fireworks, and explosives licensing.
  • Business Advice and Compliance – providing guidance to help businesses meet legal obligations.

To deliver these statutory functions, Trading Standards may collect and process personal data from consumers, businesses, witnesses, and other parties involved in investigations or enforcement actions. This processing is necessary to investigate complaints, gather evidence, take enforcement action where appropriate, and promote a fair and safe trading environment across Lancashire.

Use of artificial intelligence (AI) technologies

We are increasingly utilising AI technologies to process your personal data. This is primarily utilised within Lancashire County Council using Microsoft Copilot Web and Microsoft Copilot 365. Please consult our Artificial Intelligence privacy notice for more details of how we use these specific platforms.

We do not use AI to make automated decisions. There is always a human intervention to review and approve any outputs from the AI tools. Decisions are not made solely by automated means.

Legal basis for processing personal data

The legal basis for processing your personal data, in accordance with the UK GDPR Article 6 is:

(c) Legal Obligation: the processing is necessary for us to comply with the law. We will cite the applicable legislation if we need to rely on this basis for processing.

Lancashire County Council is legally required to enforce consumer protection and related legislation, such as:

  • Consumer Rights Act 2015
  • Enterprise Act 2002
  • Weights and Measures Act 1985

This means collecting and using personal data to investigate complaints, conduct inspections, and take enforcement action is a statutory duty.

(e) Public Task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law. We will cite the applicable task/function and its' basis in law if we wish to rely on this basis for processing.

Trading Standards functions are carried out under official authority granted by law to protect consumers, ensure fair trading, and maintain public safety. Activities include:

  • Investigating suspected breaches of trading laws.
  • Taking enforcement measures such as warnings, compliance notices, or prosecutions.

Legal basis for processing special categories of personal data

The legal basis for processing special categories of personal data relating to you, in accordance with the UK GDPR Article 9 is:

(g) Processing is necessary for reasons of substantial public interest.

  • Trading Standards investigations aim to protect consumers and public safety, which is a substantial public interest.
  • Supported by the Data Protection Act 2018, Schedule 1, Part 2, which includes conditions such as:
    • Statutory and Government Purposes (paragraph 6)
    • Regulatory Requirements (paragraph 7)
    • Preventing or Detecting Unlawful Acts (paragraph 10)

Examples:

  • Processing health-related data in injury reports caused by unsafe products.
  • Handling sensitive data in fraud or counterfeit medicine cases.

Legal basis for processing criminal offence data

Our service will process criminal offence data where we have a legitimate requirement to do so. Where we process such data, we will rely on the following legal basis to do so:

Lancashire County Council Trading Standards processes criminal offence data when investigating suspected breaches of trading laws, fraud, or other unlawful acts.

This is done under statutory powers granted by legislation such as:

  • Consumer Rights Act 2015
  • Enterprise Act 2002
  • Weights and Measures Act 1985

The Data Protection Act 2018 supplements Article 10 by requiring:

  • A lawful basis under Article 6 (usually Public Task or Legal Obligation).
  • Compliance with Schedule 1 conditions (e.g., preventing or detecting unlawful acts, regulatory requirements).

Information we process about you

We may process the following types of personal information when carrying out Trading Standards functions:

  1. Identification Details
    • Name, address, date of birth, gender.
  2. Contact Information
    • Telephone numbers, email addresses, social media handles.
  3. Business‑Related Details
    • Sole trader or director names, business registration information, licensing details.
  4. Complaint and Case Information
    • Details of complaints, statements, correspondence, inspection notes.
  5. Transactional Data
    • Purchase history, invoices, receipts, payment details (where relevant to investigations).
  6. Evidence and Records
    • Photographs, video/audio recordings, seized documents, interview transcripts.
  7. Online Identifiers
    • IP addresses, usernames, website account details linked to investigations.
  8. Criminal Conviction Data
    • Information about suspected or proven offences relevant to enforcement action.
  9. Special Category Data (where necessary)
    • Health information (e.g., injury reports linked to unsafe products) processed under substantial public interest conditions.

Recipients of the personal data that we process about you

When necessary for the purposes of Trading Standards investigations and enforcement, we may share your personal data with:

  1. Other Local Authority Services
    • For example, Legal Services for prosecutions or Information Governance for compliance checks.
  2. Law Enforcement Agencies
    • Police and other authorities for the prevention and detection of crime.
  3. Regulatory and Government Bodies
    • HM Revenue & Customs (HMRC), Food Standards Agency (FSA), and other regulators for joint enforcement activities.
  4. Courts and Tribunals
    • When legal proceedings require disclosure of evidence.
  5. Approved Service Providers
    • IT system providers, secure storage providers, and accredited laboratories acting as data processors under contract.
  6. Other Local Authorities or Trading Standards Services
    • For intelligence sharing under statutory powers or formal agreements. This includes the National Anti-Fraud Network, National Trading Standards and the regional investigations teams.
  7. Public Disclosure (Limited)
    • Certain enforcement actions (e.g., undertakings or enforcement orders) may be published as required by law.

Any transfers to another country

  • Yes – Europe and America

Retention periods

Lancashire County Council will only store your information for as long as is legally required or in situations where there is no legal retention period they will follow established best practice.

File type Description Security Retention period
Consumer complaint case file Initial complaint record, contact details, narrative, correspondence and triage notes. Stored in secure case management system with role-based access; encrypted at rest and in transit. 6 years from case closure (subject to legal hold if linked to enforcement).
Investigation case file (no prosecution) Evidence collected, witness statements, business contact details, inspection notes. Secure case management repository; access restricted to investigating team; full audit logging. 6 years from case closure.
Prosecution case file Full evidential bundle, interview records (PACE), exhibits schedules, legal correspondence. Held in secure evidence repositories; controlled sharing with Legal Services and courts; chain of custody maintained. 7 years from conclusion of proceedings (final disposal), or longer where required by Criminal Procedure and Investigations Act disclosure duties or court orders.
Compliance notices / Enforcement orders / Undertakings Records of formal actions under Enterprise Act or sector-specific regulations and any enhanced consumer measures. Secure document store with restricted access; published elements held separately for public disclosure where applicable. 6 years from expiry or fulfilment of the notice/order/undertaking.
Licensing applications (petroleum / explosives) Applicant personal data, assessments, site plans, inspection reports, correspondence. Licensing system with RBAC; encrypted storage; physical documents in locked cabinets where applicable. Duration of licence plus 6 years. Site plans and associated documents are kept permanently
Test purchase and sampling records Test purchase details, receipts, packaging photographs, lab reports linking to individuals/businesses. Secure evidence storage; anonymised reporting where feasible; restricted access. 3 years from test date if no enforcement; if linked to enforcement, align with associated case file retention.
Interview recordings and transcripts PACE interviews under caution; witness interviews. Encrypted storage; limited access; integrity checks; chain of custody. 6 years from case closure (or 7 years if part of a prosecution case file).
Seized documents and exhibits (containing personal data) Business records, customer lists, invoices, device images relevant to investigation. Physical evidence in secure lockers; digital evidence in secure repository; access logged. Retain until conclusion of proceedings and resolution of appeals; thereafter align with prosecution/investigation case file retention.
Safe Trader Scheme membership records Applicant/Member personal data, vetting outcomes, complaints and feedback linked to the scheme. Scheme database with RBAC; encryption; limited administrative access. Membership duration plus 2 years; complaints linked to investigations follow case file retention.
Data sharing records (Information sharing agreements, disclosures to Police/HMRC/FSA) Copies of shared datasets, decision logs, MoUs, justification for sharing, audit trail. Secure records store; restricted to senior officers and IG team; audit logging. 6 years from date of sharing or termination of the agreement.
Access logs and audit trails System logs recording user access and actions on case records. Immutable logging with security monitoring. 12–24 months depending on system capability and security policy; extend under investigation of security incidents.
Correspondence (emails and letters) not already filed to case Operational emails with personal data that are not evidential but relate to the service. Email retention policy; secure mail; periodic review and filing to case or deletion. 1–2 years, then review for deletion or filing to the relevant case record.

Your rights

You have certain rights under the UK General Data Protection Regulation (UK GDPR), these are those rights:

  • to be informed via Privacy Notices such as this.
  • to withdraw your consent. If we are relying on your consent to process your data, then you can remove this at any point.
  • of access to any personal information the council holds about yourself. To request a copy of this information you must make a subject access request in writing. You are entitled to receive a copy of your personal data within 1 calendar month of our receipt of your subject access request. If your request is complex then we can extend this period by a further two months, if we need to do this, we will contact you. You can request a subject access request, either via a letter or via an email to Information Governance Team, address below.
  • of rectification, we must correct inaccurate or incomplete data within one month.
  • to erasure. You have the right to have your personal data erased and to prevent processing unless we have a legal obligation to process your personal information.
  • to restrict processing. You have the right to suppress processing. We can retain just enough information about you to ensure that the restriction is respected in future.
  • to data portability. We can provide you with your personal data in a structured, commonly used, machine readable form when asked.
  • to object. You can object to your personal data being used for profiling, direct marketing or research purposes.
  • in relation to automated decision making and profiling, to reduce the risk that a potentially damaging decision is taken without human intervention.

If you want to exercise any of these rights, then you can do so by contacting:

Information Governance Team
Lancashire County Council
PO Box 78
County Hall
Preston
PR1 8XJ

Email: dpo@lancashire.gov.uk

To ensure that we can deal with your request as efficiently as possible you will need to include your current name and address, proof of identity (a copy of your driving licence, passport or two different utility bills that display your name and address), as much detail as possible regarding your request so that we can identify any information we may hold about you, this may include your previous name and address, date of birth and what council service you were involved with.

Identity and contact details of the data controller

  • Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ

Contact details of the data protection officer

  • Our Data Protection Officer is Joanne Winston. You can contact her at dpo@lancashire.gov.uk or Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ

Further information

For more information about how we use personal information see Lancashire County Council's full privacy notice.

If you wish to raise a complaint on how we have handled your personal data, you can contact the Information Governance team who will investigate the matter.

Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ or email: dataprotection@lancashire.gov.uk

If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office (ICO).