Your council

Our Data Protection Policy Statement

We regularly update our Data Protection Policy Statement; it was last updated in September 2021. The date of formal approval for this version was the September 8 2021. It was approved by Janie Berry, Director of Governance and Monitoring Officer, and the Responsible Officer is Lorraine Lunt.

The next review for the Data Protection Policy Statement will be in September 2022. We will retain this version of the document until it has been superseded.


This Data Protection Policy Statement sets out our commitment to:

  • comply with data protection law and follow good practice
  • protect the rights of staff, citizens and partners
  • being open about how we store and process individuals' data
  • protect ourselves from the risks of a data breach

The scope of the Policy Statement applies to:

  • all substantive and temporary employees of City of York Council
  • any individual including contractors, volunteers and others who work on behalf of the council
  • all students and those undertaking a work experience placement
  • Elected Members

This policy outlines the behaviours and responsibilities expected in order to ensure the council continues to fulfil its obligations under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act (DPA) 2018 and any other related legislation.


Statement of commitment

All council employees, Councillors, volunteers and organisations working on behalf of the council are committed to:

  • ensuring that we comply with the data protection principles, as listed within the current Data Protection legislation
  • meeting our legal obligations as laid down by the current Data Protection legislation
  • ensuring that data is collected and used fairly, lawfully and in a transparent manner
  • processing personal data only in order to meet our operational needs or fulfil legal requirements
  • taking steps to ensure that personal data is up to date and accurate
  • establishing appropriate retention periods for personal data and ensuring these are complied with
  • ensuring individuals are informed appropriately about their rights and that we action these correctly
  • providing adequate organisational, technical and security measures to protect personal data
  • ensuring that all staff are aware of data protection and privacy requirements
  • providing adequate training for all staff responsible for personal data
  • ensuring that everyone handling personal data knows where to find further guidance
  • ensuring that queries about data protection, internal and external to the council, are dealt with effectively and promptly
  • regularly reviewing data protection procedures and guidelines within the council

Top of page


Roles and Accountability

The Chief Operating Officer must appoint a manager of an appropriate seniority as its Senior Information Risk Owner (SIRO).

Senior Information Risk Owner

The SIRO is accountable and responsible for information risk across the council and they ensure that everyone is aware of their personal responsibility to exercise good judgement, and to safeguard and share information appropriately.

The SIRO will also:

  • act as an advocate for information governance and assurance at Council Management Team (CMT) and in internal discussions
  • chair the Governance Risk and Assurance Group (GRAG)
  • ensure reports are provided to the Audit and Governance Committee relating to information risk
  • managing delivery of information governance and assurance services
  • ensure that information risks are treated as a priority for the business
  • play a vital role in getting the council to recognise the value of its information
  • by treating information as a business priority not only an ICT issue, ensure that risks are addressed, managed and capitalised upon

The current SIRO is Janie Berry, Director of Governance and Monitoring Officer.

Information Asset Owner

Information Asset Owners (IAO) are senior members of staff who are the nominated owner for one or more identified information assets in the council. They must be senior or responsible individuals involved in running the relevant service areas.

IAOs should be in position to have a good knowledge of their asset and how and why it is processed to give them a good understanding of the risks and opportunities associated with it. They also need to be aware of the consequences and impacts of those risks materialising.

The IAO will also:

  • lead and foster a culture that values, protects and uses information correctly
  • provide assurance for the security and use of their asset annually to the SIRO and the Governance Risk and Assurance Group (GRAG)
  • be responsible for approving, monitoring and minimising data transfers or sharing
  • approve data protection impact assessments (DPIA) for any new systems or projects that involve the processing of their information asset

Information Asset Administrator

The role of Information Asset Administrators (IAAs) is to support the IAO.

The IAA should be closely associated with the information asset and its day to day processing so that they have a full understanding of what information is held, what is added and what is removed, how information is moved, and who has access and why, in their information asset.

The IAA will also:

  • identify, assess, address and manage risks to the information, and ensure that its use is fully within the law
  • ensure that opportunities for the use of the information asset can be exploited more efficiently and safely
  • input into DPIAs for any new systems or projects that will involve the processing of their asset
  • know who has access and why to their information asset, and ensure their use is monitored

Caldicott Guardian

The council’s registered Caldicott Guardians (CGs) are:

  • Sharon Stoltz, Director of Public Health
  • Michael Melvin, Director of Safeguarding

The CGs are responsible for protecting the confidentiality of people’s health and care information, and making sure such data is used properly. The key responsibilities are:

  • strategy and governance - to act as a champion for data confidentiality at Directorate Management level and as part of an organisations Information Governance Board
  • to provide confidentiality and data protection expertise - to develop a knowledge of confidentiality and data protection matters including links with external sources of advice and guidance
  • internal information processing - to ensure that confidentiality issues are appropriately reflected in organisational strategies, policies and working procedures for staff
  • information sharing - to oversee all arrangements, protocols and procedures where confidential social care information may be shared with external bodies including disclosures to other public sector agencies and other outside interest

Data Protection Officer

The role of the Data Protection Officer (DPO) is to:

  • assist the council to monitor internal compliance
  • inform and advise the council on its data protection obligations
  • provide advice regarding DPIAs
  • act as a contact point for data subjects and the supervisory authority, such as the Information Commissioner’s Office (ICO)
  • help the council demonstrate compliance
  • be an easily accessible point of contact for staff, individuals and the ICO

The DPO must:

  • report directly to our highest level of management
  • be given the required independence to perform their tasks
  • have expert knowledge of data protection law and practices
  • be involved in a timely manner, in all issues relating to the protection of personal data
  • sufficiently well resourced to be able to perform their tasks
  • not be penalised for performing their duties

The DPO contact details are published on the council’s website, intranet and have been communicated to the ICO.

The Council’s Corporate Directors and Directors

Corporate Directors and Directors have responsibility for:

  • ensuring the council’s compliance with the current Data Protection legislation
  • assigning responsibilities for adherence to the council’s policies and procedures
  • ensuring that complaints from the public or from the Information Commissioner’s Office are dealt with promptly and appropriately

All staff with line management or supervisory responsibilities

Managers and supervisors are responsible for ensuring that staff under their control who process personal data in any way:

  • are made aware of their personal obligations and responsibilities under the current data protection legislation
  • receive appropriate training
  • are made aware of the council’s policies and procedures relating to personal information

All individuals who have access to council data

Individuals who have access to council data are responsible for:

  • complying with the council’s policies and legislation
  • ensuring good data protection and privacy practices are followed at all times
  • seeking advice, assistance and training when required

Top of page


Associated and further reading

Further reading and information on data protection and privacy is available on the Information Commissioner’s Office website.

Top of page


Also see

Data Protection Officer

West Offices, Station Rise, York, YO1 6GA

Telephone: 01904 554145