Your council

West Offices CCTV and Visitor Log Privacy Notice

City of York Council (CYC) current data protection notification is registered with the Information Commissioner’s Office (ICO) – reference Z5809563. We regularly review this privacy notice, and it was last updated in February 2026.

CYC contracts with Gough & Kelly Security Ltd. (G&K) to provide the CCTV services. G&K is an Information Commissioner's Office (ICO) registered data controller (Z1585966) and a National Security Inspectorate (NSI) Gold approved company contracted to the council to manage CCTV operations. The NSI is recognised as the leading certification body for the security and fire protection sectors in the UK.

For the purposes of data protection legislation, CYC is the data controller and G&K are the data processor and are both responsible to you under the law for the processing set out in this privacy notice.

CYC and G&K are committed to ensuring that personal data is handled in accordance with the principles set out in data protection legislation and guidance from the Information Commissioner’s Office (ICO).

This privacy notice tells you what to expect when we process your information, and it applies to West Offices CCTV and Visitor Log.

You can contact the council’s Data Protection Officer at email: information.governance@york.gov.uk or telephone: 01904 555719, or write to:

Data Proctection Officer
City of York Council
West Offices
Station Rise
York
YO1 6GA

You can contact G&K’s Data Protection Officer at email: enquiry@gough-kelly.co.uk or telephone: 0344 8807100, or write to:

Gough & Kelly
Unit 2, Railsfield Mount
Bramley
Leeds
LS13 3AX

This privacy notice should be read in conjunction with other CYC privacy notices that are available in our Privacy Notice and/or CYC policies and procedures.

When appropriate we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this privacy notice.

How we collect your information

We get information about you from the following sources:

  • directly from you when you visity or attend West Offices
  • our CCTV systems in West Offices and its external periemeter

Top of page

What personal data we process and why

Our CCTV systems will process images from the systems in West Offices and its external perimeter.

When you visit or attend West Offices, we will collect your information in the Visitor Log at our main reception area in the customer centre. This will include one or more of the following:

  • name
  • date and time you arrive and leave
  • department, team, or service area
  • company or business name
  • your point of contact in West Offices
  • ID card number (if needed)
  • date and time of your arrival and when you leave
  • contact phone number
  • any accessibility requirements

We use CCTV and the Visitor Log for one or more of the following:

  • to help keep members of the public and staff safe, both inside the building and around the outside areas
  • to support security, fire safety and evacuation procedures
  • to prevent and deter crime
  • to provide evidence to the police, legal representatives, insurance companies or courts when this is appropriate and lawful
  • to carry out welfare and security checks for individuals when needed and appropriate

To find out about the council’s use of AI please see Our Privacy Notice – City of York Council

We may use your information to create reports and statistics that are anonymous and cannot be linked back to you or individuals such as:

  • for statistical analysis
  • for statutory returns
  • for audit frameworks
  • to see how the council and its partners are supporting individuals
  • to help design better services
  • to inform funding decisions

Top of page

Automated decision-making

We do not carry out any automated decision-making in our use of CCTV systems.

Top of page

Collecting information automatically

Please see our Cookies Policy for further information about the information we collect automatically when you use our website.

Top of page

Children’s information

Where we provide services directly to children or young people, the information in the relevant parts of this notice applies to children and young people, as well as adults.

Top of page

Lawful basis for processing your personal data

Any personal data, special category data and criminal offence data that we process about individuals is done so in accordance with one or more of the following Articles 6 and 9 and 10 of the UK GDPR and Schedule 1 of the Data Protection Act 2018 (DPA 2018).

  • Article 6(1)
    • (d) Vital interests: the processing is necessary to protect someone’s life.
    • (e) Public task: the processing is necessary for the council to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
    • (f) Legitimate interests: the processing is necessary for the council’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks)
  • Article 9(2)
    • (c) Vital interests
    • (g) Reasons of substantial public interest (with a basis in law)

This is supported by Schedule1, Part 2 (6) of the Data Protection Act 2018 and the following legal framework:

  • Health and Safety at Work etc. Act 1974 (HSWA)
  • Regulatory Reform (Fire Safety) Order 2005
  • The Terrorism (Protection of Premises) Act 2025
  • Prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties including the safeguarding against and the prevention of threats to public security
  • Crime and Disorder Act

Where we process information relating to criminal convictions and offences, this is under Article 10 UK GDPR that covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences, or proceedings for an offence committed or alleged to have been committed, including sentencing.

Some of the Schedule 1 conditions for processing special category and criminal offence data require an Appropriate Policy Document (APD) to be in place, which sets out and explains the procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data. This document explains this processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018 and supplements this privacy notice

Our Appropriate Policy Document – City of York Council provides further information about this processing.

Top of page

How long we keep your personal data

CCTV data will only be kept for as long as is necessary and will be automatically and securely overwritten after 31 days.

We will only keep your information from the Visitor Log for as long as it is needed then it will be securely and confidentially deleted or disposed of.

You can find details about how long the council keeps records at the council retention schedule.

Top of page

Data sharing

We will only share your information where it is appropriate to, with:

  • other CYC services
  • other councils, government departments and agencies
  • other organisations such as the Police
  • third parties including our data processors, partners or contractors, who undertake work on our behalf
  • retail and licensed premises who use ‘Storenet’ including SIA licensed operatives
  • internal and external auditors

In some circumstances, such as under a court order or safeguarding, we are legally obliged to share information.

We will always satisfy ourselves that we have a lawful basis on which to share the information and document our decision making.

Additionally, we are required under the Public Records Act 1958 (as amended) to transfer records to the City or National Archives (TNA) for permanent preservation. Full consideration will be given to Data Protection and Freedom of Information legislation when making decisions about whether such records should be open to the public.

Top of page

Data processors and/or third parties

When we have third parties providing parts or all of our services, systems, software, platforms, applications (apps) etc for us, we have contracts or agreements in place with them. These include:

Top of page

Transfers of personal data

We do not routinely transfer personal data, special categories of personal data or criminal offence data, outside of the UK but when this is necessary, we ensure that we have appropriate safeguards in place and that is done in accordance with the UK data protection and privacy legislation.

Top of page

How we protect your information

We're committed to keeping your information safe and secure. There are several ways we do this, such as:

  • IT security safeguards such as firewalls, encryption, and anti-virus software
  • on-site security safeguards to protect physical files and electronic equipment
  • training for all staff and elected councillors
  • policies and procedures

Top of page

Your rights in relation to this processing

To find out about your rights under data protection law, you can go to the Information Commissioner's Office website.

You can also find information about your rights in our Privacy Notice.

If you have any questions about this privacy notice, want to exercise your rights, or if you have a complaint about how your information has been used, please contact us on email: information.governance@york.gov.uk, or on telephone: 01904 555719, or write to:

Data Protection Officer
City of York Council
West Offices
Station Rise
York YO1 6GA

Top of page

Also see

Comment on this page