Retrofit One Stop Shop York Project Privacy Notice

City of York Council (CYC) current data protection notification is registered with the Information Commissioner’s Office (ICO) - reference Z5809563. We regularly review this privacy notice, and it was last updated in April 2026.

CYC is committed to ensuring that personal data is handled in accordance with the principles set out in data protection legislation and guidance from the Information Commissioner’s Office (ICO).

This privacy notice tells you what to expect when we collect personal information about you. It applies to Retrofit One Stop Shop York (ROSSY) Project.

CYC is the controller for this information unless we specifically state otherwise in this privacy notice.

You can contact the council’s Data Protection Officer at:

Telephone: 01904 555719.

Email: information.governance@york.gov.uk.

This privacy notice should be read in conjunction with other relevant CYC privacy notices that are available in our Privacy Notice and/or CYC policies and procedures.

When appropriate we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this document.

• How we collect your information
• What personal data we process and why
• Use of Artificial Intelligence
• Automated decision-making
• Collecting information automatically
• Children's information
• Lawful basis for processing your personal data
• How long we keep your personal data
• Data sharing
• Data processors and/or third parties
• Transfers of personal data
• How we protect your information
• Your rights in relation to this processing

How we collect your information

We get information:

• directly from you when you take part in our events, surveys, consultation
• directly from you when you contact us about the ROSSY project
• from third parties acting on your behalf such as family members, advocates, councillors, MPs
• from other organisations such as NHS and the police
• from our commissioned partners or contractors who undertake work on our behalf

We may also get address data from YorkMap, Energy Performance Certificate (EPC) OpenData, Building Research Establishment (BRE) modelling software, Parity Modelling software, Land Registry software and Ordnance Survey software.

Top of page

What personal data we process and why

We will process your personal data and special category data such as:

• your name
• your address
• if your property is in a conservation area and/or is a listed property
• specific details about your property such as build type, date, number of rooms etc
• your preferred contact details e.g., email address, phone number
• low-income indicators
• health information
• disability information
• internet accessibility
• your opinions, comments, and feedback, if you choose to take part in our surveys or consultations; you can withdraw your consent to these at any time by contacting us on email: saveenergy@york.gov.uk

We collect and use your information for one or more of the following purposes:

• to help you take part in surveys, consultation and attend events
• for the platform to recommend the most suitable energy efficiency installations for your home and to your specifications
• provide Bespoke Home Energy Efficiency Advice and Recommendations, based on the Current Energy Efficiency of your Property
• Home Energy Assessments
• a Recommended and Accredited Supplier Marketplace
• financing Options and Referral to Appropriate Grant Scheme Funding
• end-to-End Advisor Access

Top of page

Use of Artificial Intelligence

We may use Artificial Intelligence (AI) technologies to support or enhance council services. Where AI is involved in a process that directly affects your interaction with us, we will inform you before your user journey begins. This ensures transparency and helps maintain trust in how we use AI.

Our use of AI complies with the UK General Data Protection Regulation (UK GDPR), including the principles of lawfulness, fairness, transparency, accountability, and accuracy. We conduct Data Protection Impact Assessments (DPIAs) where AI systems are likely to result in high risks to individuals’ rights and freedoms, such as automated decision-making or profiling.

If generative AI tools are used, we do not use personal or end-user data to train AI models. This helps ensure compliance with the purpose limitation and data minimisation principles under UK GDPR.

AI for Staff Productivity and Accessibility

Where AI tools are used solely by staff to assist with drafting, research, or accessibility - for example, to improve writing efficiency or summarise information - these uses do not form part of a business process that affects service delivery or decision-making. As such, no specific notification will be provided for these internal productivity uses.

These uses are considered low-risk and do not involve automated decision-making that produces legal or similarly significant effects. They are also subject to internal governance and safeguards to ensure responsible use.

Examples include:

• drafting internal reports or meeting notes
• summarising lengthy documents for quicker review
• assisting with spelling, grammar, or formatting tasks

We may use your information to create reports and statistics that are anonymous and cannot be linked back to you or individuals such as:

• for statistical analysis
• for statutory returns
• for audit frameworks
• to see how the council and its partners are supporting individuals
• to help design better services
• to inform funding decisions

Top of page

Automated decision-making

We do not carry out any automated decision-making without any human intervention in delivering the ROSSY project.

Top of page

Collecting information automatically

Please see our Cookies Policy for further information about the information we collect automatically when you use our website.

Top of page

Children’s information

Where we provide services directly to children or young people, the information in the relevant parts of this notice applies to children and young people, as well as adults.

Top of page

Lawful basis for processing your personal data

Any personal data including special category data that we process about individuals is done so in accordance with one or more of the following Article 6 and 9 of the UK GDPR and Schedule 1 of the Data Protection Act 2018 (DPA 2018).

• Article 6(1)
  • (a) your explicit consent
  • (e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • (f) Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights, or freedoms of the data subject
• Article 9(2)
  • (a) your explicit consent
  • (g) Processing is necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards

Some of the Schedule 1 conditions for processing special category data require an Appropriate Policy Document (APD) to be in place, which sets out and explains the procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data. This document explains this processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018 and supplements this privacy notice

Our Appropriate Policy Document provides further information about this processing.

Top of page

How long we keep your personal data

We will only keep your information for as long as it is needed then it will be securely and confidentially deleted or disposed of.

You can find details on how long the council keeps records in the Retention Schedule.

Top of page

Data sharing

We will only share your information where it is appropriate to, with:

• other CYC services
• other councils, government departments and agencies
• other organisations such as NHS and the police
• third parties including our data processors, partners or contractors, who undertake work on our behalf
• internal and external auditors

In some circumstances, such as under a court order or safeguarding, we are legally obliged to share information.

We will always satisfy ourselves that we have a lawful basis on which to share the information and document our decision-making and satisfy ourselves we have a legal basis on which to share the information.

Additionally, we are required under the Public Records Act 1958 (as amended) to transfer records to the City or National Archives (TNA) for permanent preservation. Full consideration will be given to Data Protection and Freedom of Information legislation when making decisions about whether such records should be open to the public.

Top of page

Data processors and/or third parties

Where we have third parties providing parts or all of our services or partners enlisted in the production and use of the ROSSY platform (YorEnergy), we have contracts or agreements in place with them. These are listed below:

• Abundance Investment Ltd - read the Abundance Privacy Policy
• BrightSparks Agency - read the Brightsparks Privacy Policy
• the council's use of Canon (UK) Lts as its main multi-functional print devices. You can find out how they use information in the Canon (UK) Ltd Privacy Notice
• Energy Systems Catapult - read the ESC Privacy Policy
• Eventbrite for arranging and organising events. You can find out how they use information in the Eventbrite Privacy Policy
• Forviz Mazars, who provide external audit services to the council. You can find out how they use information at Local Government Audits in England - Forvis Mazars
• Granicus/Gov Delivery, to send you updates and newsletters. You can find out how they use your information in the Granicus Privacy Policy
• Mentimeter, at events for interactive presentation software. You can find out how they use your information in the Mentimeter Privacy Policy
• the council’s use of Microsoft 365 as its main operating system; read the Microsoft Privacy Statement, alongside our contract with Phoenix Software Limited; read the Phoenix Data protection information
• Microsoft forms as part of MS365 You can find out how they use information at in the Microsoft Privacy Statement
• Microsoft Teams, to contact you, to gather information from you, or if we are recording or transcribing our discussion or meeting with you, we will let you know. You can find more details about this in the City of York Council Microsoft Office 365 (MS365) Teams Meeting recording and transcription privacy notice
• Stockholm Environment Institute, University of York - read the SEI Privacy Policy
• SurveyMonkey for surveys or consultation. You can find out how they use information in the SurveyMonkey Privacy Notice
• Veritau Public Sector Limited (VPS), who provides services to the council such as internal audits. You can find out how they use your information in the Veritau Privacy Policy
• WhatsApp to contact you. You can find out how they use information in the WhatsApp Privacy Policy
• Wrapt Homes Ltd - read the Wrapt Homes Privacy Policy
• YorEnergy - read the YorEnergy Privacy Policy
• York and North Yorkshire Combined Authority - read the Y&NYCA Privacy Policy
• York Community Energy - read the YCE Privacy Policy
• YouTube, where we provide information in British Sign Language via the City of York Council YouTube channel, please read YouTube Privacy Settings and Google Privacy Policies
• Zimma Ltd trading as Ticket Tailor for arranging and organising events etc. You can find out how they use information in the Ticket Tailor Privacy Policy
• organisations to support the council’s corporate transformation programme such as Impower. Read the Impower Privacy Notice
• other specialist or assistive systems, software, platforms, applications (apps), to help provide our services and support to you and our staff

Top of page

Transfers of personal data

We do not routinely transfer personal data and special categories of personal data outside of the UK but when this is necessary, we ensure that we have appropriate safeguards in place and that is done in accordance with the UK data protection and privacy legislation.

Top of page

How we protect your information

We're committed to keeping your information safe and secure. There are several ways we do this, such as:

• IT security safeguards such as firewalls, encryption, and anti-virus software
• on-site security safeguards to protect physical files and electronic equipment
• training for all staff and elected councillors
• policies and procedures

Top of page

Your rights in relation to this processing

To find out about your rights under data protection law, you can go to the Information Commissioner's Office website.

You can also find information about your rights in our Privacy Notice.

If you have any questions about this privacy notice, want to exercise your rights, or if you have a complaint about how your information has been used, please contact us on email: information.governance@york.gov.uk, or on telephone: 01904 555719, or write to:

Top of page

Also see

• Website terms and disclaimer
• Data Protection Policy Statement
• Accessibility statement
• Cookies policy
• Copyright statement