City of York Council (CYC) complies with the Data Protection Act 1998 and is a registered ‘Data Controller’. Our data protection notification is registered with the Information Commissioner’s Office (ICO) - reference Z5809563.

Health and Social Care Act 2012

Since April 2013 the Health and Social Care Act 2012 has given local authorities the power to perform public health functions.  This means that CYC has "A duty to improve the health of the people and responsibility for commissioning appropriate public health services" and the statutory responsibilities for public health services are clearly set out in the Health and Social Care Act 2012.

To deliver public health, local authorities need to use available health data sources to get relevant health and social care information. This data can contain person identifiable data (PID) which may identify patients such as name, address, age, sex, ethnicity, disease, use of hospital services, and/or NHS Number. Some data may not be obviously identifiable; however there may be the potential to identify individuals through combinations of information, either by the people handling the data or by those who see published results.

Who we collect information about

CYC collects and holds information for public health purposes about:

  • residents of York
  • people receiving health and care services in York
  • people who work or attend schools in York

to all of whom it has a public health duty of care.

CYC will also have access to the following data:

  • Primary Care Mortality Database (PCMD) - The PCMD holds mortality data as provided at the time of registration of the death along with additional GP details, geographical indexing and coroner details where applicable
  • Births and Vital Statistics datasets - Births files include date of birth, sex, birthweight, address, postcode, place of birth, stillbirth indicators and age of mother. Deaths data includes: deaths broken down by age, sex, area and cause of death sourced from the deaths register.

How we use information

CYC’s Public Health Team will access health and related information to analyse the health needs and outcomes of the local population and for monitoring trends and patterns of diseases and the associated risk factors.

All information accessed, processed and stored by CYC’s Public Health Team will be used to measure the health, mortality or care needs of the population; for planning, evaluating and monitoring health; protecting and improving public health. It is used to carry out and support:

  • health needs assessments
  • health equity analysis
  • commissioning and delivery of services to promote health and prevent ill health
  • public health surveillance
  • identifying inequalities in the way people access services
  • joint strategic needs assessment
  • health protection and other partnership

CYC’s Public Health team is committed to using pseudonymised or anonymised information as much as is practical, and in many cases this will be the default position.

  • Pseudonymisation is a procedure by which the most identifying fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. There can be a single pseudonym for a collection of replaced fields or a pseudonym per replaced field. The purpose is to render the data record less identifying and therefore lower customer or patient objections to its use.
  • Anonymisation is the process of removing identifying particulars or details from something, especially medical test results, for statistical or other purposes.

The legal basis for the flow of data for the above purposes is set out in Section 42(4) of the Statistics and Registration Service Act (2007) as amended by section 287 of the Health and Social Care Act (2012) and Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002.

How we keep information secure and who we share it with

We are required to comply with the Data Protection Act to ensure information is managed securely and this is reviewed every year as part of our NHS Information Governance Toolkit assessment.

Any personal identifiable data is sent or received using secure e-mail. All data is stored electronically on encrypted equipment and is managed using the principles of medical confidentiality and data protection. The number of staff accessing and handling such data is limited to only those key professionals named on relevant signed information sharing agreements (where applicable), all of whom undertake regular training about data protection and managing personal information.

Confidential public health data will only be shared with other areas of the NHS, local authorities or care organisations with the permission of the Caldicott Guardian, once the necessary legal basis has been established and data protection safeguards have been verified, so that the data is managed and used under the same restrictions. Anyone who receives information from CYC Public Health Team is also under a legal duty to keep it confidential.

In relation to births and deaths, the data will only be processed by CYC employees in fulfilment of their public health function, and will not be transferred, shared, or otherwise made available to any third party, including any organisations processing data on behalf of CYC or in connection with their legal function.

We only keep hold of information for as long as is necessary. This will depend on what the specific information is and the agreed period of time. Data is permanently disposed of after this period, in line with CYC’s retention policy/schedule or the specific requirements of the organisation who has shared the data with us.

How to opt out

You have the right to opt out of CYC receiving or holding your personal identifiable information. There are occasions where service providers will have a legal duty to share information, for example for safeguarding or criminal issues. The process for opting out will depend on the specific data and what programme it relates to. For further information, please contact the Public Health team by email at

Your rights

To find out about your rights under the Data Protection Act 1998, see the Information Commissioners Office (ICO) website.

The most common requests are:

  • you are entitled to ask for access to and a copy of any information we hold about you. If you find that the information the council holds about you is not accurate, you have the right to ask for it to be corrected
  • you can ask the council to stop processing your personal information in relation to any council service. This may delay or prevent us delivering a service to you. We will seek to comply with your request but may be required to hold or process information to comply with our legal duties

You can also make a request or find out more about how we handle these requests.

If you have any questions about our Privacy Notice, your rights, or if you have a complaint about why your information has been collected, how it has been used or how long we have kept it for, please contact the Customer Feedback Team at

Also see

Comment on this page