City of York Council (CYC) complies with the Data Protection Act 1998 and is a registered ‘Data Controller’. Our data protection notification is registered with the Information Commissioner’s Office (ICO) – reference Z5809563.

What information do we collect

The amount and type of information CYC collects from you will depend on why and how you are contacting or interacting with us and the service you are requesting.

This may simply mean providing your name and address, but for some services, we will need more details and sometimes sensitive personal information. For example if you are applying for social services or for public health functions, we may need information about your health.

How we use your personal information

We will only use your personal information in accordance with the Data Protection Act 1998 to provide you with statutory and other services. This may mean we share your personal information with internal departments or with external partners, agencies and contractors involved in delivering services on our behalf.

When we ask you for personal information, we will:

  • ensure you know why we need it
  • only ask for what is necessary for the service we are providing to you
  • protect it and make sure nobody has access to it who shouldn’t
  • ensure you know if you have a choice about giving us information
  • make sure we don’t keep it for longer than is necessary

We ask that you:

  • give us accurate information
  • tells us as soon as possible of any changes
  • tell us as soon as possible if you notice mistakes in the information we hold about you

Statutory services such as education and social care, protection of vulnerable children and adults, and the support of public health and wellbeing, may involve collecting, using and sharing Sensitive Personal Data as defined by the Data Protection Act 1998. We do not disclose or share sensitive or confidential information without your explicit consent except where disclosure is required by law, or where we have good reason to believe that failing to do so would put you or someone else at risk.

We may be required or permitted, under the Data Protection Act 1998 to disclose your personal information without your explicit consent. For example if we have a legal obligation to do so, such as law enforcement, regulation and licensing, criminal prosecutions and court proceedings.

CYC must protect public funds and may use personal information and data-matching techniques to detect and prevent fraud, collect taxes and ensure public money is targeted and spent in the most appropriate and cost-effective way. To do this, your information may be shared with other bodies responsible for auditing or administering public funds including the Audit Commission, the Department for Work and Pensions, other local authorities, HM Revenue and Customs, and the Police.

All Local Authorities have a duty to improve the health of the population they serve. To help with this our Public Health Team uses data and information from a range of sources, including data collected at the registration of a birth or death, to understand more about health and care needs in the York area. Find out how we use your information in our Privacy Notice for Public Health.

We may monitor and record electronic communications (website, email and phone conversations) for a number of reasons eg staff training, records of conversations or detection, investigation and prevention of crime. We will inform you if your call is being recorded or monitored.

We may use personal information to identify individuals who need additional support during emergencies or major incidents. For example emergency evacuation or flooding.

We will keep your personal information in accordance with our retention schedule requirements and when we no longer have a need to keep it, we will delete or destroy it securely.

You can find out more about how we handle personal information in our Data Protection policy.

Visiting our website

We are the sole owner of the information collected on our website. It does not store or capture personal information of users with general public access, but does log the IP address of a visitor. This enables us to determine which pages are being viewed and helps us to improve our services. It does not use cookies for the general running of the website, but does use them to enable requested services such as payments and to remember choices during the visit. Anonymous information about page visits is collected using Google Analytics.

Links to other websites

Our privacy notice does not cover external websites. We encourage you to read the privacy information on any other websites you visit. Our website also lists email addresses for external organisations (those addresses that don't end with ''); we cannot guarantee what will happen to your personal information if you email an external organisation.


By using our website you are consenting to certain types of cookie being placed on your device. See our cookies policy.

Where our website links to external resources or websites, these may add their own cookies. These are outside our control. Cookies can be disabled by changing the settings on your computer browser, but you may need to re-enter information at times.

Online Payments

The information you give to us when using our online payment system will only be used for the recording of your payment. We will ensure that it is used for no other purpose and is not disclosed to a third party, other companies or individuals unless required to do so by law for the prevention of crime and the detection of fraud. We will hold it securely and only for as long as is needed. It will then be deleted in line with our Retention and Disposal Policy and Procedures.


Emails that we send to you or you send to us may be retained as a record of contact and your email address stored for future use in accordance with our record retention schedules. If we need to email sensitive or confidential information to you, we may perform checks to verify the correct email address and may take additional security measures.

Unsolicited paper or electronic mail

You will not receive unsolicited paper or electronic mail as a result of sending us any personal information while using our website, unless you have given us permission to do this.

Third parties

CYC does not pass personal data to third parties for marketing, sales or any other commercial purposes without your prior explicit consent.

If we have to share your information externally, we require any third party to comply with the principles of the Data Protection Act 1998 and our procedures and instructions when they use your information on our behalf.

We may process your personal information using web services hosted outside the European Economic Area, but only where a data processing agreement is in place that complies with obligations equivalent to those of the principles of the Data Protection Act 1998.

Your rights

To find out about your rights under the Data Protection Act 1998, see the Information Commissioners Office (ICO) website.

The most common requests are:

  • you are entitled to ask for access to and a copy of any information we hold about you. If you find that the information the council holds about you is not accurate, you have the right to ask for it to be corrected
  • you can ask the council to stop processing your personal information in relation to any council service. This may delay or prevent us delivering a service to you. We will seek to comply with your request but may be required to hold or process information to comply with our legal duties.

You can also make a request or find out more about how we handle these requests.

If you have any questions about our Privacy Notice, your rights, or if you have a complaint about why your information has been collected, how it has been used or how long we have kept it for, please contact the Customer Feedback Team at

Also see

Comment on this page
Back to the top of the page