Cookie Consent by Free Privacy Policy Generator website

Our Privacy Notice

City of York Council (CYC) current data protection notification is registered with the Information Commissioner’s Office (ICO) - reference Z5809563. We regularly review this privacy notice, and it was last updated in April 2025.

CYC is committed to ensuring that your information is handled in accordance with the principles set out in data protection legislation and guidance from the Information Commissioner’s Office (ICO).

This privacy notice tells you what to expect when we process information about you.

CYC is the controller for this information unless we specifically state otherwise.

You can contact the council’s Data Protection Officer on email: information.governance@york.gov.uk, or telephone: 01904 554145, or write to:

Data Protection Officer
City of York Council
West Offices
Station Rise
York
YO1 6GA

This privacy notice should be read in conjunction with other CYC privacy notices that are available in our Privacy Notice and/or CYC policies and procedures.

When appropriate we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this document.

How we collect your information

We get information about you from different sources and you can find more details about this in our Service Privacy Notices.

Our service areas may collect and use your information through consultation or surveys, in a way which is not covered by the relevant service privacy notice.

If they do, they will notify you as part of the consultation or survey and will publish the associated privacy notice at consultation and survey Privacy Notices.

Top of page

What personal data we process and why

The amount and type of information we process depends on why and how you're contacting or interacting with us, and the service you're requesting. You can find more details about this in our Service Privacy Notices.

In some cases you may only need to provide your name and address to access services, in other instances we'll need more details or may require special categories of personal data. For example, if you're applying for public health or social services, we may need information about your health.

Where we process information relating to criminal convictions and offences, this includes details of any past criminal convictions or offences.

When you complete an online form on the council’s website and you have provided your email address, we will send you a copy of your completed online form.

Where we have a lawful basis and it is appropriate to do so, we may monitor and record our communications (website, email and phone conversations) with you.

We'll inform you if your call is being recorded and you can find more details in our Call Recording Privacy Notice.

We may use information to identify individuals who need additional support during emergencies or major incidents such as emergency evacuation, flooding.

All local authorities have a duty to improve the health of the population they serve. To help with us do this, our Public Health Team uses data and information from a range of sources, including data collected at the registration of a birth or death, to understand more about health and care needs in the York area.

Top of page

Automated decision-making

Our service privacy notices explain about automated decision-makings and your right to object to this.

Top of page

Collecting information automatically

Please see our cookies policy for further information about the information we collect automatically when you use our website.

Top of page

Children's information

Where we provide services directly to children or young people, the information in the relevant parts of this notice applies to children and young people, as well as adults.

Top of page

Lawful basis for processing your personal data

Any personal data, special category data and criminal offence data that we process about individuals is done so in accordance with one or more of the following Article 6, 9 and 10 of the UK GDPR, and Schedule 1 of the Data Protection Act 2018 (DPA 2018) and will be set out in the relevant service privacy notice.

In many cases laws exists (such as the Local Government Acts and the Localism Act 2011) which say we must or can use your data, and we can do so without your consent or permission - for more information see Statutory duties placed on local government.

Where we process information relating to criminal convictions and offences, this is also under Article 10 UK GDPR that covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences, or proceedings for an offence committed or alleged to have been committed, including sentencing.

Some of the Schedule 1 conditions for processing special category and criminal offence data require an Appropriate Policy Document (APD) to be in place, which sets out and explains the procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data. This document explains this processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018 and supplements this privacy notice.

Our Appropriate Policy Document provides further information about this processing.

Top of page

How long we keep your personal data

We will only keep your information for as long as it is needed then it will be securely and confidentially deleted or disposed of.

You can find details about this in our Service Privacy Notices and also in our Council retention schedule.

Top of page

Data sharing

We will only share your information where it is appropriate to, with:

  • other CYC services
  • other councils, government departments and agencies
  • other organisations such as NHS
  • third parties including our data processors, partners or contractors,  who undertake work on our behalf
  • specialist or assistive systems, software, platforms, applications (apps) to help provide our services and support to you, such as UK Immigration ID check
  • internal and external auditors

In some circumstances, such as under a court order or safeguarding, we are legally obliged to share information.

We will always satisfy ourselves that we have a lawful basis on which to share the information and document our decision-making and satisfy ourselves we have a legal basis on which to share the information.

We must protect public funds and may use personal data and data-matching techniques to detect and prevent fraud, collect taxes and ensure public money is targeted and spent in the most appropriate and cost-effective way. To do this, your personal data may be shared with other bodies responsible for auditing or administering public funds, including the Department for Work and Pensions, HM Revenue and Customs, the Police and other local authorities.

Additionally, we are required under the Public Records Act 1958 (as amended) to transfer records to the City or National Archives (TNA) for permanent preservation. Full consideration will be given to Data Protection and Freedom of Information legislation when making decisions about whether such records should be open to the public.

Top of page

Data processors and or third parties

Where we have third parties providing parts or all of our services, systems, software, platforms, applications (apps) etc for us, we have contracts or agreements in place with them. This includes

You will find more details about data processors and or third parties in service privacy notices.

Top of page

Transfers of personal data

We do not routinely transfer personal data, special categories of personal data or criminal offence data outside of the UK but when this is necessary, we ensure that we have appropriate safeguards in place and that is done in accordance with the UK data protection and privacy legislation.

Top of page

How we protect your information

We are committed to keeping your information safe and secure. There are several ways we do this, such as:

  • IT security safeguards such as firewalls, encryption, and anti-virus software
  • on-site security safeguards to protect physical files and electronic equipment
  • training for all staff and elected councillors
  • policies and procedures

Top of page

Visiting our website and links to other websites

We are the sole owner of the information collected via our website.

Our website does not store or capture personal data of users with general public access, but does log the IP address of a visitor. This enables us to determine which pages are being viewed and helps us to improve our services.

Our website does not use cookies for the general running of the www.york.gov.uk website, but does use them to enable requested services (for example, payments) and to remember choices during the visit.

Anonymous information about page visits is collected using Google Analytics.

Our privacy notice does not cover external websites; we encourage you to read the privacy notices on any other websites you visit.

Our website also lists email addresses for external organisations (those addresses that don't contain 'york.gov.uk'); we cannot guarantee what will happen to your personal data if you email an external organisation.

Top of page

Cookies

By using our website you are consenting to certain types of cookie being placed on your device. See our Cookies policy.

Where our website links to external resources or websites, these may add their own cookies. These are outside our control. Cookies can be disabled by changing the settings in your browser, but you may need to re-enter information at times.

Top of page

Online Payments

The information you give to us when using our online payment system will only be used for the recording of your payment.

You can find more details at Online Payments Privacy Notice – City of York Council

Top of page

Unsolicited mail

You will not receive unsolicited paper or electronic mail as a result of sending us any information while using our website, unless you have given us permission to do this.

Top of page

Caldicott Guardians

A Caldicott Guardian is responsible for protecting the confidentiality of people’s health and care information, and making sure such data is used properly.

Top of page

Use of your NHS Number in Adult Social Care

If you're receiving support from adult social care then the NHS may share your NHS number with our adult social care services. This is so that the NHS and adult social care are using the same number to identify you whilst providing your care. By using the same number the NHS and adult social care can work together more closely to improve your care and support.

Your NHS number is accessed through an NHS service called the Personal Demographic Service (PDS). Adult social care sends basic information such as your name, address and date of birth to the PDS in order to find your NHS Number. Once retrieved from the PDS the NHS Number is stored in the council’s adult social care case management system. These data are retained in the adult social care system in line with the council’s record retention policies. These policies are in accordance with data protection legislation, government record retention regulations and best practice.

In terms of data protection legislation, for use of your NHS number in Adult Social Care, the council is both the 'data controller' and the 'data processor'.

The NHS Number then has 2 uses, the first being a unique identifier to allow social care information to be displayed in the council’s adult social care case management system, for the provision of direct care. We will also use this number in an integrated care record system across a number of support services including GPs, hospitals, community matrons, district nurses and social care practitioners.

We will share information only to provide health and social care professionals directly involved in your care access to the most up-to-date information about you and for analytical purposes to enable better services to be designed. It will do this by sharing appropriate information between health and social care services at the time of patient contact. Access to information is strictly controlled, based on the role of the professional. For example, social workers will only have access to information that is relevant to the execution of their care duties.

Our ICT security and confidentiality policies ensure that your information is protected, and available only to staff directly involved in your care.

The use of joined-up information across health and social care brings many benefits. One specific example where this will be the case is the discharge of patients into social care. Delays in discharge (commonly known as bed blocking) can occur because details of social care involvement are not readily available to the staff on the hospital ward. The hospital does not know who to contact to discuss the ongoing care of a patient. Linking of social care and health information via the NHS Number will help hospital staff quickly identify if social care support is already in place and who the most appropriate contact is. Ongoing care can be planned earlier in the process, because hospital staff will know who to talk to.

The addition of the NHS Number to social care data will bring additional benefits:

  • better coordinated and safer care across health and social care enabled through the sharing of real-time information
  • better coordination of discharges from hospital into social care, as explained above
  • more time to spend on planning and coordinating social care because health staff can identify and involve social care staff earlier in the process
  • earlier intervention to maximise the opportunities or reablement services leading to greater independence for patients
  • less paperwork and more efficient use of social care resources

You have the right to object to the processing of your NHS Number for social care purposes. This will not stop you from receiving care, but will result in the benefits outlined above not being realised. To help you decide, talk with your social worker or contact our Data Protection Officer to discuss how this may affect our ability to provide you with care, and any other options you have.

Top of page

Your rights in relation to this processing

You have a number of rights under data protection law.

You are not required to pay any charge for exercising your rights. We have one month to respond to you.

Your right to be informed

You have the right to be told how your information will be processed. This right applies whether or not you supply your information to us, or whether we obtain your information from a third party. We'll inform you how we're processing your information using privacy notices, to explain what we are doing with your information and why.

Your right of access

You have the right to ask us for copies of your personal information. Subject Access Request (SAR). This right always applies. There are some exemptions, which means you may not always receive all the information we process. You can read more about getting copies of your information.

Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. We'll always comply with a request for rectification, unless there is a legal reason why we can’t (for example, if the information held is for evidential purposes and was accurate at the time of collection). Where we can’t rectify your information we'll provide an explanation. Read more about your right to get your data corrected.

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances. This is sometimes referred to as the “right to be forgotten". We must legally erase any information where there is no compelling reason for us to be processing it. Where we cannot comply with a request to erase your information we'll provide an explanation. You can read more about your right to get your data deleted.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances. This right is similar to asking for your data to be erased, but in this instance, it means that we can only store/hold your information and can’t process it in any other way. For example:

  • where you have contested the accuracy of your information and processing is restricted until its accuracy is verified
  • where you have objected to processing and we are considering the legal implications of complying with your request
  • where we no longer require the information but you have specifically asked that we keep it to enable you to seek legal advice or for legal proceedings

Where we cannot comply with a request for restriction of processing because there is a legal reason not to, we'll provide an explanation. You can read more about your right to limit how organisations use your data.

Your right to object to processing

You have the right to object to certain types of processing of your personal data. If you object to the processing of your information and there is a legal reason why we cannot comply, we'll provide an explanation. You can read more about the right to object to the use of your data.

Your right to ask for your data to be sent to another organisation - data portability

There are some limited circumstances where you have the right to ask us to transfer your information to another organisation. However, to exercise this right the following criteria must apply:

  • you must have given your information to us directly
  • we must only be processing your data solely on the basis that you have given your consent or we are processing it to fulfil a contract (if we're processing your information to fulfil a public task, this right does not apply)
  • the processing of the data is carried out by automatic means (only by a computer system with no human intervention)

We do not believe that any type of processing that we carry out would fall within these criteria. However, we'll always comply with requests to provide your data where possible, and if we cannot, we'll provide an explanation. You can read more about your right to data portability.

Your right to object to automated decision-making - including profiling of you

Automated decision-making is purely carried out by a computer system with no human intervention. For example when you apply for credit, a computer system may decide that you're not eligible. We very rarely carry out automated decision-makings without any human intervention. However, where we have made an automated decision about you, you have the right to object to this. We'll tell you where we are making automated decisions about you. Right not to be subject to automated decision-making | ICO

Your right to raise a complaint with the Information Commissioner’s Officer (ICO)

You can complain to the ICO about how we have handled your information. How to make a data protection complaint to an organisation | ICO. In most cases, the ICO may expect you to have:

  • complained directly to us;
  • asked for clarification from us if you have had a response you don’t understand; and
  • followed up with us if you have not received a response after 30 days.

The ICO may not investigate where there has been an undue delay in bringing it to their attention and so you should raise your concerns or complaint with them as soon as possible. Contact the ICO.

If the ICO thinks we have not complied with our legal obligations they can give us advice and ask us to solve the problem. The ICO cannot award you compensation, their main aim is to improve the information rights practices of organisations.

There are some circumstances where other laws prevent us from complying with some of your rights and where this is the case, we'll provide an explanation.

You can find more information at For the public | ICO.

If you have any questions about this Privacy Notice, want to exercise your rights, or if you have a complaint about how your information has been used, contact us by email: information.governance@york.gov.uk, telephone: 01904 554145 or write to:

Data Protection Officer
City of York Council
West Offices
Station Rise
York
YO1 6GA

Top of page

Also see

Data Protection Officer

West Offices, Station Rise, York, YO1 6GA

Telephone: 01904 554145

Comment on this page