City of York Council (CYC) current data protection notification is registered with the Information Commissioner’s Office (ICO) - reference Z5809563. We regularly review this privacy notice, and it was last updated in October 2023.
CYC is committed to ensuring that personal data is handled in accordance with the principles set out in data protection legislation and guidance from the Information Commissioner’s Office (ICO).
This privacy notice tells you what to expect when we collect personal information about you.
CYC is the controller for this information unless we specifically state otherwise.
You can contact the council’s Data Protection Officer on email: firstname.lastname@example.org, or telephone: 01904 554145, or write to:Data Protection Officer
City of York Council
This privacy notice should be read in conjunction with other relevant CYC privacy notices and/or policies and procedures.
When appropriate we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this document.
- How we collect your information
- What personal data we process and why
- Automated decision-making
- Collecting information automatically
- Children's information
- Lawful basis for processing your personal data
- How long we keep your personal data
- Data sharing
- Data processors and or third parties
- Transfers of personal data
- How we protect your information
- Your rights in relation to this processing
How we collect your information
What personal data we process and why
The amount and type of personal data we process depends on why and how you're contacting or interacting with us, and the service you're requesting. You can find more details about this in our Service Privacy Notices.
In some cases you may only need to provide your name and address to access services, in other instances we'll need more details or may require sensitive personal data or special categories of personal data. For example, if you're applying for public health or social services, we may need information about your health.
Where we process data relating to criminal convictions and offences, this includes details of any past criminal convictions or offences.
We may monitor and record electronic communications (website, email and phone conversations) for a number of reasons, for example, records of conversations or detection, investigation and prevention of crime. We'll inform you if your call is being recorded or monitored.
Where we use platforms, systems or apps such as Microsoft365, Attend Anywhere or Zoom and others, to contact you, hold meetings, training sessions and more, we'll let you know. You can find out more about these either in this privacy notice or in the specific privacy notices for the platform, system or app being used.
We may use personal data to identify individuals who need additional support during emergencies or major incidents such as emergency evacuation, flooding.
All local authorities have a duty to improve the health of the population they serve. To help with us do this, our Public Health Team uses data and information from a range of sources, including data collected at the registration of a birth or death, to understand more about health and care needs in the York area.
Where we carry out automated decision-makings without any human intervention, you have the right to object to this.
Collecting information automatically
Please see our cookies policy for further information about the information we collect automatically when you use our website.
Where we provide services directly to children or young people, the information in the relevant parts of this notice applies to children and young people, as well as adults.
Lawful basis for processing your personal data
Any personal data including special category data and criminal offence data that we process about individuals is done so in accordance with Article 6, 9 and 10 of the UK GDPR, and Schedule 1 of the Data Protection Act 2018 (DPA 2018) and will be set out in the relevant Service Privacy Notice.
In many cases laws exists (such as the Local Government Acts and the Localism Act 2011) which say we must/can use your data, and we can do so without your consent or permission - for more information see Statutory duties placed on local government.
Where we process personal data relating to criminal convictions and offences, this is also under Article 10 UK GDPR that covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences, or proceedings for an offence committed or alleged to have been committed, including sentencing.
Some of the Schedule 1 conditions for processing special category and criminal offence data require an Appropriate Policy Document (APD) to be in place, which sets out and explains the procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data. This document explains this processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018 and supplements this privacy notice.
Our Appropriate Policy Document provides further information about this processing.
How long we keep your personal data
We'll keep your information for as long as it is needed and in accordance with our retention schedule requirements and when we no longer have a need to keep it, we will delete or destroy it securely - see our Service Privacy Notices for more details.
In some circumstances, such as under a court order or safeguarding, we are legally obliged to share information. We may also share information about you with third parties including our data processors, government agencies and external auditors. For example, law enforcement, regulation and licensing, criminal prosecutions and court proceedings.
We will always satisfy ourselves that we have a lawful basis on which to share the information and document our decision-making and satisfy ourselves we have a legal basis on which to share the information.
We must protect public funds and may use personal data and data-matching techniques to detect and prevent fraud, collect taxes and ensure public money is targeted and spent in the most appropriate and cost-effective way. To do this, your personal data may be shared with other bodies responsible for auditing or administering public funds, including the Department for Work and Pensions, HM Revenue and Customs, the Police and other local authorities.
Additionally, we are required under the Public Records Act 1958 (as amended) to transfer records to the City or National Archives (TNA) for permanent preservation. Full consideration will be given to Data Protection and Freedom of Information legislation when making decisions about whether such records should be open to the public.
Data processors and or third parties
Where we have third parties providing parts or all of our services for us, we have contracts or agreements in place with them. See a list of contracts and companies we deal with.
Transfers of personal data
We do not routinely transfer personal data outside of the UK but when this is necessary, we ensure that we have appropriate safeguards in place and that is done in accordance with the UK data protection and privacy legislation.
We may use Zoom Pro or Business version of Zoom (version 5) to host some public facing meetings, training sessions etc across different services in the council. Where these meetings are recorded, recordings will be kept locally on our server and will not be retained by Zoom.
Some personal data will be stored securely on Zoom’s system in the USA (that is, outside the EEA) in compliance with the EU, USA Privacy Shield Framework. This data may include a user's:
- email address
- telephone number where applicable
- IP address
- MAC address
- other device ID (UDID)
- device type
- operating system type and version
- client version
- type of camera, microphone or speakers
- connection type
Zoom does not sell personal data to third parties; collects only the personal data required to provide Zoom services; and retains that data only for so long as is necessary for the provision of those services.
How we protect your information
We are committed to keeping your information safe and secure. There are several ways we do this, such as:
- IT security safeguards such as firewalls, encryption, and anti-virus software
- on-site security safeguards to protect physical files and electronic equipment
- training for all staff and elected councillors
- policies and procedures
Your rights in relation to this processing
You have a number of rights under data protection law.
The right to be informed
You have the right to be told how your personal data will be processed. This right applies whether or not you supply your personal data to us, or whether we obtain your data from a third party. We'll inform you how we're processing your data using privacy notices, to explain what we are doing with your personal data and why.
The right of access to your personal data
You have the right to request access to personal data held about you; this is also known as making a Subject Access Request (SAR).
The right to rectification of your personal data
If your personal data is inaccurate or incomplete, you have the right to ask for this to be rectified. We'll always comply with a request for rectification, unless there is a legal reason why we can’t (for example, if the information held is for evidential purposes and was accurate at the time of collection). Where we can’t rectify your information we'll provide an explanation.
The right to have your personal data erased
You have the right to ask for any information held about you to be erased - sometimes referred to as the “right to be forgotten". We must legally erase any information where there is no compelling reason for us to be processing it. Where we cannot comply with a request to erase your information we'll provide an explanation.
The right to restrict the processing of your personal data
You have the right to ask for the processing of your personal data to be blocked or suppressed. This right is similar to asking for your data to be erased, but in this instance, it means that we can only store/hold your information and can’t process it in any other way. For example:
- where you have contested the accuracy of your information and processing is restricted until its accuracy is verified
- where you have objected to processing and we are considering the legal implications of complying with your request
- where we no longer require the information but you have specifically asked that we keep it to enable you to seek legal advice or for legal proceedings
Where we cannot comply with a request for restriction of processing because there is a legal reason not to, we'll provide an explanation.
The right to object to certain types of processing
You have the right to object to certain types of processing of your personal data. If you object to the processing of your information and there is a legal reason why we cannot comply, we'll provide an explanation.
The right to ask for your data to be sent to another organisation - data portability
There are some limited circumstances where you have the right to ask us to transfer your personal data to another organisation. However, to exercise this right the following criteria must apply:
- you must have given your information to us directly
- we must only be processing your data solely on the basis that you have given your consent or we are processing it to fulfil a contract (if we're processing your information to fulfil a public task, this right does not apply)
- the processing of the data is carried out by automatic means (only by a computer system with no human intervention)
We do not believe that any type of processing that we carry out would fall within these criteria. However, we'll always comply with requests to provide your data where possible, and if we cannot, we'll provide an explanation.
The right to object to automated decision-making - including profiling of you
Automated decision-making is purely carried out by a computer system with no human intervention. For example when you apply for credit, a computer system may decide that you're not eligible. We very rarely carry out automated decision-makings without any human intervention. However, where we have made an automated decision about you, you have the right to object to this. We'll tell you where we are making automated decisions about you.
The right to raise a complaint with the Information Commissioner’s Officer
If you have a concern about the way we handle your personal data, contact the Information Commissioner's Office (ICO). If the ICO thinks we have not complied with legal obligations they can give us advice and ask us to solve the problem. The ICO cannot award you compensation, their main aim is to improve the information rights practices of organisations. The ICO will not usually investigate concerns where there has been an undue delay in bringing it to their attention and so you should raise your concerns with them within 3 months of your last contact with us about your concern.
There are some circumstances where other laws prevent us from complying with some of your rights and where this is the case, we'll provide an explanation.
If you want to exercise any of your legal rights, or if you have a complaint about how your personal data has been used, email: email@example.com, telephone: 01904 554145 or write to:Data Protection Officer
City of York Council