Privacy and coronavirus
Find out how the council and its partners are using your data during the coronavirus (COVID-19) emergency.
We regularly update our Privacy Notice; it was last updated in May 2020.
When we use your personal data, City of York Council complies with the Data Protection Act 2018, and is the registered ‘controller’. Our data protection notification is registered with the Information Commissioner’s Office (ICO), reference: Z5809563.
To make it clear how we collect and use your personal data, and to help you understand your rights, we've divided our Privacy Notice into the following areas:
- personal data
- collecting personal data
- using your personal data (including service privacy notices)
- retaining personal data
- transferring personal data abroad
- further processing of personal data
- your rights relating to personal data
- visiting our website and links to other websites
- online payments
- unsolicited mail
- third parties
- caldicott guardians
- use of your NHS Number in Adult Social Care
If you have questions about this privacy notice, want to exercise any of your legal rights, or you have a complaint about how your personal data has been used, email: email@example.com, telephone: 01904 554145 or write to:
Data Protection Officer
City of York Council
'Personal data' is any information that relates to an identifiable living person; whether they are identified directly or indirectly by reference to a name, identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
For the purposes of data protection legislation the term 'personal data' also includes:
- personal information that has been pseudonymised or key-coded (depending how difficult it is to attribute the pseudonym to an individual)
- genetic data and biometric data where processed to uniquely identify an individual ('sensitive personal data' or 'special categories of personal data')
Personal data doesn't include information relating to deceased people, groups or communities of people, organisations or businesses, nor to data relating to criminal convictions and offences.
However, similar safeguards apply to data processing in those fields.
Find out about the non-personal data we hold and process.
Collecting personal data
When we collect your personal data we will:
- ensure you know why we need it
- only ask for what is necessary for the service we're providing to you
- protect it and make sure nobody has access to it who shouldn’t
- ensure you know if you have a choice about giving us information
- make sure we don’t keep it for longer than is necessary
We ask that you give us accurate information, notify us of any mistakes, and tells us as soon as possible of any changes.
Using personal data
The amount and type of personal data we collect depends on why and how you're contacting or interacting with us, and the service you're requesting.
In some cases you may only need to provide your name and address to access services, in other instances we'll need more details or may require sensitive personal data or special categories of personal data. For example, if you're applying for public health or social services, we may need information about your health.
In many cases laws exists (such as the Local Government Acts and the Localism Act 2011) which say we must/can use your data, and we can do so without your consent or permission - for more information see Statutory duties placed on local government.
For some services we'll use your data under a contract. Where we do not directly provide a service, we may need to pass your personal data onto our contractors. These providers must keep your details safe and secure, and use them only to provide the service - see a list of contracts and companies we deal with.
We may be required or permitted, under data protection legislation, to disclose your personal data without your explicit consent. For example, if we have a legal obligation to do so, such as law enforcement, regulation and licensing, criminal prosecutions and court proceedings.
We must protect public funds and may use personal data and data-matching techniques to detect and prevent fraud, collect taxes and ensure public money is targeted and spent in the most appropriate and cost-effective way. To do this, your personal data may be shared with other bodies responsible for auditing or administering public funds, including the Department for Work and Pensions, HM Revenue and Customs, the Police and other local authorities.
All local authorities have a duty to improve the health of the population they serve. To help with us do this, our Public Health Team uses data and information from a range of sources, including data collected at the registration of a birth or death, to understand more about health and care needs in the York area.
We may monitor and record electronic communications (website, email and phone conversations) for a number of reasons, for example, records of conversations or detection, investigation and prevention of crime. We'll inform you if your call is being recorded or monitored.
We may use personal data to identify individuals who need additional support during emergencies or major incidents such as emergency evacuation, flooding.
We'll keep your personal data in accordance with our retention schedule requirements and when we no longer have a need to keep it, we will delete or destroy it securely - see our service privacy notices for more details.
Service privacy notices
Details of how our service areas use your personal data, and why, are available in the following service privacy notices:
- Asset and Property Management Privacy Notice
- Be Independent Privacy Notice
- Benefits Privacy Notice
- Blue Badge Privacy Notice
- Call Recording Privacy Notice
- CCTV Privacy Notice
- Change of Name Deed Privacy Notice
- City of York Council Health Trainers
- Click Before You Tip service Privacy Notice
- Communications Privacy Notice
- Community and Equalities Privacy Notice
- Coronavirus (COVID-19) Privacy Notice
- Coronavirus (COVID-19) Community Volunteer Privacy Notice
- Coronavirus (COVID-19) Extended Micro-Business Grant Privacy Notice
- Corporate Finance and Commercial Procurement Privacy Notice
- Council Tax and Business Rates Privacy Notice
- Customer Service Privacy Notice
- Cycle Track Gate Key Scheme Privacy Notice
- Democratic Services Privacy Notice
- Educational Psychology Privacy Notice
- Electoral Registration Privacy Notice
- Foster Care Recruitment Campaign Privacy Notice
- Free Access for National Sports People (FANS) Privacy Notice
- Governance Support and Development Service Privacy Notice
- Historic Environment Record Privacy Notice
- Housing Delivery Programme Privacy Notice
- Housing Services Privacy Notice
- Housing Standards and Adaptations Service Privacy Notice
- Income Services Privacy Notice
- Information Governance Customer Complaints and Feedback (IGCCF) Team Privacy Notice
- Learning and Work Advisors Privacy Notice
- Mental Health Recovery Service Privacy Notice
- Neighbourhood Planning Privacy Notice
- Park and Pedal Scheme Privacy Notice
- Parking Services Privacy Notice
- Public Health Privacy Notice
- Public Protection Privacy Notice
- Recruitment Privacy Notice
- School Admissions Privacy Notice
- School Wellbeing Service Privacy Notice
- Schools Privacy Notice
- Special Educational Needs Privacy Notice
- Specialist Careers Advice Service Privacy Notice
- Specialist Early Years Support Service Privacy Notice
- Web Services Privacy Notice
- Workforce Development Unit (WDU) Privacy Notice
- York Central Community Forum (YCCF) Privacy Notice
- York Drug and Alcohol Service (YDAS) Privacy Notice
- York Financial Assistance Scheme (YFAS) Privacy Notice
- York Register Office Privacy Notice
- Youth Offending Team Privacy Notice
Consultation and survey privacy notices
Our service areas may collect and use your personal data through a consultation or survey, in a way which is not covered by the relevant service privacy notice.
If they do they will notify you as part of the consultation or survey and we will publish the associated privacy notice on York Open Data:
Retaining personal data
At the end of any defined data retention period, we may pass any relevant information to the City Archives where it is required or appropriate to do so.
Transferring personal data abroad
We may process your personal data using services hosted outside the European Economic Area, but only where a data processing agreement is in place that complies with obligations equivalent to the principles of the Data Protection Act 2018.
However, for as long as the provisions of the Local Authorities and Police and Crime Panels (Coronavirus) (Flexibility of Local Authority and Police and Crime Panel Meetings) (England and Wales) Regulations 2020/392 remain in effect, we'll be hosting public virtual meetings and we are currently using Zoom Pro or Business version of Zoom to host meetings (version 5) for that purpose.
Where meetings are recorded, recordings will be kept locally on our server and will not be retained by Zoom.
Some personal data will be stored securely on Zoom’s system in the USA (that is, outside the EEA) in compliance with the EU, USA Privacy Shield Framework. This data may include a user's:
- email address
- telephone number where applicable
- IP address
- MAC address
- other device ID (UDID)
- device type
- operating system type and version
- client version
- type of camera, microphone or speakers
- connection type
Zoom does not sell personal data to third parties; collects only the personal data required to provide Zoom services; and retains that data only for so long as is necessary for the provision of those services.
Further processing of personal data
Before we use personal data for a new purpose (not covered by this privacy notice or any of our service privacy notices), we'll provide a new notice to set out the relevant purposes and processing conditions. Where and whenever necessary, we'll seek your prior consent to new processing.
Your rights relating to personal data
When we collect your personal data we'll tell you how we are going to use it. Where we process your personal data, you have a number of rights under data protection law.
The right to be informed
You have the right to be told how your personal data will be processed. This right applies whether or not you supply your personal data to us, or whether we obtain your data from a third party. We'll inform you how we're processing your data using privacy notices, to explain what we are doing with your personal data and why.
The right of access to your personal data
You have the right to request access to personal data held about you; this is also known as making a 'Subject Access Request' (SAR).
The right to rectification of your personal data
If your personal data is inaccurate or incomplete, you have the right to ask for this to be rectified. We'll always comply with a request for rectification, unless there is a legal reason why we can’t (for example, if the information held is for evidential purposes and was accurate at the time of collection). Where we can’t rectify your information we'll provide an explanation.
The right to have your personal data erased
You have the right to ask for any information held about you to be erased - sometimes referred to as the “right to be forgotten". We must legally erase any information where there is no compelling reason for us to be processing it. Where we cannot comply with a request to erase your information we'll provide an explanation.
The right to restrict the processing of your personal data
You have the right to ask for the processing of your personal data to be blocked or suppressed. This right is similar to asking for your data to be erased, but in this instance, it means that we can only store/hold your information and can’t process it in any other way. For example,
- where you have contested the accuracy of your information and processing is restricted until it’s accuracy is verified
- where you have objected to processing and we are considering the legal implications of complying with your request
- where we no longer require the information but you have specifically asked that we keep it to enable you to seek legal advice or for legal proceedings
Where we cannot comply with a request for restriction of processing because there is a legal reason not to, we'll provide an explanation.
The right to object to certain types of processing
You have the right to object to certain types of processing of your personal data. If you object to the processing of your information and there is a legal reason why we cannot comply we'll provide an explanation.
The right to ask for your data to be sent to another organisation - data portability
There are some limited circumstances where you have the right to ask us to transfer your personal data to another organisation. However, to exercise this right the following criteria must apply:
- you must have given your information to us directly
- we must only be processing your data solely on the basis that you have given your consent or we are processing it to fulfil a contract (if we're processing your information to fulfil a public task, this right does not apply)
- the processing of the data is carried out by automatic means (only by a computer system with no human intervention)
We do not believe that any type of processing that we carry out would fall within these criteria. However, we'll always comply with requests to provide your data where possible, and if we cannot we'll provide an explanation.
The right to object to automated decision making - including profiling of you
Automated decision making is purely carried out by a computer system with no human intervention. For example when you apply for credit, a computer system may decide that you're not eligible. We very rarely carry out automated decision makings without any human intervention. However, where we have made an automated decision about you, you have the right to object to this. We'll tell you where we are making automated decisions about you.
The right to raise a complaint with the Information Commissioner’s Officer
If you have a concern about the way we handle your personal data, contact the Information Commissioner's Office (ICO). If the ICO thinks we have not complied with legal obligations they can give us advice and ask us to solve the problem. The ICO cannot award you compensation, their main aim is to improve the information rights practices of organisations. The ICO will not usually investigate concerns where there has been an undue delay in bringing it to their attention and so you should raise your concerns with them within 3 months of your last contact with us about your concern.
There are some circumstances where other laws prevent us from complying with some of your rights and where this is the case, we'll provide an explanation.
Find out more about your legal rights from the Information Commissioners Office (ICO).
Exercise your legal rights
If you want to exercise any of your legal rights, or if you have a complaint about how your personal data has been used, email: firstname.lastname@example.org, telephone: 01904 554145 or write to:
Data Protection Officer
City of York Council
Visiting our website and links to other websites
Our website privacy notice does not cover external websites; we encourage you to read the privacy notices on any other websites you visit.
Our website also lists email addresses for external organisations (those addresses that don't contain 'york.gov.uk'); we cannot guarantee what will happen to your personal data if you email an external organisation.
By using our website you are consenting to certain types of cookie being placed on your device. See our Cookies Policy.
Where our website links to external resources or websites, these may add their own cookies. These are outside our control. Cookies can be disabled by changing the settings in your browser, but you may need to re-enter information at times.
The personal data you give to us when using our online payment system will only be used for the recording of your payment. We'll ensure that it is used for no other purpose and is not disclosed to a third party specifically other companies or individuals unless required to do so by law for the prevention of crime and the detection of fraud. We will hold it securely and only for as long as is needed. It will then be deleted in line with our retention and disposal policy and procedures.
Emails that we send to you or you send to us, may be retained as a record of contact and your email address stored for future use in accordance with our record retention schedules. If we need to email sensitive or confidential information to you, we may perform checks to verify the correct email address and may take additional security measures.
You will not receive unsolicited paper or electronic mail as a result of sending us any personal data while using our website, unless you have given us permission to do this.
We do not pass personal data to third parties for marketing, sales or any other commercial purposes without your prior explicit consent.
If we have to share your personal data externally, we require any third party to comply with the principles of data protection legislation, and our procedures and instructions, when they use your information on our behalf.
See details of our Caldicott Guardians, responsible for protecting the confidentiality of people’s health and care information, and making sure such data is used properly.
Use of your NHS Number in Adult Social Care
If you're receiving support from adult social care then the NHS may share your NHS number with our adult social care services. This is so that the NHS and adult social care are using the same number to identify you whilst providing your care. By using the same number the NHS and adult social care can work together more closely to improve your care and support.
Your NHS number is accessed through an NHS service called the Personal Demographic Service (PDS). Adult social care sends basic information such as your name, address and date of birth to the PDS in order to find your NHS Number. Once retrieved from the PDS the NHS Number is stored in the council’s adult social care case management system. These data are retained in the adult social care system in line with the council’s record retention policies. These policies are in accordance with the Data Protection Act 2018, Government record retention regulations and best practice.
In terms of the Data Protection Act 2018, for use of your NHS number in Adult Social Care, the council is both the “Controller” and the “Processor”.
The NHS Number then has two uses, the first being a unique identifier to allow social care information to be displayed in the council’s adult social care case management system, for the provision of direct care. We will also use this number in an integrated care record system across a number of support services including GP’s, hospitals, community matrons, district nurses and social care practitioners.
We will share information only to provide health and social care professionals directly involved in your care access to the most up-to-date information about you and for analytical purposes to enable better services to be designed. It will do this by sharing appropriate information between health and social care services at the time of patient contact. Access to information is strictly controlled, based on the role of the professional. For example, social workers will only have access to information that is relevant to the execution of their care duties.
Our ICT security and confidentiality policies ensure that your information is protected, and available only to staff directly involved in your care.
The use of joined up information across health and social care brings many benefits. One specific example where this will be the case is the discharge of patients into social care. Delays in discharge (commonly known as bed blocking) can occur because details of social care involvement are not readily available to the staff on the hospital ward. The hospital does not know who to contact to discuss the ongoing care of a patient. Linking of social care and health information via the NHS Number will help hospital staff quickly identify if social care support is already in place and who the most appropriate contact is. Ongoing care can be planned earlier in the process, because hospital staff will know who to talk to.
The addition of the NHS Number to social care data will bring additional benefits:
- better coordinated and safer care across health and social care enabled through the sharing of real-time information
- better coordination of discharges from hospital into social care, as explained above
- more time to spend on planning and coordinating social care because health staff can identify and involve social care staff earlier in the process
- earlier intervention to maximise the opportunities or re-ablement services leading to greater independence for patients
- less paperwork and more efficient use of social care resources
You have the right to object to the processing of your NHS Number for social care purposes. This will not stop you from receiving care, but will result in the benefits outlined above not being realised. To help you decide, talk with your social worker or contact our Data Protection Officer to discuss how this may affect our ability to provide you with care, and any other options you have.