City of York Council keep the Blue Badge Privacy Notice under review. It was last reviewed and updated in December 2019.
If you have any questions about this Privacy Notice contact the council’s Data Protection Officer.
View the Privacy and transparency information for all of the City of York Council (CYC).
- only ask you for the information that is necessary to provide you with the Blue Badge service
- store your information securely and ensure it is only accessed by employees who are authorised to do so
- make sure your information is not kept for longer than outlined in CYC ‘Blue Badge Data Retention Schedule’
- confidentially and securely destroy and delete your information when it is no longer needed
We require you to:
- provide accurate and up-to-date information
- inform us at your earliest convenience of any relevant changes/updates to the information previously provided
- inform us at your earliest convenience if there are any mistakes in the information you have provided, or in the information that has been sent to you
If you fail to provide the information we ask for, we may not be able to process your Blue Badge application or provide you with any relevant advice.
See further details about how we define personal data and non-personal data.
Using personal data
We'll collect and use your personal data in order to:
- process your application for a Blue Badge
- process the Blue Badge payment
- answer any appropriate questions relating to your application or use of a Blue Badge
- assess your application to see whether it meets one of the automatic qualifying criteria, or if a further assessment is required
- provide you with any relevant advice for the purposes set out in this Privacy Notice
- investigate any instances where a Blue Badge is allegedly being misused
We also use your personal data to create a secure record of your application on our Case Management System (CMS). Any paper applications will be transferred to an electronic record and then be destroyed after 3 months.
See further details about how we use your personal data.
Sharing personal data
Your information may be shared with the following companies in order to process your application:
- Department for Transport (DfT) - the central government directive responsible for the Blue Badge Scheme
- Northgate - the Blue Badge Case Management System, used for securely storing your Personal Data and processing Blue Badge applications
- Valtech - the company managing the Central Blue Badge register called ‘Manage Blue Badges’
- APS Group - the printer and distributer of Blue Badges
- Premier Physical Healthcare - IMA provider
- GOV.UK - the central government website which allows you to apply online
- Government Digital Service - used for sending email and SMS notifications and for processing online payments
We will also share your data with other Council services in order to protect the integrity of the Blue Badge service and to investigate any potential misuse of a Blue Badge where appropriate, including:
Sharing data under Data Protection legislation
We may be required or permitted, under data protection legislation, to disclose your personal data without your explicit consent, for example if we have a legal obligation to do so, such as for:
- law enforcement
- fraud investigations
- regulation and licensing
- criminal prosecutions
- court proceedings
We must protect public funds and may use personal data and data-matching techniques to detect and prevent fraud, collect taxes and ensure public money is targeted and spent in the most appropriate and cost-effective way. To do this, your personal data may be shared with other bodies responsible for auditing or administering public funds, including the Department for Work and Pensions, HM Revenue and Customs, the Police and other local authorities.
Retaining personal data
Your data will be stored electronically on our Case Management System (CMS), which has been procured from a company called Northgate.
The Blue Badge scheme is a central government directive owned by the DfT, however each Local Authority is responsible for holding the data for their customers. In order to securely manage the data, we process all Blue Badge applications on our CMS.
Although we manage each application through our CMS, the data is sent to us through the Central Badge Register called ‘Manage Blue Badges.’ The contract to manage this Register was awarded by the DfT to a company called Valtech.
Blue Badges will usually be issued for 3 years, but can be reapplied for and extended for a further period of time. Blue Badge information will only be destroyed once you no longer hold a valid badge.
When a badge has expired or has been cancelled, your data will be destroyed 24 months from the date the badge has expired. If a badge is cancelled due to alleged misuse, we must keep the information for 24 months in case this decision is appealed and ultimately revoked.
If an application has been refused, we will still keep your information for 12 months to allow for any appeals or subsequent applications to be considered accurately and effectively.
When we no longer have a need to keep your information, we will delete or destroy it securely.
Our Retention Schedule is based on best practice and business needs of all services, including our Fraud Team.
At the end of the retention period, we may pass any relevant information to the City Archives where it is required or appropriate to do so.
Further processing of personal data
If we wish to use your personal data for a new purpose, not covered by this Privacy Notice, then we'll provide you with a new notice.
The new notice will:
- explain this new use before we start the processing
- set out the relevant purposes and processing conditions
Where and whenever necessary, we'll seek your consent to the new processing, if we start to use your personal data for a purpose not mentioned in this Privacy Notice.
See further details about the further processing of personal data.
Your rights relating to personal data
When we collect your personal data we'll tell you how we are going to use it. Where we process your personal data, you have a number of rights under data protection law.