City of York Council Employees Privacy Notice

City of York Council (CYC) complies with the UK General Data Protection Regulations (UK GDPR) and the Data Protection Act 2018, and is registered with the Information Commissioner’s Office (ICO), reference: Z5809563.

We updated this privacy notice in January 2024 and we will keep it under regular review.

CYC is committed to ensuring that information is handled in accordance with the principles set out in data protection legislation and guidance from the Information Commissioner’s Office (ICO).

This Privacy Notice explains how and why we process your information, under Part 3 of the Data Protection Act 2018 for law enforcement purposes and the steps we take to keep your information safe.

CYC is the controller for the personal data we process, unless otherwise stated. You can contact the council’s Data Protection Officer at:

West Offices
Station Rise

Telephone: 01904 554145.


You can find more information about the role of the Data Protection Officer in our Data Protection Policy Statement.

This privacy notice should be read in conjunction with other relevant specific privacy notices that are available in our Privacy Notice.

When appropriate we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this privacy notice.

How we collect your information

We get information about you from the following sources:

  • directly from you such as
    • application forms
    • identification documents, for example passport, driver's licence etc.
    • via the interview process, meetings, or other assessments
    • training records
  • third parties such as
    • references supplied by former employers
    • background check providers
    • criminal records checks permitted by law
  • Medigold Health such as
    • sickness absence
    • unplanned absences for example: compassionate leave, dependent care leave etc.
    • occupational health referrals and assessments
    • physiotherapy referrals and assessments

What personal data we process and why

We process the following personal data and special categories of personal data:

  • your name, address and contact details, including personal email address and personal telephone number, date of birth, gender, and work-related photos (e.g., for your security pass, profile etc)
  • information about your marital status, next of kin and emergency contacts
  • details of your qualifications, professional memberships, skills, experience, and employment history, including start and end dates, with previous employers and with the council
  • the terms and conditions of your employment
  • information about your remuneration, including entitlement to benefits such as pensions, salary sacrifice and tax information
  • details of your bank account and national insurance number
  • information about your nationality and entitlement to work in the UK
  • details of your days of work, working hours and attendance at work
  • details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence
  • assessments of your performance, including performance development reviews and performance ratings, training you have participated in, performance improvement plans and related correspondence
  • details of trade union subscriptions if paid via CYC payroll
  • equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief
  • information about whether you are a member of the armed forces community, are a care leaver, or a carer of dependents
  • information about any conflict of interests
  • information about medical or health conditions, including whether you have a disability for which the organisation needs to make reasonable adjustments
  • details of periods of leave taken by you, including holiday, sickness absence, family leave, compassionate leave and sabbaticals, and the reasons for the leave
  • information about any drug and alcohol referrals, testing and results
  • where required or appropriate, information about criminal convictions and offences including details of any past criminal convictions or offences
  • your comments, views and feedback as part of staff surveys

The council needs to use your information to

  • enter into an employment contract with you and to meet its obligations under your employment contract. For example, it needs to process your information to provide you with an employment contract, to pay you in accordance with your employment contract and to administer pension entitlements.
  • ensure that it is complying with its legal obligations. For example, it is required to check an employee's entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled.
  • run recruitment processes
  • maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights
  • operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace
  • operate and keep a record of employee performance and related processes, to plan for workforce management purposes
  • operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled
  • obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled
  • operate and keep a record of other types of leave (including maternity, paternity, compassionate, dependent care, adoption, parental and shared parental leave), to ensure that the council complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled
  • ensure effective general HR and business administration
  • provide references on request for current or former employees
  • respond to and defend against legal claims
  • maintain and promote equality in the workplace
  • maintain building security (staff security pass / photographic ID)
  • contact you in the event of an emergency affecting the council or with other work-related emergency information
  • contact you where you have consented to receive the council newsletter and communications to your personal email account
  • publish pay data as required by the Local Government Transparency Code, which can be found at the Organisation Chart on York Open Data

For positions that are exempt from the Rehabilitation of Offenders Act (ROA) 1974, it is necessary to carry out criminal records checks on appointment and intermittently in line with CYC policy to ensure that individuals are permitted to undertake the role in question.

We use your security pass photo or a photo you upload to your intranet profile/Delve as it is in the legitimate interest of the council to do this. This is because it is extremely useful for everyone you work with, as it enables staff to identify other work colleagues and introduces employees new to the council, especially now that many of us are working from home. You can find out how to edit, update or delete this photo at Introducing Delve.

Where the council conducts staff surveys, there will be a privacy notice provided for it.

Where the council asks for your information for the purposes of equal opportunities monitoring (e.g., ethnic origin, sexual orientation, health, or religion or belief), we will ask for your explicit consent for this. You can withdraw your consent at any time by updating or removing your information held on your iTrent employee self-service account or by contacting the payroll services. You are entirely free to decide whether to provide such data and there are no consequences of failing to do so.

If you do not provide your information

You have some obligations under your employment contract to provide the council with information. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith.

You may also have to provide the council with information to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the information may mean that you are unable to exercise your statutory rights.

Certain information, such as contact details, your right to work in the UK and payment details, must be provided to enable the organisation to enter a contract of employment with you.

If you do not provide other information, this will hinder the council’s ability to administer the rights and obligations arising as a result of the employment relationship efficiently and may impact on the continuation of an existing employment contract.

Automated decision-making

There is no automated decision-making in the processing of your information as set out in this privacy notice.

Collecting information automatically

Please see our Cookies Policy for further information about the information we collect automatically when you use our website.

Children’s information

Where we provide services directly to children or young people, the information in the relevant parts of this notice applies to children and young people, as well as adults.

Lawful basis for processing your personal data

Any processing of information about individuals is done in accordance with Articles 6, 9 and 10 of the UK GDPR and Schedule 1 of the Data Protection Act 2018 (DPA 2018).

The legal bases are one or more of the following:

  • Article 6(1)(a) Consent: you have given clear consent for us to process your personal data for a specific purpose
  • Article 6(1)(b) Contract: the processing is necessary for a contract the council has with you, or because you have asked us to take specific steps before entering into a contract.
  • Article 6(1)(c) Legal obligation: the processing is necessary for the council to comply with the law (not including contractual obligations)
  • Article 6(1)(d) Vital interests: the processing is necessary to protect someone’s life
  • Article 6(1)(e) Public task: the processing is necessary for the council to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law
  • Article 6(1)(f) Legitimate interests: the processing is necessary for the council’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect your personal data which overrides those legitimate interests. (This does not apply where the council is processing data to perform official tasks)
  • Article 9(2)(a) Explicit consent
  • Article 9(2)(b) Employment, social security and social protection (if authorised by law)
  • Article 9(2)(c) Vital interests
  • Article 9(2)(e) Made public by the data subject
  • Article 9(2)(f) Legal claims or judicial acts
  • Article 9(2)(g) Reasons of substantial public interest (with a basis in law)
  • Article 9(2)(h) Health or social care (with a basis in law)
  • Article 9(2)(i) Public health (with a basis in law)
  • Article 9(2)(j) Archiving, research, and statistics (with a basis in law)

This is supported by Schedule 1, Part 2 (6) of the Data Protection Act 2018 and legal frameworks such as:

  • Equality Act 2010
  • Employment Relations Act 1999
  • Trade Union and Labour Relations (Consolidation) Act 1992
  • The Health and Safety at Work Act 1974
  • The Rehabilitation of Offenders Act (1974)
  • Access to Medical Reports Act 1998

Where we process information relating to criminal convictions and offences, this is also under Article 10 UK GDPR that covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences, or proceedings for an offence committed or alleged to have been committed, including sentencing.

Some of the Schedule 1 conditions for processing special category and criminal offence data require an Appropriate Policy Document (APD) to be in place, which sets out and explains the procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data. This document explains this processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018 and supplements this privacy notice.

Our Appropriate Policy Document provides further information about this processing.

How long we keep your personal data

The council will hold your information for as long as is necessary and then securely and confidentially destroy it. You can find more details in the document retention schedule available on our HR Intranet page.

When you leave the council, the details held for your security pass are deleted as soon as possible from the system.

Data sharing

Your information will be shared internally with members of the Human Resources and Business Support department, your line manager, managers in the business area in which you work, finance and IT staff.

Where needed the council will share your personal data with third parties for the purposes described in this privacy notice e.g., to obtain pre-employment references from other employers, in connection with payroll, the provision of benefits, management of unplanned absence, occupational health services and training providers.

Where needed, when a council employee is seconded to another organisation, we will only share the relevant personal data with the other organisation for the purposes of that secondment. You will need to look at the other organisation’s employee privacy notice for details of what they may do with your personal data.

In some circumstances, such as under a court order or safeguarding, we are legally obliged to share information. We may also share information about you with third parties including our data processors, government agencies and external auditors. For example, we may share information about you with HMRC for the purpose of collecting tax and national insurance contributions.

We will always satisfy ourselves that we have a lawful basis on which to share the information, and we will document our decision-making.

Additionally, we are required under the Public Records Act 1958 (as amended) to transfer records to the City or National Archives (TNA) for permanent preservation. Full consideration will be given to Data Protection and Freedom of Information legislation when making decisions about whether such records should be open to the public.

Data processors and/or third parties

Where we have third parties providing parts or all of our services for us, we have contracts or agreements in place with them, including for processing your information. These third parties include:

  • Gough and Kelly Ltd, for example photos, security pass information
  • Medigold Health, for example occupational health referrals and reports, sick absence and unplanned absence data
  • Learning Pool, for example training records
  • City of York Trading Ltd/Work with York
  • Matrix Booking, for example desk booking records
  • MidlandHR (iTrent), for example payslips, salary and contract information, personal contact details
  • North Yorkshire Council Health and Safety / BSafe, for example DSE assessments, accidents or near miss information
  • North Yorkshire Human Resources (Schools)
  • Disclosure Barring Service and First Advantage (DBS provider), for example outcome of DBS check
  • Granicus Full Marketing Platform for Government | govDelivery by Granicus
  • ACAS supporting conciliation
  • KPI Machine/Open Data
  • North Yorkshire Pension Fund, NHS Pension, Teachers Pension, for example pension schemes and contributions, additional voluntary contributions
  • Prudential (AVC)
  • Vivup, for example details of salary sacrifice payments, payroll deductions and loan amounts
  • AVC Wise, for example details of salary sacrifice payments, payroll deductions and loan amounts
  • NHS Fleet (Car scheme), for example details of salary sacrifice payments, payroll deductions and loan amounts
  • BlackHawk (Cycle scheme), for example details of salary sacrifice payments, payroll deductions and loan amounts
  • Payroll Giving
  • Fidelity childcare salary sacrifice / vouchers

Transfers of personal data

We don’t routinely transfer personal data outside of the UK, but when this is necessary we ensure that we have appropriate safeguards in place and that it is done in accordance with UK data protection and privacy legislation.

How we protect your information

We store your information in a range of different places including in

  • your personnel file
  • the council’s HR management systems
  • other IT systems, for example on the council's secure network, email system

We are committed to keeping your information safe and secure. There are several ways we do this, such as:

  • IT security safeguards such as firewalls, encryption, and anti-virus software
  • on-site security safeguards to protect physical files and electronic equipment
  • training for all staff and elected councillors
  • policies and procedures on our Intranet

Your rights in relation to this processing

To find out about your rights under data protection law, you can go to the Information Commissioner's Office website.

You can also find information about your rights in our Privacy Notice.

If you have any questions about this privacy notice, want to exercise your rights, or if you have a complaint about how your information has been used, please contact us on email:, or on telephone: 01904 554145, or write to:

Data Protection Officer
City of York Council
West Offices
Station Rise
York YO1 6GA
