City of York Council Employees Privacy Notice

City of York Council's (CYC) current data protection notification is registered with the Information Commissioner’s Office (ICO) - reference Z5809563.

We regularly review this privacy notice, and it was last updated in December 2025.

CYC is committed to ensuring that information is handled in accordance with the principles set out in data protection legislation and guidance from the Information Commissioner’s Office (ICO).

This privacy notice tells you what to expect when we process your information.

CYC is the controller for the personal data we process, unless otherwise stated.

You can contact the council’s Data Protection Officer at:

Telephone: 01904 555719.

Email: information.governance@york.gov.uk.

This privacy notice should be read in conjunction with other relevant specific privacy notices that are available in our Privacy Notice.

When appropriate we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this privacy notice.

• How we collect your information
• What personal data we process and why
• If you do not provide your information
• Automated decision-making
• Collecting information automatically
• Children's information
• Lawful basis for processing your personal data
• How long we keep your personal data
• Data sharing
• Data processors and/or third parties
• Transfers of personal data
• How we protect your information
• Your rights in relation to this processing

How we collect your information

We get information about you from the following sources:

• directly from you, such as:
  • application forms
  • identification documents - for example passport, drivers licence
  • via interviews process, meeting, or other assessments
  • training records
  • when you choose to take part in staff surveys, consultation and events
• third parties, such as:
  • references supplied by former employers
  • background check providers
  • criminal records checks permitted by law
• from our commissioned partners or contractors who undertake work on our behalf, such as Medigold Health for
  • sickness absence
  • unplanned absences - for example compassionate leave, dependent care leave
  • occupational health referrals and assessments
  • physiotherapy referrals and assessments

We may use your information to create reports and statistics that are anonymous and cannot be linked back to you or individuals such as:

• for statistical analysis
• for statutory returns
• audit framework
• to see how the council and its partners are supporting individuals
• to help design better services
• to inform funding decisions

Top of page

What personal data we process and why

We only collect and process the personal data and special category data necessary for employment and related purposes. This may include:

• identification and contact details, such as your name, address, personal email address, personal telephone number, date of birth, marital status and photograph - for example for security pass or profile picture
• personal and emergency information, such as next of kin, and emergency contact details
• employment and professional details, such as qualifications, professional memberships, skills, experience, and employment history (including start and end dates with previous employers and the council), terms and conditions of your employment, working hours, attendance records, and leave details - for example holiday, sickness, family leave, compassionate leave, sabbaticals
• pay and benefits, such as remuneration details, pension entitlements, salary sacrifice arrangements, tax information, bank account details, and National Insurance number
• Right to Work, such as nationality and entitlement to work in the UK
• performance and development, such as performance reviews, ratings, training records, improvement plans, and related correspondence
• conduct and compliance such as records of disciplinary or grievance procedures, warnings, and related correspondence; information about any conflicts of interest.
• Equal Opportunities Monitoring, such as data on ethnic origin, sexual orientation, health, religion or belief, and whether you are a member of the armed forces community, a care leaver, or a carer of dependents
• health and wellbeing, such as medical or health conditions, including disabilities requiring reasonable adjustments
• information relating to drug and alcohol referrals, testing, and results
• other information, such as trade union subscription details (if paid via CYC payroll), your feedback, comments, and opinions if you choose to participate in staff surveys, consultations, or events

We will ask for your consent to

• take part in staff surveys, consultation or other events
• take photos, video and or audio recordings; you can find more information about how the council uses photos, videos and audio recordings in the Communications Team including photos, filming and recording Privacy Notice
• contact you to receive the council newsletter and communications to your personal email account

It is your responsibility to let us know if you want to withdraw your consent. You can do this at any time, by contacting us at newsdesk@york.gov.uk.

When we process information relating to criminal convictions and offences this includes details of any past criminal convictions or offences.

We use your information for:

• managing your employment contract:
  • enter into and fulfil your employment contract
  • pay you and administer pension entitlements
  • comply with legal obligations
  • verify your right to work in the UK
  • deduct tax and comply with health and safety laws
  • enable statutory leave entitlements
• managing recruitment and workforce:
  • run recruitment processes
  • maintain accurate employment records, including contractual terms
  • keep emergency contact details for business continuity
• maintaining employee relations and performance:
  • operate and record disciplinary and grievance procedures
  • monitor and record performance, training, and development
  • manage absence and ensure correct pay and benefits
• health and wellbeing:
  • obtain occupational health advice
  • comply with disability and health and safety obligations
  • manage leave types - for example maternity, paternity, adoption, parental, compassionate
• HR and administrative functions:
  • ensure effective HR and business administration
  • operate staff benefit schemes
  • administer trade union subscriptions (if paid via payroll)
  • provide employment references
• legal and compliance:
  • respond to and defend legal claims
  • maintain and promote workplace equality
  • publish pay data as required by the Local Government Transparency Code
• security and emergency contact:
  • maintain building security - for example staff passes, photo ID
  • contact you in emergencies affecting the council or for urgent work-related matters
• use of CCTV in Staff Areas:
  • CCTV may be in operation in staff areas for the purposes of detecting and deterring vandalism, crime prevention, and maintaining building security.
• Criminal Records Checks:
  • for positions exempt from the Rehabilitation of Offenders Act 1974, we carry out criminal records checks at appointment and periodically in line with CYC policy. This ensures individuals are permitted to undertake the role
• use of photos for identification:
  • we use your security pass photo or the photo you upload to your intranet profile as a legitimate interest of the council. This helps colleagues identify each other and introduces new employees, especially in remote working environments. You can edit, update, or delete your photo at Introducing Delve
• Equal Opportunities Monitoring
  • where we request information for equal opportunities monitoring (for example ethnic origin, sexual orientation, health, religion or belief), we will ask for your explicit consent. You can withdraw consent at any time by updating or removing your information in your iTrent self-service account or by contacting Payroll Services. Providing this data is entirely voluntary and has no consequences if you choose not to

Artificial Intelligence

We may use Artificial Intelligence (AI) technologies to support or enhance council services. Where AI is involved in a process that directly affects your interaction with us, we will inform you before your user journey begins. This ensures transparency and helps maintain trust in how we use AI.

Our use of AI complies with the UK General Data Protection Regulation (UK GDPR), including the principles of lawfulness, fairness, transparency, accountability, and accuracy. We conduct Data Protection Impact Assessments (DPIAs) where AI systems are likely to result in high risks to individuals’ rights and freedoms, such as automated decision-making or profiling.

If generative AI tools are used, we do not use personal or end-user data to train AI models. This helps ensure compliance with the purpose limitation and data minimisation principles under UK GDPR.

AI for Staff Productivity and Accessibility

Where AI tools are used solely by staff to assist with drafting, research, or accessibility - for example, to improve writing efficiency or summarise information - these uses do not form part of a business process that affects service delivery or decision-making. As such, no specific notification will be provided for these internal productivity uses.

These uses are considered low risk and do not involve automated decision-making that produces legal or similarly significant effects. They are also subject to internal governance and safeguards to ensure responsible use.

Examples include:

• drafting internal reports or meeting notes
• summarising lengthy documents for quicker review
• assisting with spelling, grammar, or formatting tasks

We may use your information to create reports and statistics that are anonymous and cannot be linked back to you or individuals such as:  

• for statistical analysis
• for statutory returns
• for audit frameworks
• to see how the council and its partners are supporting individuals
• to help design better services
• to inform funding decisions

Top of page

If you do not provide your information

You have some obligations under your employment contract to provide the council with information. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith.

You may also have to provide the council with information to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the information may mean that you are unable to exercise your statutory rights.

Certain information, such as contact details, your right to work in the UK, and payment details, must be provided to enable the organisation to enter a contract of employment with you.

If you do not provide other information, this will hinder the council’s ability to administer the rights and obligations arising as a result of the employment relationship efficiently and may impact on the continuation of an existing employment contract.

Top of page

Automated decision-making

We do not carry out any automated decision making without any human intervention in providing this service.

Top of page

Collecting information automatically

Please see our Cookies Policy for further information about the information we collect automatically when you use our website.

Top of page

Children’s information

Where we provide services directly to children or young people, the information in the relevant parts of this notice applies to children and young people, as well as adults.

Top of page

Lawful basis for processing your personal data

Any personal data, special category data and criminal offence data that we process about individuals is done so in accordance with one or more of the following Articles 6 and 9 and 10 of the UK GDPR and Schedule 1 of the Data Protection Act 2018 (DPA 2018).

Article 6(1):

• (a) Consent: the individual has given clear consent for the council to process their personal data for a specific purpose
• (b) Contract: the processing is necessary for a contract the council has with the individual, or because they have asked the council to take specific steps before entering into a contract
• (c) Legal obligation: the processing is necessary for the council to comply with the law (not including contractual obligations)
• (e) Public task: the processing is necessary for the council to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law
• (f) Legitimate interests: the processing is necessary for the council’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests (this cannot apply if you are a public authority processing data to perform your official tasks)

Article 9(2):

• (a) Explicit consent
• (b) Employment, social security and social protection (if authorised by law)
• (g) Reasons of substantial public interest (with a basis in law)
• (h) Health or social care (with a basis in law)
• (i) Public health (with a basis in law)

This is supported by Schedule1, Part 2 (6) of the Data Protection Act 2018 and the following legal framework:

• Equality Act 2010
• Employment Relations Act 1999
• Trade Union and Labour Relations (Consolidation) Act 1992
• The Health and Safety at Work Act 1974
• The Rehabilitation of Offenders Act (1974)
• Access to Medical Reports Act 1998

Where we process information relating to criminal convictions and offences, this is under Article 10 UK GDPR that covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences, or proceedings for an offence committed or alleged to have been committed, including sentencing.

Some of the Schedule 1 conditions for processing special category and criminal offence data require an Appropriate Policy Document (APD) to be in place, which sets out and explains the procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data. This document explains this processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018 and supplements this privacy notice.

Our Appropriate Policy Document provides further information about this processing.

Top of page

How long we keep your personal data

When you leave the council, the details held for your security pass are deleted as soon as possible from the system.

We will only keep your information for as long as it is needed then it will be securely and confidentially deleted or disposed of.

You can find details on how long the council keeps records in the council retention schedule.

Top of page

Data sharing

We will only share your information where it is appropriate to, with:

• other CYC services
• other councils, government departments and agencies
• other organisations such as NHS and the police
• third parties including our data processors, partners or contractors, who undertake work on our behalf
• internal and external auditors

Where needed, when a council employee is seconded to another organisation, we will only share the relevant information with the other organisation for the purposes of that secondment. You will need to look at the other organisation’s employee privacy notice for details of what they may do with your information.

In some circumstances, such as under a court order or safeguarding, we are legally obliged to share information. We may also share information about you with third parties including our data processors, government agencies and external auditors.

We will always satisfy ourselves that we have a lawful basis on which to share the information and document our decision making and satisfy ourselves we have a legal basis on which to share the information.

Additionally we are required under the Public Records Act 1958 (as amended) to transfer records to the City or National Archives (TNA) for permanent preservation. Full consideration will be given to Data Protection and Freedom of Information legislation when making decisions about whether such records should be open to the public.

Top of page

Data processors and/or third parties

When we have third parties providing parts or all of our services, systems, software, platforms, applications (apps) for us, we have contracts or agreements in place with them. These include:

• ACAS, supporting conciliation. You can find out how they use your information in the ACAS Privacy Notice
• AVC Wise Ltd, My Money Matters, for details of salary sacrifice payments, payroll deductions and loan amounts. You can find out how they use your information in the My Money Matters Privacy and Security Statement
• BSafe Health and Safety, for DSE assessments, accidents of near miss information. You can find out how they use your information in the North Yorkshire Council Privacy Notice
• Blackhawk Cycle Scheme, for details of salary sacrifice payments, payroll deductions and loan amounts. You can find out how they use your information in the Blackhawk Network Privacy Policy
• Civica, for online payments. You can find out how they use your information in the Civica Privacy Notice
• City of York Trading Ltd / Work With York. You can find out how they use your information in the City of York Trading Privacy Policy
• Disclosure Barring Service, and First Advantage (DBS provider), for outcome of DBS checks. You can find out how they use your information in the GOV.UK Privacy Notice
• Eventbrite, for arranging and organising events. You can find out how they use your information in the Eventbrite Privacy Policy
• Fideliti childcare salary sacrifice vouchers. You can find out how they use your information in the Fideliti Childcare Vouchers Privacy Policy
• Gough and Kelly Ltd, for example for photos and security pass information. You can find out how they use your information in the Gough and Kelly Privacy Policy
• Granicus/Gov Delivery, to send you updates and newsletters. You can find out how they use your information in the Granicus Privacy Policy
• Insytful. Insytful Privacy and Cookies
• KPI Machine. You can find out how they use your information in the York Open Data Privacy Notice
• Learning Pool, for training records. You can find out how they use your information in the Learning Pool Privacy Policy
• Matrix Booking, for desk booking records. You can find out how they use your information in the Matrix Booking Privacy Policy
• Me Learning. Me Learning Privacy and Cookie Policy
• Medigold Health, for example for occupational health referrals and reports, sickness absence and unplanned absence data. You can find out how they use your information in the Medigold Health Privacy Notice
• Mentimeter, at events for interactive presentation software. You can find out how they use your information in the Mentimeter Privacy Policy
• Microsoft 365, as our main operating system and platform. You can find out how they use your information in the Microsoft Privacy Statement, alongside our contract with Phoenix Software Limited
• Microsoft Forms, as part of MS365. You can find out how they use your information in the Microsoft Privacy Statement
• Microsoft Teams, to contact you, to gather information from you, or if we are recording or transcribing our discussion or meeting with you, we will let you know. You can find more details about this in the City of York Council Microsoft Office 365 (MS365) Teams Meeting recording and transcription privacy notice
• MidlandHR (iTrent), for payslips, salary and contract information, personal contact details. You can find out how they use your information in the MHR UK Privacy Policy
• NHS Fleet car scheme, for details of salary sacrifice payments, payroll deductions and loan amounts. You can find out how they use your information in the NHS Fleet Solutions Privacy and Cookie Notice
• North Yorkshire Human Resources, for schools
• North Yorkshire Pension Fund, NHS Pension, Teachers Pension, for pension schemes and contributions, additional voluntary contributions (AVC). You can find out how they use your information in the North Yorkshire Pension Fund Privacy Policy
• Paygate, for BACS payments and collections. You can find out how they use your information in the Paygate Privacy Statement
• Payroll Giving
• Prudential AVC
• Resilience Direct, for emergencies and business continuity. You can find out how they use your information on the Resilience Direct website
• SurveyMonkey, for our surveys or consultations. You can find out how they use your information in the SurveyMonkey Privacy Notice
• Trade Unions;
  • GMB Privacy Policy
  • Unison Privacy Policy
  • Unite Privacy Policy
• Veritau Public Sector Limited (VPS), who provides services to the council such as internal audits. You can find out how they use your information in the Veritau Privacy Policy
• Vivup, for details of salary sacrifice payments, payroll deductions and loan amounts. You can find out how they use your information in the Vivup Privacy Policy
• WhatsApp, to contact you. You can find out how they use your information in the WhatsApp Privacy Policy
• YouTube, where we provide information in British Sign Language via the City of York Council YouTube channel, please read YouTube Privacy Settings and Google Privacy Policies
• Zengenti. Zengenti Privacy Policy
• Zimma Ltd, trading as Ticket Tailor, for arranging and organising events. You can find out how they use your information in the Ticket Tailor Privacy Policy
• organisations to support the council's corporate transformation programme, such as Impower. You can find out how they use your information in the Impower Privacy Policy
• other specialist or assistive systems, software, platforms, applications (apps), to help provide our services and support to you and our staff

Top of page

Transfers of personal data

We don’t routinely transfer personal data outside of the UK but when this is necessary we ensure that we have appropriate safeguards in place and that is done in accordance with the UK data protection and privacy legislation.

Top of page

How we protect your information

We store your information in a range of different places including in:

• your personnel file
• the council’s HR management systems
• other IT systems, for example on the council's secure network, email system

We're committed to keeping your information safe and secure. There are several ways we do this, such as:

• IT security safeguards such as firewalls, encryption, and anti-virus software
• on-site security safeguards to protect physical files and electronic equipment
• training for all staff and elected councillors
• policies and procedures on our Intranet, and our corporate website

Top of page

Your rights in relation to this processing

To find out about your rights under data protection law, you can go to the Information Commissioner's Office website.

You can also find information about your rights in our Privacy Notice.

If you have any questions about this privacy notice, want to exercise your rights, or if you have a complaint about how your information has been used, please contact us on email: information.governance@york.gov.uk, or on telephone: 01904 555719, or write to:

Top of page

Also see

• Website terms and disclaimer
• Data Protection Policy Statement
• Accessibility statement
• Cookies policy
• Copyright statement