We regularly review this privacy notice, and it was last updated in October 2022.
City of York council (CYC) complies with data protection legislation and is the registered ‘Controller’. Our current data protection notification is registered with the Information Commissioner’s Office (ICO) – reference Z5809563.
The council collects and processes personal and special categories of personal data relating to its employees to manage the employment relationship including the contract of employment. The council is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.
View the privacy and transparency information for all of CYC.
- information the council collects
- why the council processes your personal data as an employee
- who has access to personal data
- how the council protects personal data
- transferring personal data abroad
- how long the council keeps personal data
- further processing
- your rights
- third parties
- if you do not provide personal data
Information the council collects
The council collects and processes a range of personal data and special category personal information about you. This includes:
- your name, address and contact details, including personal email address and personal telephone number, date of birth, gender and work-related photos (e.g. for your security pass, profile etc)
- information about your marital status, next of kin and emergency contacts
- details of your qualifications, professional memberships, skills, experience and employment history, including start and end dates, with previous employers and with the council
- the terms and conditions of your employment
- information about your remuneration, including entitlement to benefits such as pensions, salary sacrifice and tax information
- details of your bank account and national insurance number
- information about your nationality and entitlement to work in the UK
- information about your criminal record
- details of your days of work, working hours and attendance at work
- details of periods of leave taken by you, including holiday, sickness absence, family leave, compassionate leave and sabbaticals, and the reasons for the leave
- details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence
- assessments of your performance, including performance development reviews and performance ratings, training you have participated in, performance improvement plans and related correspondence
- information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments
- details of trade union subscriptions if paid via CYC payroll
- equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief
- information about whether you are a member of the armed forces community, are a care leaver, or a carer of dependents
- information about any conflict of interests
- information about any drug and alcohol referrals, testing and results
The council collects this information in a variety of ways. For example, data is collected through application forms, obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment; from correspondence with you; or through interviews, meetings or other assessments.
In some cases, the council collects personal data about you from third parties, such as references supplied by former employers, information from employment background check providers and information from criminal records checks permitted by law.
We also collect information from you in relation to sickness absence and any unplanned absences for reasons such as compassionate leave, dependent care leave through a third party (Medigold Health).
All staff are issued with a security pass that displays their name, job role and photograph. Staff pass details (names, employee number and photographs) are held on a standalone machine controlled by Gough and Kelly Ltd and Facilities Management and can only be accessed by a restricted number of people.
When you leave the council the details held for your security pass are deleted as soon as possible from this system.
All staff can upload a profile photo of themselves to the relevant council systems, this is useful at it enables staff to identify other work colleagues and introduces employees new to the council. You can find out how to edit and update this photo at Introducing Delve.
Data is stored in a range of different places in the council, including in your personnel file, in the council’s HR management systems and in other IT systems (including the council's email system) There is also information held in third party systems including Learning Pool Ltd (Training records), Health Management (Occupational Health referrals and reports) and Medigold Health (Sick absence and unplanned absence data).
See further details about how we define personal data and non-personal data.
Why the council processes your personal data as an employee
The council needs to use your personal data to enter into an employment contract with you and to meet its obligations under your employment contract. For example, it needs to process your data to provide you with an employment contract, to pay you in accordance with your employment contract and to administer pension entitlements.
The council needs to use your personal data to ensure that it is complying with its legal obligations. For example, it is required to check an employee's entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled.
For certain positions, it is necessary to carry out criminal records checks to ensure that individuals are permitted to undertake the role in question.
Examples of where the council will use your personal and special categories of personal data to meet legal obligations are to:
- run recruitment processes
- maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights
- operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace
- operate and keep a record of employee performance and related processes, to plan for workforce management purposes
- operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled
- obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled
- operate and keep a record of other types of leave (including maternity, paternity, compassionate, dependent care, adoption, parental and shared parental leave), to ensure that the council complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled
- ensure effective general HR and business administration;
- provide references on request for current or former employees
- respond to and defend against legal claims; and
- maintain and promote equality in the workplace
- maintain building security (staff security pass / photographic ID
- to contact you in the event of an emergency affecting the council or with other work related emergency information
We use your security pass photo or a photo you upload to your intranet profile/Delve as it is in the legitimate interest of the council to do this. It extremely useful for everyone you work with, especially now many of us are working from home, and especially for people who are new to the council to see your photo.
Where the council collects and processes special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief, for the purposes of equal opportunities monitoring, we will ask for your explicit consent for this.
You can withdraw your consent at any time by updating or removing your data held on your iTrent employee self-service account or by contacting the HR business centre. You are entirely free to decide whether or not to provide such data and there are no consequences of failing to do so.
Who has access to personal data
Your information will be shared internally with members of the Human Resources and Business Support department, your line manager, managers in the business area in which you work, finance and IT staff. Your data will be handled securely, strictly on a need to know basis only by those authorised specifically to do so.
Where needed the council will share your personal data with third parties for the purposes described in this privacy notice e.g., to obtain pre-employment references from other employers, in connection with payroll, the provision of benefits, management of unplanned absence, occupational health services and training providers.
Where needed, when a council employee is seconded to another organisation, we will only share the relevant personal data with the other organisation for the purposes of that secondment. You will need to look at the other organisation’s employee privacy notice for details of what they may do with your personal data.
We may be required or permitted, under data protection and privacy legislation to disclose your personal information without your explicit consent, e.g. if we have a legal obligation to do so, such as law enforcement, regulation and licensing, criminal prosecutions and court proceedings.
We only work with external partners where we are satisfied they take appropriate measures to protect your personal information and where required, put in place contractual obligations to ensure they can only use your personal information to provide services to us and to you.
How the council protects personal data
The council takes the security of your data seriously.
The council has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties.
You can find out more about information governance and ICT usage.
The council takes steps to ensure where we share your data with third parties that it is processed in compliance with data protection and privacy legislation e.g. UK GDPR, Data Protection Act 2018.
Transferring personal data abroad
We may process your personal data using services hosted outside the UK or European Economic Area, but only where there are safeguards in place e.g. a data processing agreement that complies with obligations equivalent to the principles of UK data protection legislation.
How long the council keeps personal data
The council will hold your personal data for the duration of your employment and then only keep it for as long as is necessary. We will then securely and confidentially destroy it.
At the end of the retention period, we may pass any relevant information to the City Archives where it is required or appropriate to do so.
If we wish to use your information for a new purpose, not covered by this privacy notice, we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions.
Where and whenever necessary, we will seek your prior consent to the new processing.
When we collect your personal data we'll tell you how we are going to use it. Where we process your personal data, you have a number of rights under data protection law.
To find out about your rights under Data Protection law, see the Information Commissioners Office (ICO).
You can also find information about your rights in Our Privacy Notice.
If you have any questions about this Privacy Notice, want to exercise your rights, or if you have a complaint about how your information has been used, please contact us by email: email@example.com or telephone: 01904 554145, or write to :
Data Protection Officer
City of York council
See further details of your rights relating to personal data.
The council does not pass or sell personal data to third parties for marketing, sales or any other commercial purposes.
If you do not provide personal data
You have some obligations under your employment contract to provide the organisation with data. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith.
You may also have to provide the organisation with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights.
Certain information, such as contact details, your right to work in the UK and payment details, have to be provided to enable the organisation to enter a contract of employment with you.
If you do not provide other information, this will hinder the organisation's ability to administer the rights and obligations arising as a result of the employment relationship efficiently and may impact on the continuation of an existing employment contract.
- Website terms and disclaimer
- Data Protection Policy Statement
- Accessibility statement
- Cookies policy
- Copyright statement