City Of York Council Law Enforcement Processing Privacy Notice

City of York Council (CYC) complies with the UK General Data Protection Regulations (UK GDPR) and the Data Protection Act 2018, and is registered with the Information Commissioner’s Office (ICO), reference: Z5809563.

We regularly review this privacy notice, and it was last updated in February 2026.

CYC is committed to ensuring that your information is handled in accordance with the principles set out in data protection legislation and guidance from the Information Commissioner’s Office (ICO).

This Privacy Notice explains how and why we process your information, under Part 3 of the Data Protection Act 2018 for law enforcement purposes and the steps we take to keep your information safe.

CYC is the controller for this information unless we specifically state otherwise in this privacy notice.

You can contact the council’s Data Protection Officer at:

Telephone: 01904 555719.

Email: information.governance@york.gov.uk.

This privacy notice should be read in conjunction with other CYC privacy notices that are available in our Privacy Notice and/or other CYC policies and procedures.

When appropriate we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this privacy notice.

• How we collect your information
• What personal data we process and why
• Automated decision-making
• Collecting information automatically
• Children's information
• Lawful basis for processing your personal data
• How long we keep your personal data
• Data sharing
• Data processors and/or third parties
• Transfers of personal data
• How we protect your information
• Your rights in relation to this processing

How we get your information

We get information about you from one or more of the following sources:

• directly from you
• from third parties acting on your behalf such as family member(s), advocates, councillors, MPs and others
• from our commissioned partners or contractors who undertake work on our behalf
• from other organisations such as
  • other law enforcement agencies and local authorities
  • emergency services such as Police, Fire Service, National Health Service or Ambulance
  • HM Revenue and Customs
  • licensing authorities
  • legal representatives
  • other prosecuting authorities such as solicitors, courts
  • partner agencies involved in crime and disorder strategies
  • private sector organisations working with or for us on anti-crime strategies
  • voluntary sector organisations
  • suspected or known perpetrators of offences and relatives, guardians or other persons associated with the individual victims
  • witnesses
  • City Of York Council CCTV systems and body worn video
  • correspondence sent to us, including anonymous reports and concerns

We may also obtain details from the council’s own information systems, this may include ‘general data’ processed for purposes under Part 2 of the Data Protection Act 2018.

Top of page

What personal data we process and why

We will only process the information that is neccesary such ad:

• your name and address
• employment details
• financial details
• racial or ethnic origin
• religious or other beliefs of a similar nature
• physical or mental health condition
• sexual life
• offences and alleged offences
• criminal proceedings
• outcomes and sentences
• cautions
• physical identifiers
• photograph
• sound and visual images
• criminal intelligence
• information relating to safety
• incidents and accident details

At this time, we do not process any DNA, fingerprints, other genetic samples, or facial recognition data for law enforcement purposes.

We are responsible for delivering a wide range of public services and functions. This includes a number of law enforcement functions associated with:

• Trading Standards
• Environmental Enforcement
• Youth Justice Service
• Children’s Services (for example non-attendance at school; child employment; child performance)
• Planning
• Highways
• Health and Safety

When you complete an online form on the council's website and you have provided your email address, we will send you a copy of your completed online form.

Use of Artificial Intelligence (AI)

We may use Artificial Intelligence (AI) technologies to support or enhance council services. Where AI is involved in a process that directly affects your interaction with us, we will inform you before your user journey begins. This ensures transparency and helps maintain trust in how we use AI.

Our use of AI complies with the UK General Data Protection Regulation (UK GDPR), including the principles of lawfulness, fairness, transparency, accountability, and accuracy. We conduct Data Protection Impact Assessments (DPIAs) where AI systems are likely to result in high risks to individuals’ rights and freedoms, such as automated decision-making or profiling.

If generative AI tools are used, we do not use personal or end-user data to train AI models. This helps ensure compliance with the purpose limitation and data minimisation principles under UK GDPR.

AI for Staff Productivity and Accessibility

Where AI tools are used solely by staff to assist with drafting, research, or accessibility - for example, to improve writing efficiency or summarise information - these uses do not form part of a business process that affects service delivery or decision-making. As such, no specific notification will be provided for these internal productivity uses.

These uses are considered low-risk and do not involve automated decision-making that produces legal or similarly significant effects. They are also subject to internal governance and safeguards to ensure responsible use.

Examples include:

• Drafting internal reports or meeting notes
• Summarising lengthy documents for quicker review
• Assisting with spelling, grammar, or formatting tasks

We may use your information to create reports and statistics that are anonymous and cannot be linked back to you or individuals such as:  

• for statistical analysis
• for statutory returns
• for audit frameworks
• to see how the council and its partners are supporting individuals
• to help design better services
• to inform funding decisions

Top of page

Automated decision-making

We do not carry out any automated decision-making without any human intervention in providing this service.

Top of page

Collecting information automatically

Please see our Cookies Policy for further information about the information we collect automatically when you use our website.

Top of page

Children’s information

Where we provide services directly to children or young people, the information in the relevant parts of this notice applies to children and young people, as well as adults.

Top of page

Lawful basis for processing your personal data

The processing of data for law enforcement purposes can only be done by an organisation which is considered as a ‘competent authority’.

Law enforcement purposes are ‘the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security’.

The description of a ‘competent authority’ is laid down in data protection law, and includes but is not limited to, organisations such as police forces, the Financial Conduct Authority, and the Information Commissioner. (Data Protection Act 2018, Schedule 7).

Guidance on how organisations should process data for 'law enforcement purposes' can be found on the Information Commissioner's Office (ICO) website: Data sharing and reuse of data be pompetent authorities for non-law enfocement purposes.

We have a statutory duty to protect the public and the local community. To do this it is necessary for us to process your personal information under the lawful basis of public interest and official authority. This means we process your personal information for carrying out tasks that are laid down in law and collectively described as the administration of justice.

Any personal data, special category data and criminal offence data that we process about individuals is done so in accordance with one or more of the following Articles 6 and 9 and 10 of the UK GDPR and Schedule 1 of the Data Protection Act 2018 (DPA 2018).

Article 6(1)

• (c) Legal obligation: the processing is necessary for the council to comply with the law (not including contractual obligations).
• (e) Public task: the processing is necessary for the council to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
• (f) Legitimate interests: the processing is necessary for the council’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Article 9(2)

• (a) Explicit consent
• (b) Employment, social security and social protection (if authorised by law)
• (g) Reasons of substantial public interest (with a basis in law)

This is supported by Schedule1, Part 2 (6) of the Data Protection Act 2018 and the legal framework such as:

• Local Government Act 1972
• Food Hygiene (England) Regulations 2013
• Consumer Rights Act 2015
• Town and Country Planning Act 1990
• Traffic Management Act 2004
• Anti-social Behaviour, Crime and Policing Act 2014

Where we process information relating to criminal convictions and offences, this is under Article 10 UK GDPR that covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences, or proceedings for an offence committed or alleged to have been committed, including sentencing.

Some of the Schedule 1 conditions for processing special category and criminal offence data require an Appropriate Policy Document (APD) to be in place, which sets out and explains the procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data. This document explains this processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018 and supplements this privacy notice.

Our Appropriate Policy Document provides further information about this processing.

Top of page

How long we keep your personal data

We keep your information only for as long as is necessary for the particular purpose or purposes for which it is held.

Top of page

Data sharing

We will only share your information where it is appropriate to, with:

• other CYC services
• other councils, government departments and agencies
• other organisations such as NHS and the Police
• third parties including our data processors, partners or contractors, who undertake work on our behalf
• internal and external auditors

In some circumstances, such as under a court order or safeguarding, we are legally obliged to share your information.

We will always satisfy ourselves that we have a lawful basis on which to share the information and document our decision making.

Additionally, we are required under the Public Records Act 1958 (as amended) to transfer records to the City or National Archives (TNA) for permanent preservation. Full consideration will be given to Data Protection and Freedom of Information legislation when making decisions about whether such records should be open to the public.

Top of page

Data processors and/or third parties

When we have third parties providing parts or all of our services, systems, software, platforms, applications (apps) etc for us, we have contracts or agreements in place with them. These include

• the council’s use of Microsoft 365 as its main operating system; read the Microsoft Privacy Statement, alongside our contract with Phoenix Software Limited; read the Phoenix Data protection information
• the council's use of Canon (UK) Ltd as its main multi-functional print devices; read the Canon (UK) Ltd Privacy Notice
• Civica, for online payments. You can find out how they use your information in the Civica Privacy Notice
• Eventbrite, for arranging and organising events. You can find out how they use your information in the Eventbrite Privacy Policy
• Mentimeter, at events for interactive presentation software. You can find out how they use your information in the Mentimeter Privacy Policy
• Microsoft Forms, as part of MS365. You can find out how they use your information in the Microsoft Privacy Statement
• Microsoft Teams, to contact you, to gather information from you, or if we are recording or transcribing our discussion or meeting with you, we will let you know. You can find more details about this in the City of York Council Microsoft Office 365 (MS365) Teams Meeting recording and transcription privacy notice
• SurveyMonkey, for our surveys or consultations. You can find out how they use your information in the SurveyMonkey Privacy Notice
• Veritau Public Sector Limited (VPS), who provides services to the council such as internal audits. You can find out how they use your information in the Veritau Privacy Policy
• WhatsApp, to contact you. You can find out how they use your information in the WhatsApp Privacy Policy
• YouTube, where we provide information in British Sign Language via the City of York Council YouTube channel, please read YouTube Privacy Settings and Google Privacy Policies
• Zimma Ltd, trading as Ticket Tailor, for arranging and organising events. You can find out how they use your information in the Ticket Tailor Privacy Policy
• Zoom Pro or Business version of Zoom (version 5), to host some public facing meetings, training sessions across different services in the council. Where these meetings are recorded, recordings will be kept locally on our server and will not be retained by Zoom. You can find out how they use your information in the Zoom Compliance Information
• organisations to support the council’s corporate transformation programme such as Impower. Read the Impower Privacy Notice
• other specialist or assistive systems, software, platforms, applications (apps), to help provide our services and support to you and our staff

Top of page

Transfers of personal data

We don’t routinely transfer personal data outside of the UK but when this is necessary we ensure that we have appropriate safeguards in place and that is done in accordance with the UK data protection and privacy legislation.

We do not routinely transfer personal data, special categories of personal data or criminal offence data, outside of the UK but when this is necessary, we ensure that we have appropriate safeguards in place and that it is done in accordance with the UK data protection and privacy legislation.

Top of page

How we protect your information

We are committed to keeping your information safe and secure. There are several ways we do this, such as:

• IT security safeguards such as firewalls, encryption, and anti-virus software
• on-site security safeguards to protect physical files and electronic equipment
• training for all staff and elected councillors
• policies and procedures

Top of page

Your rights in relation to this processing

To find out about your rights under data protection law, you can go to the Information Commissioner's Office website.

You can also find information about your rights in our Privacy Notice.

If you have any questions about this privacy notice, want to exercise your rights, or if you have a complaint about how your information has been used, please contact us on email: information.governance@york.gov.uk, or on telephone: 01904 555719, or write to:

Top of page

Also see

• Website terms and disclaimer
• Data Protection Policy Statement
• Accessibility statement
• Cookies policy
• Copyright statement