We created this privacy notice in October 2021 and will keep it under review. It was last updated in March 2022. When we use your personal information, City of York Council (CYC) complies with data protection legislation, and is the registered ‘Controller’. Our data protection notification is registered with the Information Commissioner’s Office (ICO) – reference Z5809563.
You need to read and be aware of this privacy notice if you attend an event, meeting, briefing, or training session where we use MS365 and also for when they may be recorded and/or transcribed, using MS365 (or other agreed media platform).
View the privacy and transparency information for all of the City of York Council (CYC).
- personal data
- collecting personal data
- using personal data
- our legal basis for collecting and sharing personal data
- sharing personal data
- retaining personal data
- transferring personal data abroad
- further processing of personal data
- your rights relating to personal data
Personal data
Personal information recorded or transcribed in our MS365 Teams environment relates either to directly consenting participants in recorded meetings or to data where the council has an established legal basis for processing or explicit consent has been recorded for the business processing.
The categories of personal information held in relation to recordings and transcriptions are for the most part personal information relating to participant identity, possibly including contact information, and their personal contributions to required business processes.
The recording could contain:
- your video stream (including images of yourself), if you choose to enable your video device during the meeting. Anything or anyone else that may be in the background could be recorded; this could mean that if you have your picture or video image on screen or might include whatever you have in the background if you are working from home. You can choose to put up a background in Microsoft Teams meetings to stop any additional pictures of your home being recorded
- your audio stream, if you choose to enable your audio device during the meeting; this could include any opinions you contribute and anything you say about yourself
- chat within the meeting could also be captured in the meeting recording
Therefore, anyone attending the recorded meeting may have aspects of their personal information recorded, if they actively participate or not.
See further details about how we define personal data and non-personal data.
Collecting personal data
The council uses MS365 Teams to hold meetings. In some cases these may be recorded and/or transcribed. This will be to provide a record of discussions and agreements held within the meeting. For example:
- to establish participant identities and further contact details if required
- to have a record and potential transcript where agreed
- to record formal Council Committee meetings where agreed
- to record business meetings where requested by the meeting organiser to support ongoing dissemination and to create records of discussions, decisions and progress, where agreed
- to support participant accessibility where agreed
- to support specific situations that require a recorded session
There are specific situations where the council would not find it acceptable to use Teams recordings, even where they may be included in the general purposes above for example grievance and disciplinary meetings.
Using personal data
We use meeting recordings and where appropriate, the transcription facility to produce:
- informal notes of any discussions in the recorded meeting
- formal records of any discussions, actions, agreements, or decisions in the recorded meeting
If a recording is going to take place, you will be informed both in the invitation and on the day of recording the session (normally verbally), prior to any recording taking place. You will be told of the purpose of the recording and what other purposes it will be used for.
If the meeting is not being recorded or transcribed, then we'll make that clear in the invite or joining instructions.
View Microsoft's Privacy Statement.
Our legal basis for using personal data
The legal basis for this processing will be related to the topic and data in any agreed meeting recording, the most likely being, but not limited to:
- explicit consent is given by participants
- processing necessary to ensure compliance with a legal obligation
- processing necessary for the performance of a contract to which the data subject is a party
- processing relating to a task carried out in the public interest
You can withdraw your consent at any time by contacting the person who sent you the meeting invite
Sharing personal data
We'll only share your personal information with other council services as appropriate. Recordings and/or transcriptions may also be viewed by meeting invitees who were unable to attend where appropriate.
Sharing data under Data Protection legislation
We may be required or permitted, under data protection legislation, to disclose your personal data without your explicit consent, for example if we have a legal obligation to do so, such as for:
- law enforcement
- fraud or tax investigations
- regulation and licensing
- criminal prosecutions
- court proceedings
This includes exchanging information with other government departments for legal reasons. We won’t share your information with any other organisations for marketing, market research or commercial purposes.
Retaining personal data
Meeting recordings and/or transcriptions will typically be deleted within 1 year if there is no further need to retain them.
However, if they are retained as evidence of an action or decision, they will be moved from their original location into the relevant system on the councils secure network.
Recordings and transcriptions are securely stored the council’s secure network and will be appropriately and securely deleted when no longer required.
At the end of the retention period, we may pass any relevant information to the City Archives where it is required or appropriate to do so.
Transferring personal data abroad
We may process your personal data using services hosted outside the UK or European Economic Area, but only where there are safeguards in place such as a data processing agreement that complies with obligations equivalent to the principles of data protection legislation.
Further processing of personal data
If we wish to use your personal data for a new purpose, not covered by this Privacy Notice, then we'll provide you with a new notice.
The new notice will:
- explain this new use before we start the processing
- set out the relevant purposes and processing conditions
Where and whenever necessary, we'll seek your consent to the new processing, if we start to use your personal data for a purpose not mentioned in this Privacy Notice.
Your rights relating to personal data
When we collect your personal data we'll tell you how we are going to use it. Where we process your personal data, you have a number of rights under data protection law.
See further details of your rights relating to personal data.