City of York Council Microsoft Office 365 (MS365) Teams Meeting including recording and transcription privacy notice

City of York Council (CYC) current data protection notification is registered with the Information Commissioner’s Office (ICO) – reference Z5809563. We regularly review this privacy notice, and it was last updated in September 2025.

CYC is committed to ensuring that your information is handled in accordance with the principles set out in data protection legislation and guidance from the Information Commissioner’s Office (ICO).

This privacy notice tells you what to expect when we collect personal information about you. It applies to when you attend an event, meeting, briefing, or training session where we use MS365 and for when they may be recorded and/or transcribed, using MS365 (or other agreed media platform).

CYC is the controller for this information unless we specifically state otherwise in this privacy notice.

You can contact the council’s Data Protection Officer at information.governance@york.gov.uk or 01904 555 719, or write to:

This privacy notice should be read in conjunction with other CYC privacy notices that are available in our Privacy Notice and/or CYC policies and procedures.

When appropriate we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this document.

• How we collect your information
• What personal data we process and why
• Automated decision-making
• Collecting information automatically
• Children's information
• Lawful basis for processing your personal data
• How long we keep your personal data
• Data sharing
• Data processors and/or third parties
• Transfers of personal data
• How we protect your information
• Your rights in relation to this processing

How we collect your information

We get information about you from the following sources:

• directly from you
• from third parties acting on your behalf such as family member(s), advocates, and so on
• from our commissioned partners or contractors who undertake work on our behalf

Top of page

What personal data we process and why

Any information recorded or transcribed in our MS365 Teams environment relates either to directly consenting participants in recorded meetings or to data where the council has an established legal basis for processing or explicit consent has been recorded for the business processing.

The categories of personal information held in relation to recordings and transcriptions are for the most part personal information relating to participant identity, possibly including contact information, and their personal contributions to required business processes.

The recording could contain:

• your video stream (including images of yourself) if you choose to enable your video device during the meeting. Anything or anyone else that may be in the background could be recorded. This could mean that if you have your picture or video image on screen it might include whatever you have in the background if you are working from home. You can choose to put up a background in Microsoft Teams meetings to stop any additional pictures of your home being recorded
• your audio stream, if you choose to enable your audio device during the meeting. This could include any opinions you contribute and anything you say about yourself
• chat within the meeting could also be captured in the meeting recording

Therefore, anyone attending the recorded meeting may have aspects of their personal information recorded if they actively participate or not.

The council uses MS365 Teams to hold meetings. In some cases, these may be recorded and or transcribed. This will be to provide a record of discussions and agreements held within the meeting. For example:

• to establish participant identities and further contact details if required
• to have a record and potential transcript if agreed
• informal notes of any discussions in the recorded meeting
• formal records of any discussions, actions, agreements, or decisions in the recorded meeting
• to record formal Council Committee meetings where agreed
• to record business meetings where requested by the meeting organiser to support ongoing dissemination and to create records of discussions, decisions, and progress, if agreed
• to support participant accessibility if agreed
• to support specific situations that require a recorded session

There are specific situations where the council would not find it acceptable to use Teams recordings, even where they may be included in the general purposes above for example grievance and disciplinary meetings.

If a recording is going to take place, you will be informed both in the invitation and on the day of recording the session (normally verbally), prior to any recording taking place. You will be told of the purpose of the recording and what other purposes it will be used for.

Where we rely on your consent, you can withdraw your consent at any time by contacting the person who sent you the meeting invite.

Top of page

Automated decision-making

We do not carry out any automated decision-making when using MS365 Teams recording and or transcription.

Top of page

Collecting information automatically

Please see our Cookies Policy for further information about the information we collect automatically when you use our website.

Top of page

Children’s information

Where we provide services directly to children or young people, the information in the relevant parts of this notice applies to children and young people, as well as adults.

Top of page

Lawful basis for processing your personal data

Any personal data, special category data or and criminal offence data that we process about individuals is done so in accordance with one or more of the following Articles 6, 9 and 10 of the UK GDPR and Schedule 1 of the Data Protection Act 2018 (DPA 2018).

Article 6(1)

• (a) explicit consent is given by participants
• (b) Contract: the processing is necessary for a contract the council has with you, or because you have asked us to take specific steps before entering into a contract.
• (e) Public task: the processing is necessary for the council to perform a task in the public interest or for the council’s official functions, and the task or function has a clear basis in law.
• (f) Legitimate interests: the processing is necessary for the council’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This will not be relied on where the council is processing data to perform any official tasks.)

Article 9(2)

• (a) Explicit consent
• (b) Employment, social security, and social protection (if authorised by law)
• (g) Reasons of substantial public interest (with a basis in law)

This is supported by Schedule 1, Part 2(6) of the Data Protection Act 2018 and will be related to the topic and data in any agreed meeting recording and or transcription.

Where we process personal data relating to criminal convictions and offences, this is also under Article 10 UK GDPR that covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences, or proceedings for an offence committed or alleged to have been committed, including sentencing.

Some of the Schedule 1 conditions for processing special category and criminal offence data require an Appropriate Policy Document (APD) to be in place, which sets out and explains the procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data. This document explains this processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018 and supplements this privacy notice.

Our Appropriate Policy Document provides further information about this processing.

Top of page

How long we keep your personal data

We will only keep your information for as long as it is needed then it will be securely and confidentially deleted or disposed of.

You can find details on how long the council keeps records in our Council retention schedule.

Top of page

Data sharing

We will only share your information where it is appropriate to, with:

• other meeting invitees who were unable to attend the meeting
• other CYC services
• other councils, government departments and agencies
• other organisations such as NHS
• third parties including our data processors, partners or contractors, who undertake work on our behalf
• internal and external auditors

In some circumstances, such as under a court order or safeguarding, we are legally obliged to share information.

We will always satisfy ourselves that we have a lawful basis on which to share the information and document our decision-making.

Additionally, we are required under the Public Records Act 1958 (as amended) to transfer records to the City or National Archives (TNA) for permanent preservation. Full consideration will be given to Data Protection and Freedom of Information legislation when making decisions about whether such records should be open to the public.

Top of page

Data processors and/or third parties

When we have third parties providing parts or all of our services, systems, software, platforms, applications (apps) for us, we have contracts or agreements in place with them. These include:

• Veritau Public Sector Limited (VPS), who provides services to the council such as internal audits. You can find out how they use your information in the Veritau Privacy Policy
• other specialist or assistive systems, software, platforms, applications (apps), to help provide our services and support to you and our staff
• YouTube, where we provide information in British Sign Language via the City of York Council YouTube channel, please read YouTube Privacy Settings and Google Privacy Policies

Top of page

Transfers of personal data

We don’t routinely transfer personal data, special categories of personal data or criminal offence data outside of the UK but when this is necessary, we ensure that we have appropriate safeguards in place and that is done in accordance with the UK data protection and privacy legislation.

Top of page

How we protect your information

We're committed to keeping your information safe and secure. There are several ways we do this, such as:

• IT security safeguards such as firewalls, encryption, and anti-virus software
• on-site security safeguards to protect physical files and electronic equipment
• training for all staff and elected councillors
• policies and procedures

Top of page

Your rights in relation to this processing

To find out about your rights under Data Protection law, you can go to the Information Commissioner's Office (ICO) website.

You can also find information about your rights at our Privacy Notice.

If you have any questions about this privacy notice, want to exercise your rights, or if you have a complaint about how your information has been used, please contact us on email: information.governance@york.gov.uk, or on telephone: 01904 555719, or write to:

Top of page

Also see

• Website terms and disclaimer
• Data Protection Policy Statement
• Accessibility statement
• Cookies policy
• Copyright statement