City of York Council (CYC) current data protection notification is registered with the Information Commissioner’s Office (ICO) – reference Z5809563. We regularly review this privacy notice, and it was last updated in January 2026.
CYC is committed to ensuring that your information is handled in accordance with the principles set out in data protection legislation and guidance from the Information Commissioner’s Office (ICO).
This privacy notice tells you what to expect when we process your information, and it applies to web services.
However, the information we will process about you will vary depending on the service we are providing to you.
CYC is the controller for this information unless we specifically state otherwise in this privacy notice.
You can contact the council’s Data Protection Officer at information.governance@york.gov.uk or telephone: 01904 555719, or write to:
Data Protection OfficerCity of York Council
West Offices
Station Rise
York
YO1 6GA
This privacy notice should be read in conjunction with other CYC privacy notices that are available in our Privacy Notice and/or CYC policies and procedures.
When appropriate we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this privacy notice.
- How we collect your information
- What personal data we process and why
- Use of Artificial Intelligence (AI)
- AI for Staff Productivity and Accessibility
- Automated decision making
- Collecting information automatically
- Children's information
- Lawful basis for processing your personal data
- How long we keep your personal data
- Data sharing
- Data processors and or third parties
- Transfers of personal data
- How we protect your information
- Your rights in relation to this process
How we collect your information
We get your information about you from the following sources:
- directly from you
- from third parties acting on your behalf such as family member(s), advocates, etc
- from our commissioned partners or contractors who undertake work on our behalf
What personal data we process and why
We will only process the information that is necessary, such as:
- name
- address
- contact details
- health or diability information
We will use your information to:
- provide you with the correct information
- signpost you to the appropriate service area
- help to fix an error, or explain a solution
This table illustrates which Web Services areas are covered by this privacy notice.
| Service area | Covered by this privacy notice |
|---|---|
| Comment on this page online form | Yes |
| Feedback online form | Yes |
| Emails to webadmin@york.gov.uk | Yes |
| Telephone calls transferred to Web Services | Yes |
| Face to face contact with Web Services | Yes |
| Consultations and surveys undertaken by Web Services | Yes |
| Online forms created within our Content Management System (CMS) | No, these are covered by the service area to which the data is submitted |
| My Account | No, My Account is covered by ICT Services* |
| Accounts outside of My Account | No, these are covered by the service area providing the system with which you have an account* |
| Web Chat | No, Web Chat is covered by Customer Services* |
| Online payments made via the CYC website (Civica) | No, this is covered by online payments* |
| Emails to addresses other than webadmin | No, these are covered by the service area receiving the email |
| Online interactions/social media | No, social media is covered by Communications |
| Subdomains of york.gov.uk | No, these are covered by the service area responsible for the service delivered on the domain* |
| Galaxy websites** and online forms within them | No, these are covered by the service area responsible for the service delivered by the galaxy website* |
| Partnership websites (those governed by CYC, either wholly or in partnership, hosted outside of our CMS) and online forms within them | No, these are covered by the service area responsible for the service delivered by the partnership website* |
* These privacy notices are available from the relevant service area (see: Service Privacy Notices) or directly from galaxy websites or partnership websites when you visit.
** A 'galaxy website' is one that's governed by City of York Council (CYC), either wholly or in partnership, and hosted within our content management system (CMS).
This privacy notice does not cover 'partnership websites' nor 'external websites' we may link to; we encourage you to read the privacy notices on any other websites you visit.
Our website and galaxy websites may include email addresses for external organisations (those addresses that don't contain '@york.gov.uk'); we cannot guarantee what will happen to your personal data if you email an external organisation.
We will also collect your comments, feedback and opinions if you choose to take part in our surveys, consultation etc. You can withdraw your consent to these at any time by emailing: webadmin@york.gov.uk.
Use of Artificial Intelligence (AI)
We may use Artificial Intelligence (AI) technologies to support or enhance council services. Where AI is involved in a process that directly affects your interaction with us, we will inform you before your user journey begins. This ensures transparency and helps maintain trust in how we use AI.
Our use of AI complies with the UK General Data Protection Regulation (UK GDPR), including the principles of lawfulness, fairness, transparency, accountability, and accuracy. We conduct Data Protection Impact Assessments (DPIAs) where AI systems are likely to result in high risks to individuals’ rights and freedoms, such as automated decision-making or profiling.
If generative AI tools are used, we do not use personal or end-user data to train AI models. This helps ensure compliance with the purpose limitation and data minimisation principles under UK GDPR.
AI for Staff Productivity and Accessibility
Where AI tools are used solely by staff to assist with drafting, research, or accessibility - for example, to improve writing efficiency or summarise information – these uses do not form part of a business process that affects service delivery or decision-making. As such, no specific notification will be provided for these internal productivity uses.
These uses are considered low-risk and do not involve automated decision-making that produces legal or similarly significant effects. They are also subject to internal governance and safeguards to ensure responsible use.
Examples include:
- Drafting internal reports or meeting notes
- Summarising lengthy documents for quicker review
- Assisting with spelling, grammar, or formatting tasks
We may use your information to create reports and statistics that are anonymous and cannot be linked back to you, your family, or individuals such as:
- statistical analysis
- statory returns
- audit framework
- see how the council and its partners are supporting individuals
- help design better services
- inform funding decisions
Automated decision making
We do not carry out any automated decision making in web services.
Collecting information automatically
Please see our Cookies policy for further information about the information we collect automatically when you use our website.
Children's information
Where we provide servicies directly to children or young people, the information in the relevant parts of this notice applies to children and young people, as well as adults.
Lawful basis for processing your personal data
Any personal data and special category data that we process about individuals is done so in accordance with one or more of the following Articles 6 and 9 of the UK GDPR and Schedule 1 of the Data Protection Act 2018 (DPA 2018).
Article 6(1)
(a) Consent: the individual has given clear consent for the council to process their personal data for a specific purpose.
(e) Public task: the processing is necessary for the council to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for the council’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Article 9(2)
(a) Explicit consent
(g) Reasons of substantial public interest (with a basis in law)
This is supported by Schedule1, Part 2 (6) of the Data Protection Act 2018 and the following legal framework:
Some of the Schedule 1 conditions for processing special category data require an Appropriate Policy Document (APD) to be in place, which sets out and explains the procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data. This document explains this processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018 and supplements this privacy notice.
Our Appropriate Policy Document – City of York Council provides further information about this processing.
How long we keep your personal data
We will only keep your information for as long as it is needed then it will be securely and confidentially deleted or disposed of.
You can find details on how long the council keeps records at Council retention schedule - City of York Council.
Data sharing
We will only share your information where it is appropriate to, with:
- othe CYC services
- other councils, government departments and agencies
- other organisations such as NHS
- third parties including our data processors, partners or contractors, who undertake work on our behalf
- internal and external auditors
In some circumstances, such as under a court order or safeguarding, we are legally obliged to share your information.
We will always satisfy ourselves that we have a lawful basis on which to share the information and document our decision making.
Additionally, we are required under the Public Records Act 1958 (as amended) to transfer records to the City or National Archives (TNA) for permanent preservation. Full consideration will be given to Data Protection and Freedom of Information legislation when making decisions about whether such records should be open to the public.
Data processors and or third parties
When we have third parties providing parts or all of our services, systems, software, platforms, applications (apps) etc for us, we have contracts or agreements in place with them. These include
- Content management system - Privacy and Cookies Policy - Jadu
- the council’s use of Microsoft 365 as its main operating system and platform. Read the Microsoft Privacy Statement alongside our contract with Phoenix Software Limited: Data Protection | Phoenix Software
- organisations to support the council's corporate transformation programme such as Impower. Read the Impower Privacy Notice.
- Zoom Pro or Business version of Zoom (version 5) to host some public facing meetings, training sessions etc across different services in the council. Where these meetings are recorded, recordings will be kept locally on our server and will not be retained by Zoom. You can find Zoom’s privacy statement at Privacy | Zoom and their certifications at Legal Compliance | Zoom
- Microsoft Teams, to contact you, to gather information from you, or if we are recording or transcribing our discussion or meeting with you, we will let you know. You can find more details about this in the City of York Council Microsoft Office 365 (MS365) Teams Meeting recording and transcription privacy notice.
- SurveyMonkey for surveys or consultation etc. You can find out how they use information at Privacy Notice | SurveyMonkey
- Zimma Ltd trading as Ticket Tailor for arranging and organising events etc. You can find out how they use information at https://www.tickettailor.com/legal/privacy-policy
- Eventbrite for arranging and organising events etc. You can find out how they use information at Eventbrite Privacy Policy | Eventbrite Help Center
- Delib’s CitizenSpace (digital citizen engagement platform). You can find out how they use information at Delib | Legal - Privacy Notice
- Granicus/Gov Delivery to send you updates, newsletters etc. You can find out how they use information at Privacy Policy | Granicus
- WhatsApp to contact you. You can find out how they use information at Privacy Policy - UK (whatsapp.com)
- Civica for online payments. You can find out how they use information at Data Privacy Notice | Civica
- the council’s use of Paygate for BACS for payments and collections https://www.paygate.uk/privacy-statement
- the council’s use of MentiMeter at events Interactive presentation software - Mentimeter
- Microsoft forms as part of MS365 You can find out how they use information at https://www.microsoft.com/en-gb/privacy/privacystatement
- Veritau Public Sector Limited (VPS) who provides services to the council such as internal audit Privacy policy - Veritau
- Specialist or assistive systems, software, platforms, applications (apps) to help provide our services and support to you and our staff
- Where we provide information in British Sign Language via the City of York Council YouTube channel please read YouTube Privacy Settings and Google Privacy Policies
Transfers of personal data
We do not routinely transfer personal data, special categories of personal data or criminal offence data, outside of the UK but when this is necessary, we ensure that we have appropriate safeguards in place and that is done in accordance with the UK data protection and privacy legislation.
How we protect your information
We're committed to keeping your information safe and secure. There are several ways we do this, such as:
- IT security safeguards such as firewalls, encryption, and anti-virus software
- on-site security safeguards to protect physical files and electronic equipment
- training for all staff and elected councillors
- policies and procedures
Your rights in relation to this processing
To find out about your rights under Data Protection law, you can go to the Information Commissioners Office (ICO) For the public | ICO
You can also find information about your rights at Our Privacy Notice – City of York Council
If you have any questions about this privacy notice, want to exercise your rights, or if you have a complaint about how your information has been used, please contact us on email: information.governance@york.gov.uk, or on telephone: 01904 555719, or write to:
Data Protection OfficerCity of York Council
West Offices
Station Rise
York YO1 6GA
Also see