Schools and education

Inclusive Education – Admissions, FAM, Appeals and Free School Meal Privacy Notice

City of York Council (CYC) current data protection notification is registered with the Information Commissioner’s Office (ICO) – reference Z5809563. We regularly review this privacy notice, and it was last updated in February 2026.

CYC is committed to ensuring that personal data is handled in accordance with the principles set out in data protection legislation and guidance from the Information Commissioner’s Office (ICO).

This privacy notice tells you what to expect when we process your information, and it applies to schools’ services including:

  • Schools admissions
  • Fair access protocol
  • School appeals 
  • Free school meals
  • School services

CYC is the controller for this information unless we specifically state otherwise in this privacy notice. 

You can contact the council’s Data Protection Officer at:

West Offices
Station Rise
York
YO1 6GA

Telephone: 01904 555719.

Email: information.governance@york.gov.uk.

This privacy notice should be read in conjunction with other CYC privacy notices that are available in our Privacy Notice and/or CYC policies and procedures.

When appropriate we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this document.

How we collect your information

We get information about you from the following sources:

  • directly from you
  • parent, carer, or guardian
  • Common Transfer Files (CTFs)
  • secure file transfers from schools, Academy Trusts and other public sector bodies.
  • Census data from Office for National Statistics (ONS)
  • when you take part in our surveys or consultation

Primary Care Trusts (PCTs) may also provide individual schools and Local Authorities (LA) with aggregated health information which will not identify individual children.

Top of page

What personal data we process and why

We process the following personal data, special categories of personal data and criminal offence data:

  • names
  • contact details such as addresses, email addresses, phone numbers etc
  • personal identifiers such as dates of birth (DOB), National Insurance Number (NINO) etc
  • characteristics such as ethnicity, language
  • safeguarding information such as court orders and professional involvement
  • special educational needs, including the needs and ranking
  • attendance such as sessions attended, number of absences, absence reasons and any previous schools attended
  • behavioural information such as exclusions and any relevant alternative provision placements put in place
  • details of current school
  • medical information
  • family income information (including any social security benefits)
  • your opinions, comments and feedback when you take part in our surveys and consultation

If you take part in our surveys or consultations you can withdraw your consent at any time by contacting the appropriate service such as for home to School or College transport email: education@york.gov.uk.

If you take part in our admissions consultations, you can withdraw your consent at any time by email: admissionsconsultation@york.gov.uk.

We use your information to:

  • provide you with our services i.e., enable us to carry out services we are responsible for
  • free school meal eligibility checking
  • respond to general education queries etc
  • allocating school places
  • processing school applications and appeals
  • support the education provision for young people living in York up to the age of 20 (and beyond this age for those with a special education need or disability).
  • derive statistics for reports and to inform decisions such as the funding of schools and planning of school places
  • provide research and statistical reports to support the PCTs to develop, monitor and evaluate the performance of local health services
  • assess performance and to set targets
  • any additional information that's necessary for us to assess and provide you with the service you require (including disability requirements)

When we use the information for reporting, research, and statistical purposes, it will be anonymised which means the information will be turned into a form that cannot be linked back to you and does not identify individuals.

When you complete an online form on the council’s website and you have provided your email address, we will send you a copy of your completed online form.  

Top of page

Artificial Intelligence

We may use Artificial Intelligence (AI) technologies to support or enhance council services. Where AI is involved in a process that directly affects your interaction with us, we will inform you before your user journey begins. This ensures transparency and helps maintain trust in how we use AI.

Our use of AI complies with the UK General Data Protection Regulation (UK GDPR), including the principles of lawfulness, fairness, transparency, accountability, and accuracy. We conduct Data Protection Impact Assessments (DPIAs) where AI systems are likely to result in high risks to individuals’ rights and freedoms, such as automated decision-making or profiling.

If generative AI tools are used, we do not use personal or end-user data to train AI models. This helps ensure compliance with the purpose limitation and data minimisation principles under UK GDPR.

AI for Staff Productivity and Accessibility

Where AI tools are used solely by staff to assist with drafting, research, or accessibility—for example, to improve writing efficiency or summarise information—these uses do not form part of a business process that affects service delivery or decision-making. As such, no specific notification will be provided for these internal productivity uses.

These uses are considered low-risk and do not involve automated decision-making that produces legal or similarly significant effects. They are also subject to internal governance and safeguards to ensure responsible use. Examples include:

  • drafting internal reports or meeting notes
  • summarising lengthy documents for quicker review
  • assisting with spelling, grammar, or formatting tasks

We may use your information to create reports and statistics that are anonymous and cannot be linked back to you, your family, or individuals such as:

  • statistical analysis
  • statutory returns
  • audit framework
  • see how the council and its partners are supporting individuals
  • help design better services
  • inform funding decisions

Top of page

Automated decision-making

We do not carry out any automated decision making without any human intervention.

Top of page

Collecting information automatically

Please see our Cookies Policy for further information about the information we collect automatically when you use our website.

Top of page

Children’s information

Where we provide services directly to children or young people, the information in the relevant parts of this notice applies to children and young people, as well as adults.

Top of page

Lawful basis for processing your personal data

Any personal data including special category data and criminal offence data that we process about individuals is done so in accordance with Article 6, 9 and 10 of the UK GDPR and Schedule 1 of the Data Protection Act 2018 (DPA 2018).

  • Article 6(1)
    • (a) Consent: the individual has given clear consent for the council to process their personal data for a specific purpose.
    • (c) Legal obligation: the processing is necessary for the council to comply with the law (not including contractual obligations).
    • (e) Public task: the processing is necessary for the council to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
  • Article 9(2)
    • (a) Explicit consent
    • (b) Employment, social security and social protection (if authorised by law)
    • (g) Reasons of substantial public interest (with a basis in law)

This is supported by Schedule1, Part 2 (6) of the Data Protection Act 2018 and legislation such as:

  • Education Act 1996
  • Localism Act 2011 section 1(1)
  • Department for Education’s Legal Compliance Guide
  • Section 512ZB of the Education Act 1996 states: Provision of free school lunches and milk
  • Education Act 1996 (Section 512ZB)
  • Admissions – School admission code 2021 and School Admission Appeals Code that was issued under s.84 of the School Standards and Framework Act 1998
  • Exclusions – The School Discipline (Pupil Exclusions and Reviews) (England)
  • Regulations 2012 and s.52 of the Education Act 2002
  • Transport – Education Act 1996 and statutory guidance - Home-to-school travel and transport 2014

Where we process personal data relating to criminal convictions and offences, this is also under Article 10 UK GDPR that covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences, or proceedings for an offence committed or alleged to have been committed, including sentencing.

Some of the Schedule 1 conditions for processing special category and criminal offence data require an Appropriate Policy Document (APD) to be in place, which sets out and explains the procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data. This document explains this processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018 and supplements this privacy notice.

Our Appropriate Policy Document provides further information about this processing.

Top of page

How long we keep your personal data

We will only keep your information for as long as it is needed and then it will be securely and confidentially destroyed or deleted.

You can find more details about how long the council keeps records in the council retention schedule.

Top of page

Data sharing

We will only share your information with other council services where it is appropriate to such as:

  • Business Intelligence Unit
  • Families Information Service
  • professionals from health, social care, and Early Help teams
  • School Admissions and Appeals Service clerks
  • Children and Young People Transport team
  • Members of independent panels and appeals panels or committees such as home to school transport appeals committee

We will only share your information with organisations, agencies, government departments, etc where it is appropriate to, such as:

  • youth support services (pupils aged 13+)
  • government departments such as Department of Work and Pensions (DWP) etc
  • other local authorities and public sector bodies
  • schools, academies, and other providers of education
  • external providers of our commissioned services such as transport providers
  • auditing services
  • post-16 education and training providers to secure appropriate support for individuals
  • education establishments which show what their pupils go on to do after the age of 16.

We share some of the information we collect with the Department for Education (DfE) to enable them to:

  • produce statistics
  • assess our performance
  • determine the destinations of young people after they have left school or college
  • evaluate government funded programmes

Decisions on whether the DfE releases personal data to third parties are subject to a robust approval process and are based on:

  • a detailed assessment of who is requesting the data
  • the purpose for which it is required
  • the level and sensitivity of data requested
  • the arrangements in place to store and handle the data

To be granted access to pupil level data, requesters must comply with strict terms and conditions covering the confidentiality and handling of data, security arrangements and retention and use of the data.

See guidance on GOV.UK regarding the national pupil database.

See guidance on GOV.UK regarding DfE external data sharing, for information on which third party organisations (and for which project) pupil level data has been provided to.

In some circumstances, such as under a court order or safeguarding, we are legally obliged to share information.

We will always satisfy ourselves that we have a lawful basis on which to share the information and document our decision-making.

Additionally, we are required under the Public Records Act 1958 (as amended) to transfer records to the City or National Archives (TNA) for permanent preservation. Full consideration will be given to Data Protection and Freedom of Information legislation when making decisions about whether such records should be open to the public.

Top of page

Data processors and/or third parties

Where we have third parties providing parts or all of our services for us, we have contracts or agreements in place with them. These are listed below.

If you require more information about how the DfE store and use your personal data please see information on GOV.UK regarding the DfEs data protection policy.

The Access Group provide parts of our services and we have a contract in place with them. You can find more information about them in The Access Group Privacy Notice.

Where we use Fix Our Food you can find out how they use your information in the Fix Our Food Privacy Policy.

Other specialist or assistive systems, software, platforms, applications (apps), to help provide our services and support to you and our staff.

Top of page

Transfers of personal data

We do not routinely transfer personal data outside of the UK but when this is necessary, we ensure that we have appropriate safeguards in place and that is done in accordance with the UK data protection and privacy legislation.

Top of page

How we protect your information

We're committed to keeping your information safe and secure. There are several ways we do this, such as:

  • IT security safeguards such as firewalls, encryption, and anti-virus software
  • on-site security safeguards to protect physical files and electronic equipment
  • training for all staff and elected councillors
  • policies and procedures

Top of page

Your rights in relation to this processing

To find out about your rights under data protection law, you can go to the Information Commissioner's Office website.

You can also find information about your rights in our Privacy Notice.

If you have any questions about this privacy notice, want to exercise your rights, or if you have a complaint about how your information has been used, please contact us on email: information.governance@york.gov.uk, or on telephone: 01904 555719, or write to:

Data Protection Officer
City of York Council
West Offices
Station Rise
York YO1 6GA

Top of page

Also see

Data Protection Officer

West Offices, Station Rise, York, YO1 6GA

Telephone: 01904 555719

Comment on this page