City of York Council (CYC) complies with the UK General Data Protection Regulations (UK GDPR) and the Data Protection Act 2018, and is the registered with the Information Commissioner’s Office (ICO), reference: Z5809563.
We regularly review this privacy notice, and it was last updated in December 2023.
CYC is committed to ensuring that information is handled in accordance with the principles set out in data protection legislation and guidance from the Information Commissioner’s Office (ICO).
This Privacy Notice explains how and why we process your information, under Part 3 of the Data Protection Act 2018 for law enforcement purposes and the steps we take to keep your information safe.
CYC is the controller for the personal data we process, unless otherwise stated. You can contact the council’s Data Protection Officer at:West Offices
Telephone: 01904 554145.
You can find more information about the role of the Data Protection Officer in our Data Protection Policy Statement.
This privacy notice should be read in conjunction with other relevant specific privacy notices that are available in our Privacy Notice and/or other relevant policies and procedures.
When appropriate we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this privacy notice.
- How we collect your information
- What personal data we process and why
- Automated decision-making
- Collecting information automatically
- Children's information
- Lawful basis for processing your personal data
- How long we keep your personal data
- Data sharing
- Data processors and/or third parties
- Transfers of personal data
- How we protect your information
- Your rights in relation to this processing
How we collect your information
To carry out the law enforcement purposes described in this privacy notice, we may obtain, use, and disclose information relating to a wide variety of individuals including but not limited to:
- offenders and suspected offenders
- witnesses or reporting persons
- individuals passing information to us
- victims and complainants, both current, past, and potential
We get information from:
- other law enforcement agencies and local authorities
- emergency services such as Police, Fire Service, National Health Service or Ambulance
- HM Revenue and Customs
- licensing authorities
- legal representatives
- other prosecuting authorities such as solicitors, courts
- partner agencies involved in crime and disorder strategies
- private sector organisations working with or for us on anti-crime strategies
- voluntary sector organisations
- governmental agencies and departments
- suspected or known perpetrators of offences and relatives, guardians or other persons associated with the individual victims
- City Of York Council CCTV systems and body worn video
- correspondence sent to us, including anonymous reports and concerns
We may also obtain details from the council’s own information systems, this may include ‘general data’ processed for purposes under Part 2 of the Data Protection Act 2018.
What personal data we process and why
We process the following personal data, special categories of data, and criminal offence data:
- your name and address
- employment details
- financial details
- racial or ethnic origin
- religious or other beliefs of a similar nature
- physical or mental health condition
- sexual life
- offences and alleged offences
- criminal proceedings
- outcomes and sentences
- physical identifiers
- sound and visual images
- criminal intelligence
- information relating to safety
- incidents and accident details
At this time, we do not process any DNA, fingerprints, other genetic samples, or facial recognition data for law enforcement purposes.
We are responsible for delivering a wide range of public services and functions. This includes a number of law enforcement functions associated with:
- Trading Standards
- Environmental Enforcement
- Youth Justice Service
- Children’s Services (for example non-attendance at school; child employment; child performance)
- Health and Safety
We do not carry out any automated decision making without any human intervention in providing this service.
Collecting information automatically
Please see our Cookies Policy for further information about the information we collect automatically when you use our website.
Where we provide services directly to children or young people, the information in the relevant parts of this notice applies to children and young people, as well as adults.
Lawful basis for processing your personal data
The processing of data for law enforcement purposes can only be done by an organisation which is considered as a ‘competent authority’.
Law enforcement purposes are ‘the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security’.
The description of a ‘competent authority’ is laid down in data protection law, and includes but is not limited to, organisations such as police forces, the Financial Conduct Authority, and the Information Commissioner. (Data Protection Act 2018, Schedule 7).
We have a statutory duty to protect the public and the local community. To do this it is necessary for us to process your personal information under the lawful basis of public interest and official authority. This means we process your personal information for carrying out tasks that are laid down in law and collectively described as the administration of justice.
The Administration of Justice, includes:
- the prevention and detection of crime
- apprehension and prosecution of offenders
- protecting life and property
- preserving order
- maintenance of law and order
- national security
- defending civil proceedings
- any duty or responsibility of the council arising from common or statute law
Guidance on how organisations should process data for ‘law enforcement purposes’ can be found on the Information Commissioner’s Office (ICO) website: Data sharing and reuse of data by competent authorities for non-law enforcement purposes.
Where we process personal data relating to criminal convictions and offences, this is also under Article 10 UK GDPR that covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences, or proceedings for an offence committed or alleged to have been committed, including sentencing.
Some of the Schedule 1 conditions for processing special category and criminal offence data require an Appropriate Policy Document (APD) to be in place, which sets out and explains the procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data. This document explains this processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018 and supplements this privacy notice.
Our Appropriate Policy Document provides further information about this processing.
How long we keep your personal data
We keep your information only for as long as is necessary for the particular purpose or purposes for which it is held.
To enable us to meet our statutory duties we may be required to share your information with other organisations that process information for a similar reason or to keep people safe.
These organisations include:
- the police and other law enforcement agencies
- partner agencies working on crime reduction initiatives
- partners in the Criminal Justice arena
- other local authorities
- other bodies or individuals where it is necessary to prevent harm to individuals
Disclosures of information are considered on a case-by-case basis, using only the personal information appropriate to a specific purpose and circumstances, and with necessary controls in place.
We will also disclose information to other bodies or individuals when required to do so, or under an act of legislation, a rule of law, and by court order. This may include:
- the Police
- Serious Fraud Office
- National Fraud Initiative
We will always satisfy ourselves that we have a lawful basis on which to share the information and document our decision making.
Additionally, we are required under the Public Records Act 1958 (as amended) to transfer records to the City or National Archives (TNA) for permanent preservation. Full consideration will be given to Data Protection and Freedom of Information legislation when making decisions about whether such records should be open to the public.
Data processors and/or third parties
Where we have third parties providing parts or all of our services for us, we have contracts or agreements in place with them.
Transfers of personal data
We don’t routinely transfer personal data outside of the UK but when this is necessary we ensure that we have appropriate safeguards in place and that is done in accordance with the UK data protection and privacy legislation.
How we protect your information
We handle information according to the requirements of Part 3 of the UK Data Protection Act 2018 and we're committed to keeping your information safe and secure. There are several ways we do this, such as:
- IT security safeguards such as firewalls, encryption, and anti-virus software
- on-site security safeguards to protect physical files and electronic equipment
- training for all staff and elected councillors
- policies and procedures
- maintain compliance with the Public Services Network (PSN) Code of Connection
Your rights in relation to this processing
To find out about your rights under data protection law, you can go to the Information Commissioner's Office website.
You can also find information about your rights in our Privacy Notice.
If you have any questions about this privacy notice, want to exercise your rights, or if you have a complaint about how your information has been used, please contact us on email: firstname.lastname@example.org, or on telephone: 01904 554145, or write to:Data Protection Officer
City of York Council
York YO1 6GA