Our corporate privacy notice as well as service specific privacy information. Following Britain’s departure from the EU, all references to GDPR now refer to UK GDPR.
Information here will help you understand how and why we process your personal data and relates to the whole council. We also have specific privacy notices for each area of the council, showing how each service within the council may process your data.
If you are a local authority employee, or if your employer buys HR services from us, then you may wish to read our employment specific privacy notices.
Please see our Coronavirus (Covid-19) Privacy Notice for details on how the Council processes your information in relation to Coronavirus (Covid-19).
For more information about how we are processing the data of those volunteering for us during this time please see our Covid-19 volunteer privacy notice document.
|Personal data||Any information related to a living person, that could be used to directly or indirectly identify that person.|
|Special category data||
Special category data is personal data which is more sensitive, and so needs more protection. This could be:
|Data controller||An organisation or individual that determines why personal data is been collected and is responsible for the security of that data.|
|Data processor||A contractor, organisation or individual (not an employee) who uses personal data on behalf of the data controller.|
|Data processing||Any action taken with personal data. This includes the collection, use, disclosure, destruction and holding of data.|
|Data subject||A living person who the personal data is about.|
|Data protection officer||The role of the data protection officer is to make sure that the organisation processes personal data in compliance with data protection law.|
|Consent||A freely given choice about how personal data is used in an organisation (for example, opting in to marketing emails).|
North Yorkshire County Council is a ‘data controller’ as defined by Article 4(7) of the General Data Protection Regulation (GDPR). This means that we have a duty of care towards the personal data that we collect and use.
We have appointed Veritau Ltd to be our data protection officer. Their contact details are:
Data Protection Officer
In order to provide our services, we need to collect and use your personal data and sometimes your special category personal data.
There will be instances where we will anonymise your data. For example, in a survey we may not need your contact details. In which case, we'll only collect your survey responses.
We collect this data so that we can:
- deliver, manage, and check the quality of services that we offer;
- investigate complaints or concerns raised by you or other individuals; and
- assist with the research and planning of new council services.
We may hold your name, contact details, and address on our databases so that we can provide services to you, and easily identify you if you contact us. This includes our customer contact system, departmental back office systems, and our online systems. Council officers may only access your personal data if they need it for a task they are working on. There are procedures and checks in place to ensure that our staff can not use your data for their own personal benefit.
Third party processors
In order to deliver the best possible service we often use third party organisations. These organisations will sometimes need access to your personal data in order to complete their work. If we do use a third party organisation we will always have an agreement in place to ensure that the other organisation keeps your data secure.
Sometimes we have to pass your data to other organisations. This could be because of a legal requirement or because a court orders us to do so. For example, we may need to share information with the police to help prevent or detect a crime. We may not have to tell you if we do share with other organisations in this way.
Our internal auditors, counter fraud service, data protection officer, and external auditors may also have access to your personal data in order to complete their work. We will only share personal data with another organisation if we have a lawful basis to do so, and we will always keep records of when your data has been disclosed to another organisation.
National Fraud Initiative
We are committed to keeping the personal data that we hold safe from loss, corruption or theft. There are several ways we do this, including:
- training for all staff and elected councillors on how to handle personal data;
- policies and procedures detailing what council officers can and can not do with personal data;
- IT security safeguards such as firewalls, encryption, and anti-virus software; and
- on-site security safeguards to protect physical files and electronic equipment.
Unless we are using your data based on consent or to carry out obligations under contract, then we are using our legal powers. There are various different legal reasons for us to collect and use your personal data. The service specific privacy notices, which can be found at the end of this page, will tell you which legal power we are using according to which council service is using your data.
Conditions for criminal offence data, enforcement investigations and prosecutions
Where we are undertaking an investigation we are processing personal information under Part III of the Data Protection Act 2018 (DPA) for law enforcement purposes. The six law enforcement principles are similar to UK GDPR’s, however the transparency requirements are different, due to the potential to prejudice an ongoing investigation in certain circumstances.
When processing sensitive data, we must be able to demonstrate that the processing is strictly necessary and satisfies one of the conditions in Schedule 8 of the DPA or is based on consent.
We will only keep your personal data for as long as it is needed for the purpose it was collected for, or for as long as is required by legislation. There are different retention periods for different types of information. The service specific privacy notices, which can be found at the end of this notice, will tell you how long each service area may keep your information for. Please be aware that some of these retention periods may need to be extended due to Public Inquires (such as The Independent Inquiry into Child Sexual Abuse) or other external legal requirements.
Usually, the information that we hold is all held within the UK. However, some information may be held on computer servers which are outside of the UK. We will take all reasonable steps to make sure your data is not processed in a country that the UK government does not see as ‘safe’. If we do need to send your data out of the EU we will ensure it has extra protection from loss or unauthorised access.
Data protection legislation gives you, the data subject, a number of rights in regards to your personal information. You can find out about your data protection and subject access rights here.
If you have concerns about the way in which we have handled your personal data then please contact our data protection officer:
Data Protection Officer
You can complain to the Information Commissioner’s Office (the data protection regulator) about the way in which we have handled your personal data:
First Contact Team
Information Commissioner’s Office