This notice should be read in conjunction with our corporate privacy notice.
Who are we?
North Yorkshire Council is a ‘Data Controller’ as defined by Article 4(7) of the UK General Data Protection Regulation (UK GDPR).
What personal information do we collect?
In order to deliver our service, we need to collect the following personal data:
- names and contact details
- addresses
- date of birth
- financial information
- call recordings
- video and CCTV recordings of public areas
- photographs or video recordings
We may also collect certain categories of special category data:
- health information including dietary requirements, allergies and health conditions
Why do we collect your personal information and what is our lawful basis for processing?
Heritage services - historic environment record
Purpose
The historic environment record is a system for recording information about historic sites and monuments, such as archaeological sites and finds, designated sites, historic landscapes and buildings and other landscape features. It includes a computerised index system, as well as hard copy detailed information on maps, photographs, reports, journals and other files. The information can be used for research, to assess development proposals and to manage and enhance North Yorkshire's historic environment and landscape.
Lawful basis
UK GDPR Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest.
UK GDPR Article 6 (1)(a) - the data subject has given consent to the processing of their personal data for one or more specific purposes. Applies only in cases where a contributor wishes to be credited by name against the recorded find.
Community sport activity
Purpose
We deliver inclusive programmes of activity to support health and wellbeing, increase physical activity levels and prevent social isolation. Currently, this programme delivers the following activities:
- Primetime, Stillington
- Primetime, Northallerton
- Strong and Steady, Stokesley
- Primetime, Bedale
Lawful basis
UK GDPR Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Regarding marketing information, we rely on the following lawful basis:
UK GDPR Article 6(1)(a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
When processing special category data, we will rely on the following lawful basis:
UK GDPR Article 9(2)(g) - the processing of your special category data is necessary for reasons of substantial public interest (with a basis in law), meeting Schedule 1, Part 2 of the Data Protection Act 2018 as below:
- (16) Support for individuals with a particular disability or medical condition
Scarborough Spa and Whitby Pavilion
Purpose
Scarborough Spa and Whitby Pavilion is an entertainment and conferencing venue which offers a variety of services including banqueting, business events, room hire, weddings, cinema and theatre.
Lawful basis
UK GDPR Article 6 (1)(a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
UK GDPR Article 6 (1)(b) - processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. For example, room hire or event bookings.
UK GDPR Article 6 (1)(f) - processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
Leisure Service
Purpose
We provide a range of leisure services.
Lawful basis
For the use of your image/videos in marketing material and for where you have opted in to receive marketing communications, we rely on:
UK GDPR Article 6(1)(a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
For all other processing activity, we will rely upon the following lawful basis:
UK GDPR Article 6(1)(b) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
UK GDPR Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.
UK GDPR Article 6(1)(f) – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
When processing special category data, the council will rely on the following lawful basis:
UK GDPR Article 9(2)(g) – processing of your special category data is necessary for reasons of substantial public interest (with a basis in law), meeting schedule 1, part 2 of the Data Protection Act 2018 as below:
- (18) Safeguarding of children and of individuals at risk
Library and information service
Purpose
To provide access to services offered
Lawful basis
UK GDPR Article 6 (1)(a)- the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
UK GDPR Article 6(1)(b) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
The legislation, policies and guidance that relates to these services include, but is not limited to:
- Ancient Monuments and Archaeological Areas Act
- National Planning Policy Framework
- Town and Country Planning Act 1990
Who do we share this information with?
In the course of delivering culture, libraries and leisure, we may need share your information with a number of external agencies who are key to delivering our services. These include:
- Historic England
- Heritage Gateway
- Heritage contractors
- Universities and researchers
- Public Health
- Alliance Leisure
How long do we keep your information for?
Heritage services – historic environment record
| Data held | Retention period |
|---|---|
| Archaeological search requests from members of the public - personal data | 1 year |
| Archaeological search requests from members of the public - search location, date and nature of query | In perpetuity |
Community sport activity
| Data held | Retention period |
|---|---|
| Personal data such as name, address and contact details | 1 year after collection |
| Special category health data | 1 year after collection |
Scarborough Spa and Whitby Pavilion
| Data held | Retention period |
|---|---|
| Hard copy correspondence | 1 year |
| Service requests | 1 year |
| E-marketing data base and newsletters | Until requested to be removed by data subject |
| Social media competitions | 1 year |
| Business contacts | Until the end of relationship |
| E-marketing campaigns for business customers | Three years post campaign |
Leisure services
| Data held | Retention period |
|---|---|
| Financial data | 6 years. Three years or if a minor, under 18, until the individual reaches 21 years old |
| Accident data | 1 year after leaving |
| Membership contracts, direct debit mandates | 1 year after leaving |
| Health data for programmes | 1 year after non-use of facilities |
| Health data from our gym inductions or gym GP referrals | 1 year after non-use of facilities |
| Customer comment cards | 1 year |
Library and information service
| Data held | Retention period |
|---|---|
| Membership details | If account is not renewed, membership with be deactivated 24 months after expiry and if there is no activity within this time period |
| Library account renewed every three years | After 24 months all personal data will be deleted/anonymised |
Other relevant transparency information
Other data that we may hold about you is only kept for as long as is necessary and all data is retained in line with our record retention and disposal schedule (RRDS).
For more information about how we use your data, including your privacy rights and the complaints process, please see our corporate privacy notice.