This notice should be read in conjunction with our corporate privacy notice.
Who are we?
North Yorkshire Council is a ‘Data Controller’ as defined by Article 4(7) of the UK General Data Protection Regulation (UK GDPR).
What personal information do we collect?
In order to deliver our HR service, we need to collect both personal and special category data depending on the specific service being delivered.
Personal data may include:
- names and contact details
- date of birth
- emergency names and contact details
- case details/case history
- recorded images, such as photos or videos
- employment history (for example, job application, employment references or secondary employment)
- right to work information
- identification documents
- National Insurance number
- education history (for example, qualifications)
- employment history (for example, job application, employment references or secondary employment)
- family and relationships details
- unique reference numbers
- payment details (including card or bank information for transfers and direct debits)
- health and safety information
Information about any previous membership of other public service pension schemes and other LGPS administering authorities, including your date of leaving and whether the previous scheme/authority assessed your eligibility for underpin protection.
We also collect the following special category data:
- religious or philosophical beliefs
- trade union membership
- health information (including dietary requirements, allergies and health conditions)
- criminal offence data (including Disclosure Barring Service (DBS), Access NI or Disclosure Scotland checks)
- health and safety information
- racial or ethnic origin
Why do we collect your personal information and what is our lawful basis for processing?
Service
Disciplinary procedure
Purpose
If an allegation is made against you, which warrants investigation, then the council will appoint an investigating officer who will conduct a fact-finding exercise and either present their findings to a disciplinary panel or provide information for disciplinary action to be taken outside of the formal procedure.
Lawful basis
GDPR Article 6(1)(b) - the processing of your personal information is necessary for the performance of a contract to which you are party (employment contract).
GDPR Article 9(2)(b) - the processing of your special category data is necessary for the carrying out of obligations and exercising specific rights of the controller or of the data subject in the field of employment.
Service
Employment
Purpose
The HR and payroll services comprise of the following teams who deal with and advise on all employment and HR-related matters for the council:
- employment support service
- HR shared service team
- pay and reward
- resourcing solutions
- NYHR (Schools)
- directorates HR business partners (HRBP’s)
Lawful basis
UK GDPR Article 6(1)(b) - processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
In connection with certain job roles, the council may need to collect criminal information. For the processing of personal data relating to criminal convictions and offences, processing meets schedule 1, part 1 of the data protection act 2018 as below:
- (1) Employment, social security and social protection
For the processing of data related to substance use testing the council will rely on the following lawful basis:
UK GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
When processing special category data, the council will rely on the following lawful basis.
UK GDPR Article 9(2)(b) - processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by law meeting schedule 1, part 1 of the data protection act 2018 as below:
- (1) employment, social security and social protection
- (2) health and social care purposes
UK GDPR Article 9 (2)(g) – processing is necessary for reasons of substantial public interest with processing meeting schedule 1, part 2 of the data protection act 2018 as below:
- (8) Equality of opportunity or treatment
You may wish to read the following in relation to your employment:
- occupational health
- pensions
- resolving Issues at Work
- disciplinary proceedings
- disclosure and barring service (DBS) checks
Service
Learning Zone
Purpose
The training and learning service is administered by the training and learning team in North Yorkshire Council. This is a service that is traded out to other organisations.
Lawful basis
The training and learning service process your personal data to fulfil obligations under employment contract (for instance, that your employer will provide you with adequate training). This might be a contract with North Yorkshire Council or an external organisation that buys in to the service.
UK GDPR Article 6(1)(b) - processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
When processing special category data, the council will rely on the following lawful basis:
UK GDPR Article 9(2)(b) - processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by law meeting Schedule 1, Part 1 of the Data Protection Act 2018 as below:
- (1) Employment, social security and social protection
Service
North Yorkshire Pension Fund
Purpose
The North Yorkshire Pension Fund (NYPF, The Fund) is responsible for the administration of the local government pension scheme (LGPS).
North Yorkshire Pension Fund collects and processes this data to provide you and your beneficiaries with pension benefits. We will also use this personal data for statistical and financial modelling and reference purposes (for example, when we assess how much money is needed to provide members' benefits and how that money should be invested) and to comply with our legal obligations.
We may also process your personal data to assess and, if appropriate, action a request you make to transfer your benefits out of the fund.
Lawful basis
The lawful basis for our use of your personal data will usually be that we need to process your personal data to satisfy our legal obligations as the Administering Authority of the fund. However, where that lawful basis does not apply then the lawful basis for our use of your personal data will be one or more of the following:
UK GDPR Article 6(1)(a) - the individual has given clear consent for you to process their personal data for a specific purpose. This applies to the pension portal only.
UK GDPR Article 6(1)(b) - the processing of your personal information is necessary for the performance of a contract to which you are party (employment contract). We need to process your personal data to meet our contractual obligations to you in relation to the fund (for example, under an agreement that you will pay additional voluntary contributions to the fund), or to take steps, at your request, before entering into a contract.
UK GDPR Article 6(1)(c) - we need to process your personal data to satisfy our legal obligations as the Administering Authority of the fund.
UK GDPR Article 6(1)(e) - we need to process your personal data to carry out a task in the public interest or in the exercise of official authority in our capacity as a public body.
UK GDPR Article 6(1)(f) - we need to process your personal data for the legitimate interests of administering and managing the fund and liabilities under it, calculating, securing and paying benefits and performing our obligations and exercising any rights, duties and discretions the Administering Authority has in relation to the fund.
UK GDPR Article 9(2)(b) - the processing of your special category data is necessary for the carrying out of obligations and exercising specific rights of the data controller or of the data subject in the field of employment.
If we need to process your personal data to comply with legal obligations or to take steps towards entering or performing an employment contract at your request and you choose not to provide your personal data, we may be unable to enter into or continue that contract with you.
You have the right to withdraw your consent to the processing at any time by notifying the NYYPF in writing. However, if you do not give consent, or subsequently withdraw it, the NYPF may not be able to process the relevant information to make decisions based on it, including decisions regarding the payment of your benefits.
Service
Occupational health and wellbeing
Purpose
The health and wellbeing team are the council’s certified practitioners in occupational health and this is a service that can be traded to other organisations.
Lawful basis
UK GDPR Article 6(1)(a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
UK GDPR Article 6(1)(b) - processing is necessary for the performance of a contract to which the data subject is party.
When processing special category data, the council will rely on the following lawful basis:
UK GDPR Article 9(2)(h) - processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, meeting Schedule 1, Part 1 of the data protection act 2018 as below:
- (2) Health or social care purposes
Service
Resolving issues at work
Purpose
In most instances when a grievance is raised then your line manager, or another appropriate manager, will attempt to resolve issues informally.
If a grievance needs to be progressed formally then the council will appoint an investigatory officer who will conduct a fact-finding exercise and present their findings to the involved parties.
Lawful basis
GDPR Article 6(1)(b) - the processing of your personal information is necessary for the performance of a contract to which you are party (employment contract).
GDPR Article 9(2)(b) - the processing of your special category data is necessary for the carrying out of obligations and exercising specific rights of the controller or of the data subject in the field of employment.
Service
Vehicle tracking
Purpose
Fleet management services, integrated passenger transport (IPT), process your personal data whilst you are using or being allocated a council-controlled vehicle.
Lawful basis
This information is being processed under article 6(f) legitimate Interests. In this case, the legitimate interests are protecting our fleet from misuse and in relation to the duty of care to employees.
Service
Corporate events
Purpose
We frequently hold conferences and other events for internal and external staff.
Lawful basis
UK GDPR Article 6 (1) (a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes - for corporate events, this purpose will be in relation to photographs of an individual
UK GDPR Article 6 (1) (e) - processing is necessary for the performance of a task carried out in the public interest (where events are held in relation to our functions)
UK GDPR Article 6 (1)(f) – for other event types, processing is necessary for the purposes of the legitimate interests pursued by the controller
With regard to special category data, we will rely on the following lawful basis:
UK GDPR Article 9 (2)(a) - the data subject has given explicit consent to the processing of those personal data for one or more specified purposes - we will rely on this lawful basis for the processing of your dietary information
UK GDPR Article 9(2) - processing is necessary for reasons of substantial public interest - processing is in relation to specific needs and meets schedule 1, part 2 of the data protection act 2018 as below:
- (16) Support for individuals with a particular disability or medical condition
Service
Corporate travel
Purpose
The council processes your personal data in relation to corporate travel.
Lawful basis
Article 6 1 (b) - for the purposes of the employment contract.
Article 9(2)(b) - processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment.
Service
Community Awards 2025
Purpose
To acknowledge and celebrate the fantastic work done by people within the North Yorkshire area, North Yorkshire Council would like residents to nominate people or organisations for their exceptional work.
Lawful basis
UK GDPR Article 6 (1)(a) – the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
UK GDPR Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest.
UK GDPR Article 6(1) (f) Legitimate Interests - processing is necessary for the purposes of the legitimate interests pursued by the controller.
Service
Shared health and safety services
Purpose
The Shared Health and Safety Service acts as the source of competent health and safety advice in accordance with the Management of Health and Safety at Work Regulations.
Lawful basis
UK GDPR Article 6(1)(c) - the processing of your personal information is necessary for compliance with a legal obligation to which the controller is subject. The source act for health and safety is the Health and Safety at Work etc Act 1974 and regulations made under this act.
When processing special category data, the council will rely on the following lawful basis:
UK GDPR Article 9(2)(g) The processing is necessary for reasons of substantial public interest, meeting Schedule 1, Part 2 of the Data Protection Act 2018 as below:
• (6) Statutory and government purposes
The legislation, policies and guidance that relates to these services include, but is not limited to:
- Localism Act 2011 (for events in relation to our functions)
- Disability Discrimination Act 1995 (support for individuals with a particular disability or medical condition at any of our events)
Who do we obtain your information from?
We may receive information from other agencies such as:
- HMRC
- Department of Work and Pension, if applicable
- North Yorkshire Pension Fund
- Local Government Pension Scheme
- any salary sacrifice arrangement you sign up to
- your trade union, if applicable
- Disclosure and Barring Service in order to conduct criminal record checks, if applicable
- occupational health providers
- Medigold Health – Hampton Knight
- Experian (in the event that we need to contact you following the termination of your employment. We may need to confirm your up to date contact address to avoid sending any correspondence to an incorrect address. In order to facilitate this we may perform an Experian credit check using your name and last known address). Please see our credit control privacy notice for further information
- your employer
- your GP
Who do we share this information with?
We may need share your information with a number of external agencies who are key to delivering our services. These include:
- investigatory officers
- disciplinary panel
- appeals panel
- HR team
- Unison representatives
- any individual that you choose to accompany you
- HMRC
- Department of Work and Pension, if applicable
- North Yorkshire pension fund/teachers’ pensions scheme
- any salary sacrifice arrangement you sign up to such as a Vivup or everybody benefits
- legal advisers
- AVC provider
- overseas payment provider
- LGPS National Insurance database
- Capita Pension Solutions
- governments Actuary's Department
- National Fraud Initiative
- government bodies
- dispute bodies
- trade unions recognised by North Yorkshire Council for the purposes of collective bargaining and ensuring effective consultation and employee representation including during restructuring and redundancy processes
- examining bodies, if applicable
- Disclosure and Barring Service to conduct criminal record checks, if applicable
- professional bodies relevant to the role in which you are employed for example, health and care professions council, teaching regulation agency or the disclosure and barring service if an issue is raised regarding your suitability to continue working in your role
- occupational health providers
- prospective future employers, landlords, letting agents, or mortgage brokers where you have asked them to contact the council to seek a reference
- Veritau who provides business assurance and information governance services to the council
- organisations with which the council works closely or in partnership with
- Experian (for current address check)
- Medigold Health – Hampton Knight
- safeguarding leads for example, social care professionals and the Police
- prospective future employers
- landlords
- letting agents
- mortgage brokers
- City and Guilds
- NCFE
- ACE
- OneFile
- TUPE
- independent registered medical practitioner (IRMP)
- your employer
- insurance companies
- event providers
- travel and accommodation third party provider
- the administrators, judges and photographer of the competition
- contractors
How long do we keep your information for?
The following table details the retention periods for records relating to the HR services stated above:
Disciplinary procedure
| Data held | Retention period |
|---|---|
| Written warning | Date of warning plus 12 months |
| Final written warning | Date of warning plus 15 months |
| Action short of dismissal | Date of warning plus timescale determined by the panel |
| Records relating to safeguarding investigations where upheld | Retained until retirement age or 10 years from the allegation (whichever is longer). Safeguarding files are currently frozen pending the Goddard Inquiry. |
| Records relating to safeguarding investigations where unfounded | Removed after investigation completion, however, a note may be kept on the accuser’s file, stating the allegation was unfounded. |
Employment
| Data held | Retention period |
|---|---|
| P45 | 6 years from the end of the tax year in which the employee left North Yorkshire Council. |
| Wisdom (personal) file, includes application forms, clearances, contract, HR letters, sick notes | 6 years from the end of the tax year the employee left; may be extended if a safeguarding enquiry is ongoing. |
| LAGAN cases (workload management system) – includes any pay or HR related queries or cases | 6 years from the end of the tax year the employee left, unless an active safeguarding enquiry applies. |
| Payroll record | 6 years from the end of the tax year the employee left; a skeleton record retained thereafter. |
| Payslip and claims information | 6 years from the end of the tax year in which the employee left North Yorkshire Council. |
Learning Zone
| Data held | Retention period |
|---|---|
| North Yorkshire Council learning records and data | 6 years from when the employee leaves North Yorkshire Council. |
| External learning records and data | 6 years from when the person last logged into Learning Zone. |
| North Yorkshire Council apprenticeships and qualification records and data | 6 Years from when the employee leaves North Yorkshire Council. |
North Yorkshire Pension Fund
| Data held | Retention period |
|---|---|
| Personal data | We retain personal data only as long as necessary to administer the fund and handle queries or complaints, unless longer retention is legally required. In practice, data is kept for the longest of: the period benefits are payable (including to any beneficiary) plus 15 years, where transfers or refunds apply or up to 100 years from the date of birth of the member or any beneficiary. Paper records are kept for 30 years and then securely shredded. Data is kept accurate and regularly reviewed; any no longer required is deleted and inaccuracies are corrected without delay. |
Occupational health and wellbeing
| Data held | Retention period |
|---|---|
| All occupational health records may be kept beyond standard retention periods if an investigation is ongoing, with retention reviewed once the investigation closes. | Records are retained for 6 years after employment ends or until the employee’s 75th birthday, whichever comes first, provided the employer notifies the service of termination. |
| Health surveillance records | Kept for current year plus 40 |
Resolving issues at work
| Data held | Retention period |
|---|---|
| Evidence and investigation outcome | 6 years upon closure |
Vehicle tracking
| Data held | Retention period |
|---|---|
| Telematics data is collected for employees and line managers, including location, driving duration and driving behaviour such as acceleration, braking and cornering. | For employees, telematics data is viewable on the web portal for 28 days, while line managers can view it for 3 months; summary reports remain available for the contract duration. |
| Collected data on the Ctrack system under the control of system operator | Ctrack stores trip summary and related data for the contract term (3 years, with possible 1‑year extensions up to 5 years total) and retains it for an additional 2 years afterward. |
Corporate events
| Data held | Retention period |
|---|---|
| Delegate lists with contact details | 6 months post event, in order for any final communication to occur. |
| Information related to access needs | Stored for 2 weeks post event, unless any issues arise.. |
| Information related to dietary needs | Stored for 2 weeks post event, unless any issues arise. |
| Event photographs of individuals | Stored for 3 years, unless consent is withdrawn. |
Corporate travel
| Data held | Retention period |
|---|---|
| Booking and travel information | 6 years |
Community Awards
| Data held | Retention period |
|---|---|
| Nominees information | 3 months |
| Shortlisted nominees | 6 months. |
| Finalists | Name: 3 years Contact details: 1 year Nominee forms: 6 months Videos and photographs: 1 year Description of reason for nomination: 6 months |
Other relevant transparency information
Personal data may be contained within documents uploaded to our AI Tools. We are the data controller of your personal data when it is used and the AI supplier/contractor is a data processor. These AI Tools will process personal data in accordance with UK GDPR alongside our various data protection policies. The AI tool does not perform any automated decision making and will not use your personal data to develop its products.
For more information about how we use your data, including your privacy rights and the complaints process, please see our corporate privacy notice.