This notice should be read in conjunction with our corporate privacy notice.
Who are we?
North Yorkshire Council is a ‘Data Controller’ as defined by Article 4(7) of the UK General Data Protection Regulation (UK GDPR).
What personal information do we collect?
For FOI/EIR requests we will collect your names, addresses and contact details, your organisation (if applicable) and details of your request.
For all other functions we will collect your names, addresses and contact details, your involvement with the council and details of your request.
For some requests the team may need to validate your identity or your right of access in order to ensure it is only releasing personal information to authorised persons. To do this we will ask you to provide two forms of identification which we can match against our existing records. For more information about this, including the types of ID we collect, please see our data protection and subject access requests page.
The team does not routinely collect special category personal data. However, it is recognised that in order to handle requests and concerns then the team may need to process data considered to be ‘special category’. These include, but not necessarily limited to, details about: criminal conviction history, religious or philosophical beliefs, political opinions or affiliations, trade union membership, mental or physical health, sexual life or sexual orientation, race or ethnic origin.
Why do we collect your personal information and what is our lawful basis for processing?
We require your personal information so that the team can facilitate an information governance service to the council. This includes using your personal data to monitor, track and respond to information requests, locate your records in the council, investigate any data protection concerns and validate your identity.
Service
Information governance
Purpose
The council’s information governance service is administered and run by Veritau. The information governance team are responsible for:
- co-ordinating requests for information under the Freedom of Information (FOI) Act 2000 or Environmental Information Regulations (EIR) 2004
- co-ordinating data protection requests under the Data Protection Act 2018
- handling data protection complaints and concerns
- handling and investigating data breaches
- liaising with the Information Commissioner’s Office (the UK data protection regulator) and any other relevant regulator
- overseeing the council’s information governance strategy
Lawful basis
UK GDPR Article 6 (1) (c) – processing is necessary for compliance with a legal obligation to which the controller is subject
When processing special category data, the council will rely on the following lawful basis:
UK GDPR Article 9 (2) (g) – processing is necessary for reasons of substantial public with processing meeting Schedule 1, Part 2 of the Data Protection Act 2018 as below:
- (6) Statutory and government purposes
How long do we keep your information for?
Information governance
| Data held | Retention period |
|---|---|
| Copies of identification documents | Destroyed upon validation (but a record of what documents and who validated will be kept with your request) |
| FOI or EIR requests and internal reviews | 3 years upon closure |
| Data protection requests, concerns/complaints and internal reviews | 3 years upon closure |
| All requests that have been examined by the information commissioner’s office | 5 years following closure |
| All requests that have been examined by the information tribunal | 6 years upon closure |
| Data breach investigation reports. When a record reaches its retention date we will destroy any paper and/or electronic information affiliated with the request. However, we will keep a skeleton record of your request (which will not include any information that could identify you) indefinitely for audit and statistical purposes. |
6 years upon closure |
Other relevant transparency information
For more information about how we use your data, including your privacy rights and the complaints process, please see our corporate privacy notice.