Privacy notices

Our corporate privacy notice as well as service specific privacy information. Following Britain’s departure from the EU, all references to GDPR now refer to UK GDPR.

This privacy notice is designed to help you understand how and why North Yorkshire Council processes your personal data. This notice should be read in conjunction with the council’s service specific privacy notices.

Information here will help you understand how and why we process your personal data and relates to the whole council. We also have specific privacy notices for each area of the council, showing how each service within the council may process your data.

If you are a local authority employee, or if your employer buys HR services from us, then you may wish to read our employment specific privacy notices.

Corporate privacy notice information

Glossary: definitions of data protection terms and phrases

Term Definition
Personal data Any information related to a living person, that could be used to directly or indirectly identify that person.
Special category data

Special category data is personal data which is more sensitive, and so needs more protection. This could be:

  • race and ethnicity;
  • sex life or sexual orientation;
  • medical information (both physical and mental health);
  • religious or philosophical beliefs;
  • biometric data (thumb prints etc.);
  • genetics (DNA etc.);
  • trade union membership; or
  • political beliefs.
Data controller An organisation or individual that determines why personal data is been collected and is responsible for the security of that data.
Data processor A contractor, organisation or individual (not an employee) who uses personal data on behalf of the data controller.
Data processing Any action taken with personal data. This includes the collection, use, disclosure, destruction and holding of data.
Data subject A living person who the personal data is about.
Data protection officer The role of the data protection officer is to make sure that the organisation processes personal data in compliance with data protection law.
Consent A freely given choice about how personal data is used in an organisation (for example, opting in to marketing emails).

Who are we?

North Yorkshire Council is a ‘data controller’ as defined by Article 4(7) of the UK General Data Protection Regulation (UK GDPR). This means that we have a duty of care towards the personal data that we collect and use.

The council has appointed Veritau to be its data protection officer. Their contact details are:

Information Governance Office
West Offices
Station Rise
North Yorkshire


Tel: 01904 552848

What personal information do we collect?

In order to provide our services, we need to collect and use your personal data and sometimes your special category personal data.

There will be instances where we will anonymise your data. For example, in a survey we may not need your contact details. In which case, we'll only collect your survey responses.

Why do we collect your personal information?

We collect this data so that we can:

  • deliver, manage, and check the quality of services that we offer
  • investigate complaints or concerns raised by you or other individuals
  • assist with the research and planning of new council services

Who has access to your personal data within the council?

We may hold your name, contact details, and address on our databases so that we can provide services to you, and easily identify you if you contact us. This includes our customer contact system, departmental back office systems, and our online systems. Council officers may only access your personal data if they need it for a task they are working on. There are procedures and checks in place to ensure that our staff can not use your data for their own personal benefit.

Who do we obtain your information from?

We collect your personal information directly from your or from your use of council services. However, to facilitate service provision and to enact our statutory functions, the council may obtain your personal data from third parties external to the council this includes but is not limited to:

  • police
  • charities
  • other local authorities
  • government agencies/departments for example, HMRC/DWP
  • judicial agencies for example, courts
  • members of the public
  • healthcare organisations

The service specific privacy notices, which can be navigated at the end of this notice, will list the third parties which the service area may obtain your information from.

Who do we share this information with?

Third party processors

In order to deliver the best possible service, we often use third party organisations. These organisations will sometimes need access to your personal data in order to complete their work. If we do use a third party organisation, we will always have an agreement in place to ensure that the other organisation keeps your data secure.

Other organisations

Sometimes we have to pass your data to other organisations. This could be because of a legal requirement or because a court orders us to do so. For example, we may need to share information with the police to help prevent or detect a crime. We may not have to tell you if we do share with other organisations in this way.

Statutory functions

Our internal auditors, counter fraud service, data protection officer, and external auditors may also have access to your personal data in order to complete their work. We will only share personal data with another organisation if we have a lawful basis to do so, and we will always keep records of when your data has been disclosed to another organisation.

National Fraud Initiative

We also collect and use your data for the national fraud initiative.

How do we protect your personal data?

We are committed to keeping the personal data that we hold safe from loss, corruption or theft. There are several ways we do this, including:

  • training for all staff and elected councillors on how to handle personal data;
  • policies and procedures detailing what council officers can and can not do with personal data
  • IT security safeguards such as firewalls, encryption, and anti-virus software
  • on-site security safeguards to protect physical files and electronic equipment

Do we transfer your data outside of the UK?

Generally, the information that the council hold is all held within the UK. However, some information may be held on computer servers which are outside of the UK. The council will take all reasonable steps to ensure your data is not processed in a country that the UK government does not see as ‘safe’. If the council do need to send your data out of the EU we will ensure it has extra protection from loss or unauthorised access.

How long do we keep your information for?

We will only keep your personal data for as long as it is needed for the purpose it was collected for, or for as long as is required by legislation. There are different retention periods for different types of information. The service specific privacy notices, which can be found at the end of this notice, will tell you how long each service area may keep your information for. Please be aware that some of these retention periods may need to be extended due to public inquires (such as the independent inquiry into child sexual abuse) or other external legal requirements.

What is our lawful basis for processing your information?

There are a number of lawful reasons for the council to collect and use your personal data. The service specific privacy notices, which can be navigated at the end of this notice, will tell you which lawful basis the council is relying on for that specific process.

Conditions for criminal offence data, enforcement investigations and prosecutions

Where we are undertaking an investigation we are processing personal information under Part III of the Data Protection Act 2018 (DPA) for law enforcement purposes. The six law enforcement principles are similar to UK GDPR’s, however the transparency requirements are different, due to the potential to prejudice an ongoing investigation in certain circumstances.

When processing sensitive data, we must be able to demonstrate that the processing is strictly necessary and satisfies one of the conditions in Schedule 8 of the DPA or is based on consent.

What are your data protection rights?

Data protection legislation gives you, the data subject, a number of rights in regard to your personal information. You can find out about your data protection and subject access rights here.

How can you complain about the way in which the council has handled your personal data?

If you have concerns about the way in which the council has handled your personal data then please contact our data protection officer (Veritau) at:

Data Protection Officer
Veritau Ltd
County Hall
Racecourse Lane

Telephone: 01904 55 2848

You can complain to the Information Commissioner’s Office (the data protection regulator) about the way in which we have handled your personal data:

First Contact Team 
Information Commissioner’s Office
Wycliffe House 
Water Lane 
Wilmslow Cheshire

Telephone: 03031 231113
Website: Information Commissioner’s Office

North Yorkshire Council is registered with the Information Commissioner's Office - Registration reference: Z5892471

View our details on the ICO register of data protection fee payers


Privacy notices from other areas of the council


Electoral services

Environmental health

Information governance



Revenues and benefits


Trading standards