Information governance privacy notice

This privacy notice is designed to help you understand how and why North Yorkshire Council processes your personal data. This notice should be read in conjunction with our corporate privacy notice.

Who are we?

North Yorkshire Council is a ‘data controller’ as defined by Article 4(7) of the UK General Data Protection Regulation (UK GDPR). The council’s information governance service is administered and run by Veritau. The information governance team are responsible for:

  • co-ordinating requests for information under the freedom of Information (FOI) Act 2000 or environmental information regulations (EIR) 2004
  • co-ordinating data protection requests under the data protection act 2018
  • handling data protection complaints and concerns
  • handling and investigating data breaches
  • liaising with the Information commissioner’s office (the UK data protection regulator) and any other relevant regulator
  • overseeing the council’s information governance strategy

Veritau is also the council’s appointed data protection officer. This function is carried out by the information governance team. Their contact details are:

Information Governance Office


West Offices

Station Rise


North Yorkshire



Tel: 01904 552848

What personal information do we collect?

For FOI/EIR requests we will collect your name, your contact details, your organisation (if applicable), and details of your request.

For all other functions we will collect your name, your contact details, your involvement with the council, and details of your request.

For some requests the team may need to validate your identity or your right of access in order to ensure it is only releasing personal information to authorised persons. To do this we will ask you to provide two forms of identification which we can match against our existing records. For more information about this, including the types of ID we collect, please see our data protection and subject access requests page.

The team does not routinely collect special category personal data. However, it is recognised that in order to handle requests and concerns then the team may need to process data considered to be ‘special category’. These include, but not necessarily limited to, details about: criminal conviction history, religious or philosophical beliefs, political opinions or affiliations, trade union membership, mental or physical health, sexual life or sexual orientation, race or ethnic origin.

Why do we collect your personal information?

We require your personal information so that the team can facilitate an information governance service to the council. This includes using your personal data to monitor, track and respond to information requests, locate your records in the council, investigate any data protection concerns, and validate your identity.

Who do we share this information with?

In order to provide an efficient and robust service the information governance team may need to share your personal data with other officers and service areas across the council. We will only do so if we can’t satisfy your request or concern internally.

Generally the information we hold about you will be kept within the council.

However, we may be required to disclose your personal information to regulatory bodies (for example the information commissioner’s office or the local government ombudsman) if a legal obligation compels us to do so.

If you make a request for information that the council does not hold then you may request us to transfer your request, including your personal data, to an authority that may hold the requested information. We will only do this upon your instruction.

How long do we keep your information for?

Data held

Retention period

Copies of identification documents

Destroyed upon validation (but a record of what documents and who validated will be kept with your request).

FOI or EIR requests and internal reviews

Three years upon closure

Data protection requests, concerns/complaints and internal reviews

Three years upon closure

All requests that have been examined by the information commissioner’s office

Five years following closure

All requests that have been examined by the information tribunal

Six years upon closure

Data breach investigation reports

Six years upon closure

When a record reaches its retention date we will destroy any paper and/or electronic information affiliated with the request. However, we will keep a skeleton record of your request (which will not include any information that could identify you) indefinitely for audit and statistical purposes.

What is our lawful basis for processing your information?

North Yorkshire Council relies on the following lawful basis to process your personal data:

  • UK GDPR Article 6 (1) (c) – Processing is necessary for compliance with a legal obligation to which the controller is subject

When processing special category data, the council will rely on the following lawful basis:

UK GDPR Article 9 (2) (g) – Processing is necessary for reasons of substantial public with processing meeting Schedule 1, Part 2 of the Data Protection Act 2018 as below:

  • (6) Statutory and government purposes

For more information about how we use your data, including your privacy rights and the complaints process, please see our corporate privacy notice.