Shared health and safety services privacy notice

This privacy notice is designed to help you understand how and why the shared health and safety service processes your personal data. This notice should be read in conjunction with the council's corporate privacy notice.

Who are we?

North Yorkshire Council is a ‘Data Controller’ as defined by Article 4(7) of the UK General Data Protection Regulation (UK GDPR). The Shared Health and Safety Service acts as the source of competent health and safety advice in accordance with the Management of Health and Safety at Work Regulations.
The council has appointed Veritau to be its Data Protection Officer. Their contact details are:

Information Governance Office
West Offices
Station Rise
North Yorkshire


Tel: 01904 552848

What personal information do we collect?

The Shared Health and Safety Service collects personal information following an accident or an incident, or after an individual specific risk assessment or if the Multi Agency Public Protection Arrangements (MAPPA) identify an individual as a threat to staff. This will include the name, address and contact details of the subject of the accident, incident, or risk assessment, and may contain information of injuries and/or medical conditions if appropriate. This also includes of the names of individuals who have been abusive, threatening and or violent towards staff. 

Why do we collect your personal information?

The council has statutory responsibilities in relation to health and safety and in some cases needs to collect personal data in order to fulfil these responsibilities. This information may include, but is not limited to:

  • personal information including name, address and date of birth
    • For those individuals who may pose a risk to staff this may also include alias names and associated addresses
  • IP address
  • witness statements
  • medical information relevant to the injury
  • relevant correspondence/records (e.g. emails, risk assessments, previous incident reports)
  • training and other similar records
  • CCTV

Who do we share this information with?

As well as the investigating officers and others who are party to the investigation (such as managers), Senior Managers who have to ensure controls are implement, the Council may also share this information with individuals within the HR Team, Unison Representatives, and if appropriate insurance/legal advisors.

How long do we keep your information for?

Data Held Retention period
Accident/Incident Records including investigation reports and supporting documentation

In accordance with legal requirements depending upon circumstances of the incident.

Children’s information must be kept until their 21st birthday (or to their 28th birthday if the young person has special educational needs.) Adults’ information must be kept for three years after the incident. Information relating to asbestos or other health-related incidents is kept for 40 years.

Individual risk assessments Fire risk assessment - 6 years 
Risk assessments on asbestos - 60 years
Those individuals who may pose a risk to staff In accordance with the retention periods contained within the Violence and Aggression to Staff Health and Safety Arrangements that is:
Children/Young Persons under 18 (only in exceptional circumstances with authorisation of an Assistant Director from Childrens Services) - 1 year
Verbally abusing staff - 1 year
Threats to assault staff/harassment - 2 years
Member of staff threatened with a weapon - 2 years
Actual violence (where police have been involved) - 5 years
Multi Agency Public Protection Arrangements (MAPPA) Offender - Dependent on licence plus 3 years 

What is our lawful basis for processing your information?

North Yorkshire Council relies on the following lawful basis to process your personal data:

UK GDPR Article 6(1)(c) The processing of your personal information is necessary for compliance with a legal obligation to which the controller is subject. The source act for health and safety is the Health and Safety at Work etc Act 1974 and regulations made under this act.

When processing special category data, the Council will rely on the following lawful basis:
UK GDPR Article 9(2)(g) The processing is necessary for reasons of substantial public interest, meeting Schedule 1, Part 2 of the Data Protection Act 2018 as below:

•    (6) Statutory and government purposes

For more information about how we use your data, including your privacy rights and the complaints process, please see our corporate privacy notice.