Shared health and safety services privacy notice

This privacy notice is designed to help you understand how and why the shared health and safety service processes your personal data. This notice should be read in conjunction with our corporate privacy notice.

Who are we?

North Yorkshire Council is a ‘data controller’ as defined by article 4(7) of the UK General Data Protection Regulation (UK GDPR). The shared health and safety service acts as the source of competent health and safety advice in accordance with the management of health and safety at work regulations.

The council has appointed Veritau to be its Data Protection Officer. Their contact details are:

Information Governance Office
West Offices
Station Rise
North Yorkshire


Tel: 01904 552848

What personal information do we collect?

The shared health and safety service collects personal information following an accident or an incident, or after an individual specific risk assessment. This will include the name, address and contact details of the subject of the accident, incident, or risk assessment, and may contain information of injuries and/or medical conditions if appropriate.

Why do we collect your personal information?

The council has statutory responsibilities in relation to health and safety and in some cases needs to collect personal data in order to fulfil these responsibilities. This information may include but is not limited to:

  • personal information including name, address and date of birth
  • IP address
  • witness statements
  • medical information relevant to the injury
  • relevant correspondence/records (e.g. emails, risk assessments, previous incident reports)
  • training and other similar records
  • CCTV

Who do we share this information with?

As well as the investigating officers and others who are party to the investigation (such as managers), the council may also share this information with individuals within the HR team, unison representatives, and if appropriate insurance/legal advisors.

How long do we keep your information for?

Data Held

Retention period

Accident/Incident records including investigation reports and supporting documentation

In accordance with legal requirements depending upon circumstances of the incident.

Children’s information must be kept until their 21st birthday (or to their 28th birthday if the young person has special educational needs.) Adults’ information must be kept for three years after the incident. Information relating to asbestos or other health-related incidents is kept for 40 years.

Individual risk assessments

In accordance with legal requirements depending upon circumstances.

For example, information relating to a fire risk assessment should be kept for 6 years for insurance purposes, but risk assessments on asbestos must be kept for 60 years. If you would like to know the specific retention periods of a certain type of information please contact Stuart Langston,

What is our lawful basis for processing your information?

  • Article 6(1)(c) The processing of your personal information is necessary for compliance with a legal obligation to which the controller is subject - the source act for health and safety is the health and safety at work etc act 1974 and regulations made under this act
  • Article 9(2)(g) The processing is necessary for reasons of substantial public interest

For more information about how we use your data, including your privacy rights and the complaints process, please see our corporate privacy notice.