City of York Council (CYC) complies with the UK General Data Protection Regulations (UK GDPR) and the Data Protection Act 2018, and is registered with the Information Commissioner’s Office (ICO), reference: Z5809563.
We regularly review this privacy notice, and it was last updated in November 2023.
CYC is committed to ensuring that information is handled in accordance with the principles set out in data protection legislation and guidance from the Information Commissioner’s Office (ICO).
This Privacy Notice explains how and why we process your information, under Part 3 of the Data Protection Act 2018 for law enforcement purposes and the steps we take to keep your information safe.
CYC is the controller for the personal data we process, unless otherwise stated. You can contact the council’s Data Protection Officer at:
West OfficesStation Rise
York
YO1 6GA
Telephone: 01904 554145.
Email: information.governance@york.gov.uk.
You can find more information about the role of the Data Protection Officer in our Data Protection Policy Statement.
This privacy notice should be read in conjunction with other relevant specific privacy notices that are available in our Privacy Notice.
When appropriate we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this privacy notice.
- How we collect your information
- What personal data we process and why
- Automated decision-making
- Collecting information automatically
- Children's information
- Lawful basis for processing your personal data
- How long we keep your personal data
- Data sharing
- Data processors and/or third parties
- Transfers of personal data
- How we protect your information
- Your rights in relation to this processing
How we collect your information
We get information about you from the following sources:
- directly from you
- from our social care teams
- Department for Work and Pensions (DWP)
- third parties or organisations acting on your behalf for example, citizens advice, advocacy services or other charitable organisations.
- From medical service organisations, for example a GP, hospital, or physiotherapist
What personal data we process and why
The Blue Badge scheme is a central government directive owned by the Department for Transport (DfT); however, each local authority is responsible for holding the information for their customers.
We process the following personal data and special category data when you apply for and use a Blue Badge:
- name
- address
- contact details (email address and phone numbers)
- date of birth
- gender
- town and country of birth
- marital Status
- National Insurance Number
- vehicle registration number (if applicable)
- previous Blue Badge details (if applicable)
- proof of identity (such as driving licence, passport)
- proof of address (such as council tax bill, utility bill)
- details of any person or organisation applying on your behalf
- details of any person with legal responsibility for you
- any other personal information that you may supply in your supporting documentation
We will also collect the following special category data:
- photograph
- details about your disability, health or long-term condition, pain medication and assessment of your walking ability.
- evidence to support your eligibility for a Blue Badge (such as Certificate of Visual Impairment, evidence of entitlement to benefits or allowances you receive relating to your personal needs)
- payment details may be taken if you pay by card
When using your Blue Badge to access the city centre to be dropped off or picked up we may also collect:
- name of the person driving
- registration number of the car
- time of drop-off and collection
We will use your information to:
- process your application
- process the Blue Badge payment
- answer any appropriate questions relating to your application or use of a Blue Badge
- assess your application to see whether it meets one of the automatic qualifying criteria, or if further assessment is required
- provide you with any relevant advice
- investigate any instances where a Blue Badge is allegedly being misused
- carry out our enforcement functions
- send you letters, email notifications and process online payments
- create a secure record of your application on our Case Management System (CMS)
- maintain a register showing the holders of Blue Badges issued by the council and link this to the central badge register called “Manage Blue Badges”
Following assessment of your application for a Blue Badge, you may be asked to attend (by telephone or in person) an assessment with an expert assessor, where further information may also be gathered. We will ask you to participate in an assessment, you are not required to do so but it may affect the outcome of your application if you do not participate.
Automated decision-making
We do not carry out any automated decision-making without any human intervention in providing this service.
Collecting information automatically
Please see our Cookies Policy for further information about the information we collect automatically when you use our website.
Children’s information
Where we provide services directly to children or young people, the information in the relevant parts of this notice applies to children and young people, as well as adults.
Lawful basis for processing your personal data
Any personal data including special category data and criminal offence data that we process about individuals is done so in accordance with Article 6, 9 and 10 of the UK GDPR and Schedule 1 of the Data Protection Act 2018 (DPA 2018).
The legal basis for processing your personal data is in accordance with the following:
- 6(1)(c) - Processing is necessary for compliance with a legal obligation
- Article 6(1)(e) - Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
This is supported by the following legal framework:
- Blue Badge (Disabled Persons’ Parking) Scheme introduced under Section 21 of the Chronically Sick and Disabled Persons Act 1970
- Disabled Persons (Badges Act 2013 for Motor Vehicles) (England) (Amendment) Regulations 2019
The legal basis for processing your special category data is in accordance with the following:
- 9(2)(g) - Processing is necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards
This is supported by Schedule1, Part 2 (6) of the Data Protection Act 2018 and the following legal framework:
- Blue Badge (Disabled Persons’ Parking) Scheme introduced under Section 21 of the Chronically Sick and Disabled Persons Act 1970
- Disabled Persons (Badges Act 2013 for Motor Vehicles) (England) (Amendment) Regulations 2019
Where we process personal data relating to criminal convictions and offences, this is also under Article 10 UK GDPR that covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences, or proceedings for an offence committed or alleged to have been committed, including sentencing.
Some of the Schedule 1 conditions for processing special category and criminal offence data require an Appropriate Policy Document to be in place, which sets out and explains the procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data. This document explains this processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018 and supplements this privacy notice.
Our Appropriate Policy Document provides further information about this processing.
How long we keep your personal data
Blue Badges expire after 3 years. You will need to reapply for your Blue Badge and submit a new application before it has expired.
When a badge has expired or has been cancelled, your information will be destroyed 24 months from the date the badge has expired. If a badge is cancelled due to alleged misuse, we must keep the information for 24 months in case this decision is appealed and ultimately revoked. In the event of the alleged misuse being investigated by the council’s fraud team, your information will be retained for 6 years from the date the investigation is closed.
If an application has been refused, we will still keep your information for 12 months to allow for any appeals or subsequent applications to be considered accurately and effectively.
Data sharing
We will share your information with third party external organisations to process your application and monitor access to the city centre. These are listed below.
We will also share your information with other council services in order to protect the integrity of the Blue Badge service and to investigate any potential misuse of a Blue Badge where appropriate, including:
- Veritau, our fraud team
- Parking Services, for enforcement and administration
- Gough and Kelly, the company used to manage access to the city centre by Blue Badge holders
In some circumstances, such as under a court order or safeguarding, we are legally obliged to share information. We may also share information about you with third parties including our data processors, government agencies and external auditors.
We will always satisfy ourselves that we have a lawful basis on which to share the information and document our decision-making.
Additionally, we are required under the Public Records Act 1958 (as amended) to transfer records to the City or National Archives (TNA) for permanent preservation. Full consideration will be given to Data Protection and Freedom of Information legislation when making decisions about whether such records should be open to the public.
Data processors and/or third parties
The following are a list of third-party external organisations who we work with in connection with Blue Badges:
- Department for Transport (DfT)
- Department for Work and Pensions
- NEC Software Solutions
- Valtech - the company managing the Central Blue Badge register called ‘Manage Blue Badges’
- APS Group - the printer and distributer of Blue Badges
- Access Independent - Independent Mobility Assessment providers
- GOV.UK - the central government website which allows you to apply online
- Government Digital Service - used for sending email notifications and for processing online payments
Transfers of personal data
We don’t routinely transfer personal data outside of the UK but when this is necessary we ensure that we have appropriate safeguards in place and that is done in accordance with the UK data protection and privacy legislation.
How we protect your information
We're committed to keeping your information safe and secure. There are several ways we do this, such as:
- IT security safeguards such as firewalls, encryption, and anti-virus software
- on-site security safeguards to protect physical files and electronic equipment
- training for all staff and elected councillors
- policies and procedures
Your rights in relation to this processing
To find out about your rights under data protection law, you can go to the Information Commissioner's Office website.
You can also find information about your rights in our Privacy Notice.
If you have any questions about this privacy notice, want to exercise your rights, or if you have a complaint about how your information has been used, please contact us on email: information.governance@york.gov.uk, or on telephone: 01904 554145, or write to:
Data Protection OfficerCity of York Council
West Offices
Station Rise
York YO1 6GA