City of York Council (CYC) complies with the UK General Data Protection Regulations (UK GDPR) and the Data Protection Act 2018, and is registered with the Information Commissioner’s Office (ICO), reference: Z5809563.
We regularly review this privacy notice, and it was last updated in November 2024.
CYC is committed to ensuring that information is handled in accordance with the principles set out in data protection legislation and guidance from the Information Commissioner’s Office (ICO).
This Privacy Notice explains how and why we process your information, under Part 3 of the Data Protection Act 2018 for law enforcement purposes and the steps we take to keep your information safe.
CYC is the controller for the personal data we process, unless otherwise stated. You can contact the council’s Data Protection Officer at:
West OfficesStation Rise
York
YO1 6GA
Telephone: 01904 554145.
Email: information.governance@york.gov.uk.
You can find more information about the role of the Data Protection Officer in our Data Protection Policy Statement.
This privacy notice should be read in conjunction with other relevant specific privacy notices that are available in our Privacy Notice.
When appropriate we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this privacy notice.
- How we collect your information
- What personal data we process and why
- Automated decision-making
- Collecting information automatically
- Children's information
- Lawful basis for processing your personal data
- How long we keep your personal data
- Data sharing
- Data processors and/or third parties
- Transfers of personal data
- How we protect your information
- Your rights in relation to this processing
How we collect your information
We get information about you from the following sources:
- When you contact us
- When we receive a referral from GP, setting etc.
- Your feedback when you attend groups or events
- Your feedback if you choose to take part in our surveys or consultation
- When you attend courses
The amount and type of personal data we collect from you will depend on why and how you are contacting or interacting with us at the Healthy Child Service, and the type of service you are requesting. You can contact or interact us via phone, email, online or in person.
What personal data we process and why
We process the following information:
- personal identifiers and contacts, such as name, unique pupil number, contact details and address
- information about the health, development, and social history of family members
- characteristics such as ethnicity, language, disability, and special educational needs
- courses, groups, and events attended.
If you choose to take part in our surveys or consultation, we will process your opinions, thoughts, and feedback about the service we have provided to you. You can withdraw your consent at any time by contacting: HCS-secure@york.gov.uk or telephone: 01904 555475.
We may contact you using SMS, email, telephone, or letter to contact you about the services available to you and your family. If you wish to stop receiving SMS or email messages from us, please contact us on email: hcs-secure@york.gov.uk, or telephone: 01904 555475.
The information we collect may be included in presentations, statistics, and reports. Any presentations, reports and statistics for publication or use outside of the authorised council staff, will be anonymised, and cannot be linked back to you, your family, or individuals. Reports containing anonymous information may also be shared with the public and other organisations.
Automated decision-making
We do not carry out any automated decision-making in Healthy Child Service.
Collecting information automatically
Please see our cookies page for further information about the information we collect automatically when you use our website.
Children’s information
Where we provide services directly to children or young people, the information in the relevant parts of this notice applies to children and young people, as well as adults.
Lawful basis for processing your personal data
Any personal data including special category data and criminal offence data that we process about individuals is done so in accordance with Article 6, Article 9 and Article 10 of the UK GDPR and Schedule 1 of the Data Protection Act 2018 (DPA 2018).
The legal basis for processing your personal data is in accordance with the following:
- Article 6(1) (a) Consent: the individual has given clear consent for us to process their personal data for a specific purpose.
- Article 6(1) (c) Legal obligation: the processing is necessary for us to comply with the law.
- Article 6(1) (e) Public task: the processing is necessary for us to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
The legal basis for processing your special category data is in accordance with the following:
- Article 9(2) (a) Explicit consent
- Article 9(2) (g) Reasons of substantial public interest (with a basis in law)
- Article 9(2) (h) Health or social care (with a basis in law)
This is supported by Schedule 1, Part 2 (6) of the Data Protection Act 2018 and the following legal framework and government guidelines on our statutory duties:
- the Childcare Act 2016
- Review of local government statutory duties: summary of responses
- Statutory duties placed on local government
Where we process personal data relating to criminal convictions and offences, this is also under Article 10 UK GDPR that covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences, or proceedings for an offence committed or alleged to have been committed, including sentencing.
Some of the Schedule 1 conditions for processing special category and criminal offence data require an Appropriate Policy Document (APD) to be in place, which sets out and explains the procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data. This document explains this processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018 and supplements this privacy notice.
Our Appropriate Policy Document provides further information about this processing.
How long we keep your personal data
We will keep your information in accordance with our retention schedule requirements and when we no longer have a need to keep it, we will delete or destroy it securely.
Your personal data will be held by the Healthy Child Service in “SystmOne”. You can download eDSM: Patient Leaflet (Implied consent) online using the TPP resources page.
Data sharing
We will only share your information with other teams at City of York Council, or external partners and agencies involved in delivering or evaluating the Healthy Child Service, for example:
- Early Years Providers, such as nurseries
- York NHS Foundation Trust
- Primary Care
In some circumstances, such as under a court order or safeguarding, we are legally obliged to share information. We may also share information about you with third parties including our data processors, government agencies and external auditors.
We will always satisfy ourselves that we have a lawful basis on which to share the information and document our decision-making.
Additionally, we are required under the Public Records Act 1958 (as amended) to transfer records to the City or National Archives (TNA) for permanent preservation. Full consideration will be given to Data Protection and Freedom of Information legislation when making decisions about whether such records should be open to the public.
Data processors and/or third parties
Where we have third parties providing parts or all of our services for us, we have contracts in place with them. These are listed below:
- We work in partnership with Nesta to conduct analysis and create datasets their privacy notice can be viewed here
- When we use MS Teams to speak to you securely online, we may record and or transcribe these and you can find out more about this at Microsoft Office 365 (MS365) Teams Meeting recording and transcription privacy notice.
- When we use Survey Monkey for our surveys or consultation, you can find out how Survey Monkey uses your information via their privacy policy. If you complete a paper survey, once you complete and return it to us, we will transfer the information you have given us onto the council’s secure network and then destroy confidentially the paper copy.
- When we use Zoom Video Communications Inc Pro or Business version (“Zoom”) (version 5), to speak to you or hold meetings, any recordings will be kept locally on our server and will not be retained by Zoom. You can find out how Zoom uses your information at their Privacy Statement.
Transfers of personal data
We don’t routinely transfer personal data outside of the UK but when this is necessary we ensure that we have appropriate safeguards in place and that is done in accordance with the UK data protection and privacy legislation.
How we protect your information
We're committed to keeping your information safe and secure. There are several ways we do this, such as:
- IT security safeguards such as firewalls, encryption, and anti-virus software
- on-site security safeguards to protect physical files and electronic equipment
- training for all staff and elected councillors
- policies and procedures
Your rights in relation to this processing
To find out about your rights under data protection law, you can go to the Information Commissioner's Office website.
You can also find information about your rights in our Privacy Notice.
If you have any questions about this privacy notice, want to exercise your rights, or if you have a complaint about how your information has been used, please contact us on email: information.governance@york.gov.uk, or on telephone: 01904 554145, or write to:
Data Protection OfficerCity of York Council
West Offices
Station Rise
York YO1 6GA