Public Health Privacy Notice

City of York Council (CYC) current data protection notification is registered with the Information Commissioner’s Office (ICO) – reference Z5809563. We regularly review this privacy notice, and it was last updated in February 2025.

CYC is committed to ensuring that personal data is handled in accordance with the principles set out in data protection legislation and guidance from the Information Commissioner’s Office (ICO).

This privacy notice tells you what to expect when we process your personal information.

CYC is the controller for this information unless we specifically state otherwise in this privacy notice.

You can contact the council’s Data Protection Officer at email: information.governance@york.gov.uk or telephone: 01904 554145, or write to:

This privacy notice should be read in conjunction with other CYC privacy notices that are available in our Privacy Notice and/or policies and procedures.

When appropriate we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this privacy notice.

• How we collect your information
• What personal data we process and why
• Automated decision-making
• Collecting information automatically
• Children's information
• Lawful basis for processing your personal data
• How long we keep your personal data
• Data sharing
• Data processors and/or third parties
• Transfers of personal data
• How we protect your information
• Your rights in relation to this processing

How we collect your information

We get information about you from the following sources:

• directly from you
• from third parties acting on your behalf such as family member(s) and advocates
• from our commissioned partners or contractors who undertake work on our behalf
• from external agencies and government departments such as other councils; the NHS; Department of Health and Social Care (DHSC)
• from local pharmacies and hybrid providers
• from Primary Care Mortality Database (PCMD
• from birth files
• from death data

Top of page

What personal data we process and why

To deliver CYC’s public health services, we need to process your personal data and ‘special category’ data such as:

• name
• address
• age
• sex
• sexual orientation
• race
• religion or belief
• disability

Where it is appropriate to, we may also process:

• information relating to criminal convictions and offences, this includes details of any past criminal convictions or offences
• disease
• use of hospital services
• NHS Number
• mortality data as provided at the time of registration of the death for example, age, sex, area; cause of death; GP details; geographical indexing
• coroner details where applicable
• birth data as provided at the time of registration for example, date of birth; sex; birth weight; address; postcode; place of birth; stillbirth indicators; age of mother

We process your information because since April 2013 the Health and Social Care Act 2012 has given local authorities the power to perform public health functions. This means that we have "a duty to improve the health of the people and responsibility for commissioning appropriate public health services" for:

• residents of York
• people receiving health and care services in York
• people who work or attend schools in York
• people who attend our public health training eg frontline workers and volunteers

We will use information to create reports and statistics that are anonymous and cannot be linked back to you or to individuals, such as:

• statistical analysis
• statutory returns
• ensuring service quality

We may ask you to take part in surveys, consultation, or other events to get your feedback and opinions on our services. When we do this, we will ask for your consent. You can withdraw your consent at any time by:

• telephone: 01904 553866
• email: enquiries.publichealth@york.gov.uk

Top of page

Automated decision-making

We do not carry out any automated decision-making without any human intervention in Public Health.

Top of page

Collecting information automatically

Please see our Cookies Policy for further information about the information we collect automatically when you use our website.

Top of page

Children’s information

Where we provide services directly to children or young people, the information in the relevant parts of this notice applies to children and young people, as well as adults.

Top of page

Lawful basis for processing your personal data

Any personal data including special category data and criminal offence data that we process about individuals is done so in accordance with Article 6, 9 and 10 of the UK GDPR and Schedule 1 of the Data Protection Act 2018 (DPA 2018).

The legal basis for processing your personal data and special categories of personal data is in accordance with one or more of the following:

• Article 6(1)
  • (a) Consent: the individual has given clear consent for the council to process their personal data for a specific purpose.
  • (b) Contract: the processing is necessary for a contract the council has with the individual, or because they have asked the council to take specific steps before entering a contract.
  • (c) Legal obligation: the processing is necessary for the council to comply with the law (not including contractual obligations).
  • (d) Vital interests: the processing is necessary to protect someone’s life.
  • (e) Public task: the processing is necessary for the council to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
  • (f) Legitimate interests: the processing is necessary for the council’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
• Article 9(2)
  • (a) Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law
  • (b) carrying out obligations under employment, social security or social protection law, or a collective agreement
  • (c) to protect the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent
  • (g) substantial public interest (with a basis in which is proportionate to the aim pursued and which contains appropriate safeguards
  • (h) Health or social care (with a basis in law)
  • (i) Public health (with a basis in law)

This is supported by Schedule1, Part 2 (6) of the Data Protection Act 2018 and the legal framework in:

• The statutory responsibilities for public health services set out in the Health and Social Care Act 2012
• North Yorkshire Serious Violence Duty
• Where we process personal data relating to criminal convictions and offences, this is also under Article 10 UK GDPR that covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences, or proceedings for an offence committed or alleged to have been committed, including sentencing;

Some of the Schedule 1 conditions for processing special category and criminal offence data require an Appropriate Policy Document (APD) to be in place, which sets out and explains the procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data. This document explains this processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018 and supplements this privacy notice

Our Appropriate Policy Document provides further information about this processing.

Top of page

How long we keep your personal data

We will only keep your information for as long as it is needed.

You can find more details about how long the council keeps records in the council retention schedule.

Top of page

Data sharing

We will only share your information where it is appropriate to, with:

• other CYC services
• other councils, government departments and agencies
• other organisations such as NHS
• third parties including our data processors, partners or contractors, who undertake work on our behalf
• internal and external auditors

In some circumstances, such as under a court order or safeguarding, we are legally obliged to share information.

We will always satisfy ourselves that we have a lawful basis on which to share the information and document our decision-making.

Additionally, we are required under the Public Records Act 1958 (as amended) to transfer records to the City or National Archives (TNA) for permanent preservation. Full consideration will be given to Data Protection and Freedom of Information legislation when making decisions about whether such records should be open to the public.

Top of page

Data processors and/or third parties

Where we have third parties providing parts or all of our services for us, we have contracts in place with them. These are listed below:

• local pharmacies and hybrid providers to supply Healthy Start vitamins to those who are eligible under the National Healthy Start Scheme. You can find out how your information is used through the Healthy Start Privacy Notice (NHSBSA)
• to enable your HENRY trained Coordinators and Facilitators to access information to support the management and review of HENRY programmes delivered by them. You can find out how your information in the HENRY Privacy Policy
• Specialist Integrated Sexual Health Services including Domestic Abuse Enquiries. Read the York and Scarborough Teaching Hospitals NHS Foundation Trust Privacy notices

Where we use:

• Survey Monkey to conduct surveys, you can find out how they use your information by viewing the Survey Monkey Privacy Notice
• Microsoft 365 (MS365) teams, you can find their privacy details at Microsoft Privacy Statement
• MS 365 Teams to provide secure online conversations and or to record and or transcribe meetings and you can find out more about this at City of York Council Microsoft Office 365 (MS365) Teams Meeting including recording and transcription privacy notice
• WhatsApp to contact you. You can find out how they use information in the WhatsApp Privacy Policy
• Eventbrite for arranging and organising events etc. You can find out how they use information in the Eventbrite Privacy Policy
• Zimma Ltd trading as Ticket Tailor for arranging and organising events etc you can find out how they use your information in the Ticket Tailor Privacy Policy
• Granicus/Gov Delivery to send you updates, newsletters etc. You can find out how they use information in the Granicus Privacy Policy

Top of page

Transfers of personal data

We do not routinely transfer personal data, special categories of personal data or criminal offence data, outside of the UK but when this is necessary, we ensure that we have appropriate safeguards in place and that it is done in accordance with the UK data protection and privacy legislation.

Top of page

How we protect your information

We're committed to keeping your information safe and secure. There are several ways we do this, such as:

• IT security safeguards such as firewalls, encryption, and anti-virus software
• on-site security safeguards to protect physical files and electronic equipment
• training for all staff and elected councillors
• policies and procedures

Top of page

Your rights in relation to this processing

To find out about your rights under data protection law, you can go to the Information Commissioner's Office website.

You can also find information about your rights in our Privacy Notice.

If you have any questions about this privacy notice, want to exercise your rights, or if you have a complaint about how your information has been used, please contact us on email: information.governance@york.gov.uk, or on telephone: 01904 554145, or write to:

Top of page

Also see

• Website terms and disclaimer
• Data Protection Policy Statement
• Accessibility statement
• Cookies policy
• Copyright statement