City of York Council (CYC) complies with the UK General Data Protection Regulations (UK GDPR) and the Data Protection Act 2018, and is registered with the Information Commissioner’s Office (ICO), reference: Z5809563.
We regularly review this privacy notice, and it was last updated in July 2024.
CYC is committed to ensuring that information is handled in accordance with the principles set out in data protection legislation and guidance from the Information Commissioner’s Office (ICO).
This Privacy Notice explains how and why we process your information, under Part 3 of the Data Protection Act 2018 for law enforcement purposes and the steps we take to keep your information safe.
CYC is the controller for the personal data we process, unless otherwise stated. You can contact the council’s Data Protection Officer at:
West OfficesStation Rise
York
YO1 6GA
Telephone: 01904 554145.
Email: information.governance@york.gov.uk.
You can find more information about the role of the Data Protection Officer in our Data Protection Policy Statement.
This privacy notice should be read in conjunction with other relevant specific privacy notices that are available in our Privacy Notice.
When appropriate we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this privacy notice.
- How we collect your information
- What personal data we process and why
- Automated decision-making
- Collecting information automatically
- Children's information
- Lawful basis for processing your personal data
- How long we keep your personal data
- Data sharing
- Data processors and/or third parties
- Transfers of personal data
- How we protect your information
- Your rights in relation to this processing
How we collect your information
We get information about you from the following sources:
- directly from you
- application forms,
- CVs or resumes (if applicable)
- your passport or other identity documents such as driving licences.
- collected through interviews or other forms of assessment, including online tests
- surveys or feedback requests about our services
We also collect information about you from third parties, such as:
- references supplied by former employers
- information from online criminal records checks providers
We'll seek information from third parties only once a conditional job offer to you has been made.
In certain circumstances we may need to approach referees prior to the assessment process, however, you will be notified if this is the case.
We also collect information from our recruitment website which we are the sole owner of.
What personal data we process and why
We process the following personal data, special category data and possibly criminal offence data:
- your full name
- your address
- contact details, including email address and telephone number
- details of your qualifications, professional memberships, skills, experience, and employment history
- information about your current level of remuneration, including allowances and benefit entitlements.
- whether or not you have a disability for which we need to make reasonable adjustments during the recruitment process
- information about your entitlement to work in the UK
- criminal declaration of convictions (for specific roles)
- whether you're a member of the armed forces community
- whether you're a care leaver, or a carer of dependents
- equal opportunities monitoring information, including information about your marital status, nationality, gender, ethnic origin, sexual orientation, health, and religion or belief
- your opinions, comments, and feedback on our services if you choose to take part in our surveys
You are under no obligation to provide information for equal opportunities monitoring purposes and there are no consequences for your application if you choose not to provide such information.
If you're successful on being appointed our Employee Privacy Notice details what information is collected and how it's used during your employment.
We will use your information to:
- manage the recruitment and selection process
- progress your application
- assess your suitability for a role you have applied for
- decide to whom to offer a job
- help us to develop and improve our recruitment and selection process
- help us to fulfil legal or regulatory requirements if necessary
We may also need to use information from job applicants to respond to and defend against legal claims.
We offer apprenticeships across all our service areas and you can find out more at our Apprenticeships page.
We may use information to create reports and statistics that are anonymous and cannot be linked back to you or individuals such as:
- statistical analysis
- statutory returns
- audit framework
Automated decision-making
We do not carry out any automated decision-making without any human intervention in providing this service.
Collecting information automatically
Our recruitment website doesn't store or capture information of users with public access but does log the IP address of a visitor. This enables us to determine which pages are being viewed and helps us to improve our services.
Our recruitment website doesn't use cookies. However, where our website links to external resources or websites, these may add their own cookies. These are outside our control.
Cookies can be disabled by changing the settings on your computer browser, but you may need to re-enter information at times.
Please see our cookies page for further information about the information we collect automatically when you use our website.
Children’s information
Where we provide services directly to children or young people, the information in the relevant parts of this notice applies to children and young people, as well as adults.
Lawful basis for processing your personal data
Any personal data including special category data and criminal offence data that we process about individuals is done so in accordance with Article 6, Article 9 and Article 10 of the UK GDPR and Schedule 1 of the Data Protection Act 2018 (DPA 2018).
The legal basis for processing your personal data is in accordance with one or more of the following:
Article 6(1)
- (a) Consent: the individual has given clear consent for the council to process their personal data for a specific purpose.
- (b) Contract: the processing is necessary for a contract the council has with the individual, or because they have asked the council to take specific steps before entering into a contract.
- (c) Legal obligation: the processing is necessary for the council to comply with the law (not including contractual obligations).
- (e) Public task: the processing is necessary for the council to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
- (f) Legitimate interests: the processing is necessary for the council’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if to any of the council’s performance of official tasks.)
The legal basis for processing your special category data is in accordance with the following:
Article 9(2)
- (a) Explicit consent
- (b) Employment, social security, and social protection (if authorised by law)
- (g) Reasons of substantial public interest (with a basis in law)
This is supported by Schedule1, Part 2 (6) of the Data Protection Act 2018 and the following legal framework:
- Employment Relations Act 1999
- Trade Union and Labour Relations (Consolidation) Act 1992
- The Health and Safety at Work Act 1974
- The Rehabilitation of Offenders Act (1974)
- Access to Medical Reports Act 1998
- The Equalities Act 2010
Where we process personal data relating to criminal convictions and offences, this is also under Article 10 UK GDPR that covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences, or proceedings for an offence committed or alleged to have been committed, including sentencing.
Some of the Schedule 1 conditions for processing special category and criminal offence data require an Appropriate Policy Document (APD) to be in place, which sets out and explains the procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data. This document explains this processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018 and supplements this privacy notice.
Our Appropriate Policy Document provides further information about this processing.
How long we keep your personal data
We'll only keep unsuccessful applicant’s information for a period of 6 months from the date the recruitment campaign closes, with anonymised equal opportunities information being held outside of the system for a maximum of 12 months and then deleted or destroyed securely.
If your application for employment is successful, information gathered during the recruitment process will be transferred to your personnel file and retained during your employment and for a period of time after your employment ceases in line with our retention schedule. When we no longer have a need to keep it, we'll delete or destroy it securely.
Data sharing
Your information will be shared with other council services for the purposes of the recruitment and selection process. This includes:
- the recruitment and HR team
- shortlisting and interview panel members
- anyone else involved in the recruitment and selection or decision-making process
We will not share your information with third parties unless your application for employment is successful and we make you an offer of employment. We will then need to share your information with former employers to obtain references for you, and with the Disclosure and Barring Service to obtain necessary criminal records checks.
The exception to this is in the case of applications where you will be undertaking some training a part of your employment - for instance, an apprenticeship, where, prior to an offer being made, we may share your name and details of your qualifications with the training provider to enable them to confirm your eligibility for the training.
In some circumstances, such as under a court order or safeguarding, we are legally obliged to share information. We may also share information about you with third parties including our data processors, government agencies and external auditors.
We will always satisfy ourselves that we have a lawful basis on which to share the information and document our decision-making.
Additionally, we are required under the Public Records Act 1958 (as amended) to transfer records to the City or National Archives (TNA) for permanent preservation. Full consideration will be given to Data Protection and Freedom of Information legislation when making decisions about whether such records should be open to the public.
Data processors and/or third parties
Where we have third parties providing parts or all of our services for us, we have contracts in place with them. These are listed below:
- First Advantage Europe Limited – for the processing of DBS checks
- Medigold Health – for occupational health services including pre-employment health surveillance
- Provider of the online job vacancies portal – MidlandHR (iTrent)
If we use Microsoft Teams, to contact you, to gather information from you, or if we are recording or transcribing our discussion or meeting with you, we will let you know. You can find more details about this in the City of York Council Microsoft Office 365 (MS365) Teams Meeting recording and transcription privacy notice.
When we use SurveyMonkey for our surveys or consultation etc you can find out how they use your information at their Privacy Notice.
When we use Eventbrite for arranging and organising events etc you can find out how they use your information at their Privacy Policy.
Where we use Granicus/Gov Delivery to send you updates, newsletters etc you can find out how they use your information at their Privacy Policy.
Where we use WhatsApp, you can find out how they use your information at their Privacy Policy.
Transfers of personal data
We don’t routinely transfer personal data outside of the UK but when this is necessary we ensure that we have appropriate safeguards in place and that is done in accordance with the UK data protection and privacy legislation.
How we protect your information
We're committed to keeping your information safe and secure. There are several ways we do this, such as:
- IT security safeguards such as firewalls, encryption, and anti-virus software
- on-site security safeguards to protect physical files and electronic equipment
- training for all staff and elected councillors
- policies and procedures
Your rights in relation to this processing
To find out about your rights under data protection law, you can go to the Information Commissioner's Office website.
You can also find information about your rights in our Privacy Notice.
If you have any questions about this privacy notice, want to exercise your rights, or if you have a complaint about how your information has been used, please contact us on email: information.governance@york.gov.uk, or on telephone: 01904 554145, or write to:
Data Protection OfficerCity of York Council
West Offices
Station Rise
York YO1 6GA