City of York Council (CYC) current data protection notification is registered with the Information Commissioner’s Office (ICO) – reference Z5809563. We created this privacy notice in August 2023 and will keep it under regular review.
CYC is committed to ensuring that personal data is handled in accordance with the principles set out in data protection legislation and guidance from the Information Commissioner’s Office (ICO).
This privacy notice tells you what to expect when we collect personal information about you and applies to the administration and management of the Fund, or those participating in UK SPF funded services and activities.
CYC is the controller for the personal data we process unless we specifically state otherwise in this privacy notice.
If you have any questions about this Privacy Notice contact the council’s Data Protection Officer.
This privacy notice should be read in conjunction with other relevant specific privacy notices that are available at our privacy notice such as;
When appropriate we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this privacy notice.
- How we collect your information
- What personal data we process and why
- Automated decision-making
- Collecting information automatically
- Childrens information
- Lawful basis for processing your personal data
- How long we keep your personal data
- Data sharing
- Data processors and third parties
- Transfers of personal data
- How we protect your personal data
- Your rights in relation to this processing
How we collect your information
CYC will be the lead authority for the City in the administration of £5.1m of Government funding for the local area. Elements of the Programme are administered and managed by both CYC and third parties.
To allot this funding, CYC has already received expressions of interest pitching project ideas in a bid to win a share of this money available through open competition.
Both CYC and the third parties may ask questions about your business, as well as personal information about you as an individual.
Where we use Eventbrite, you can find out how they use your information at Eventbrite Privacy Policy.
Where we use Survey Monkey, you can find out how they use your information, at Survey Monkey Privacy Policy.
What personal data we process and why
The information we will collect is to ensure you are eligible to take part in the UK SPF funded services or activity for which you have applied. It will include both personal and certain “special category” data such as:
- demographic and company information about your business
- contact names, addresses and email details
- extended (open-ended) responses that provide context to your answers, especially around the type of project suggested and how that fits with programme interventions
- key information on the deliverability of the project, strategic fit, impact, and value for money (not required at expression of interest stage)
- specific outputs and outcomes against set interventions (more detail needed than at expression of interest stage to satisfy government criteria)
- personal equality profiling information - this will tell us how well we have been able to reach and offer support to as many groups of people as possible
Automated decision-making
We do not carry out any automated decision-making without any human intervention in this Programme.
Collecting information automatically
Please see our cookies page for further information about the information we collect automatically when you use our website.
Childrens information
Where we provide services directly to children or young people, the information in the relevant parts of this notice applies to children and young people, as well as adults.
Lawful basis for processing your personal data
We collect and use your personal information as you have applied to participate in a service or activity provided by the UK SPF fund, and we need this information to ensure you meet eligibility criteria.
If you want to withdraw your participation at any time, please contact us at economicgrowth@york.gov.uk
This means we will use your information with your consent. This is our lawful basis and means it is done in accordance with
- Schedule 1 of the Data Protection Act 2018 (DPA 2018)
- UK GDPR Article 6(1)(a) – consent of the data subject
- UK GDPR - Article 9(2)(a) - Explicit consent of the data subject
Some of the Schedule 1 conditions for processing special category require an Appropriate Policy Document to be in place that sets out and explains the procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data. This document explains this processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018 and supplements this privacy notice. You can find this at Our Appropriate Policy Document.
How long we keep your personal data
We will keep the information you give us for up to three years or until the end of the UK SPF Programme. It will then be securely and confidentially destroyed.
Data sharing
Your data will be seen by either the third party responsible for delivering UK SPF projects in which you are participating, or a team or individual from within the Council with the same responsibility.
Any personal information about individuals held by a third party will be held separately and will be shared with the Council via secure connections.
Information may be included in presentations, statistics, and reports. Any presentations, statistics and reports for publication or use outside of the authorised council staff, will be anonymised, and cannot be linked back to you or individuals. Reports containing anonymous information may also be shared with the public and other organisations.
We may use some information about your organisation and project in case studies, or as part of our reporting processes but we will ask for your consent for this.
In some circumstances, such as under a court order or safeguarding, we are legally obliged to share information. We may also share information about you with third parties including, government agencies and external auditors. For example, we may share information about you with HMRC for the purpose of collecting tax and national insurance contributions.
We will always satisfy ourselves that we have a lawful basis on which to share the information and document our decision-making and satisfy ourselves we have a legal basis on which to share the information.
Additionally, we are required under the Public Records Act 1958 (as amended) to transfer records to the City or National Archives (TNA) for permanent preservation. Full consideration will be given to Data Protection and Freedom of Information legislation when making decisions about whether such records should be open to the public.
The Council does not pass or sell personal data to third parties for marketing, sales, or any other commercial purposes
Data processors and third parties
Where we use data processors or third parties to provide elements of this Programme, we have contracts or agreements in place with them.
Transfers of personal data
CYC does not routinely transfer personal data outside of the UK but when this is necessary, we ensure that we have appropriate safeguards in place and that is done in accordance with the UK data protection and privacy legislation.
How we protect your personal data
CYC is committed to keeping your information safe and secure. There are several ways we do this, such as:
- IT security safeguards such as firewalls, encryption, and anti-virus software
- on-site security safeguards to protect physical files and electronic equipment
- training for all staff and elected councillors
- policies and procedures
Your rights relating to personal data
To find out about your rights under data protection law, you can go to the Information Commissioners Office (ICO) website.
See further details of your rights relating to personal data.
If you have any questions about this Privacy Notice, want to exercise your rights, or if you have a complaint about how your information has been used, please contact the Data Protection Officer.
Also see
- Website terms and disclaimer
- Data Protection Policy Statement
- Accessibility statement
- Cookies policy
- Copyright statement