We regularly update our Privacy Notice; it was last updated in October 2023.
When we use your personal data, Speak Up complies with the Data Protection Act 2018, and is the registered ‘controller’. Our data protection notification is registered with the Information Commissioner’s Office (ICO), reference: Z5809563.
To make it clear how we collect and use your personal data, and to help you understand your rights, we've divided our Privacy Notice into the following areas:
If you have questions about this privacy notice, want to exercise any of your legal rights, or you have a complaint about how your personal data has been used, email: [email protected] or telephone: 01904 552550.
'Personal data' is any information that relates to an identifiable living person; whether they are identified directly or indirectly by reference to a name, identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
For the purposes of data protection legislation the term 'personal data' also includes:
The information we collect about you will include, but is not limited to:
Personal data doesn't include information relating to deceased people, groups or communities of people, organisations or businesses, nor to data relating to criminal convictions and offences.
However, similar safeguards apply to data processing in those fields.
Find out about the non-personal data we hold and process. *** DELETE IF APPLICABLE***
When we collect your personal data we will:
We ask that you give us accurate information, notify us of any mistakes, and tells us as soon as possible of any changes.
We'll use your information to:
We use your personal information to ensure that we meet all of our legal and statutory duties including, but not limited to, those which apply under the following legislation and/or contractual agreements:
We will only keep your personal information for as long as is necessary and then we will delete or destroy it securely.
At the end of any defined data retention period, we may pass any relevant information to the City Archives where it is required or appropriate to do so.
We may process your personal data using services hosted outside the European Economic Area, but only where a data processing agreement is in place that complies with obligations equivalent to the principles of the Data Protection Act 2018.
OR (DELETE AS APPROPRIATE)
As a rule, we do not transfer your personal data to third party processors outside the European Economic Area (EEA).
*** Delete if galaxy not using Zoom ***
We may use Zoom Pro or Business version of Zoom (version 5) to host some public facing meetings, training sessions etc across different services in the council. Where these meetings are recorded, recordings will be kept locally on our server and will not be retained by Zoom.
Some personal data will be stored securely on Zoom’s system in the USA (that is, outside the EEA) in compliance with the EU, USA Privacy Shield Framework. This data may include a user's:
Zoom does not sell personal data to third parties; collects only the personal data required to provide Zoom services; and retains that data only for so long as is necessary for the provision of those services.
If we wish to use your personal data for a new purpose, not covered by this Privacy Notice, then we'll provide you with a new notice.
The new notice will:
Where and whenever necessary, we'll seek your consent to the new processing, if we start to use your personal data for a purpose not mentioned in this Privacy Notice.
When we collect your personal data we'll tell you how we are going to use it. Where we process your personal data, you have a number of rights under data protection law.
You have the right to be told how your personal data will be processed. This right applies whether or not you supply your personal data to us, or whether we obtain your data from a third party. We'll inform you how we're processing your data using privacy notices, to explain what we are doing with your personal data and why.
You have the right to request access to personal data held about you; this is also known as making a 'Subject Access Request' (SAR).
If your personal data is inaccurate or incomplete, you have the right to ask for this to be rectified. We'll always comply with a request for rectification, unless there is a legal reason why we can’t (for example, if the information held is for evidential purposes and was accurate at the time of collection). Where we can’t rectify your information we'll provide an explanation.
You have the right to ask for any information held about you to be erased - sometimes referred to as the “right to be forgotten". We must legally erase any information where there is no compelling reason for us to be processing it. Where we cannot comply with a request to erase your information we'll provide an explanation.
You have the right to ask for the processing of your personal data to be blocked or suppressed. This right is similar to asking for your data to be erased, but in this instance, it means that we can only store/hold your information and can’t process it in any other way. For example,
Where we cannot comply with a request for restriction of processing because there is a legal reason not to, we'll provide an explanation.
You have the right to object to certain types of processing of your personal data. If you object to the processing of your information and there is a legal reason why we cannot comply we'll provide an explanation.
There are some limited circumstances where you have the right to ask us to transfer your personal data to another organisation. However, to exercise this right the following criteria must apply:
We do not believe that any type of processing that we carry out would fall within these criteria. However, we'll always comply with requests to provide your data where possible, and if we cannot we'll provide an explanation.
Automated decision making is purely carried out by a computer system with no human intervention. For example when you apply for credit, a computer system may decide that you're not eligible. We very rarely carry out automated decision makings without any human intervention. However, where we have made an automated decision about you, you have the right to object to this. We'll tell you where we are making automated decisions about you.
If you have a concern about the way we handle your personal data, contact the Information Commissioner's Office (ICO). If the ICO thinks we have not complied with legal obligations they can give us advice and ask us to solve the problem. The ICO cannot award you compensation, their main aim is to improve the information rights practices of organisations. The ICO will not usually investigate concerns where there has been an undue delay in bringing it to their attention and so you should raise your concerns with them within 3 months of your last contact with us about your concern.
There are some circumstances where other laws prevent us from complying with some of your rights and where this is the case, we'll provide an explanation.
Find out more about your legal rights from the Information Commissioners Office (ICO).
If you want to exercise any of your legal rights, or if you have a complaint about how your personal data has been used, email: XXX, telephone: XXX or write to:
*** DELETE IF GALAXY NOT USING GOOGLE ANALYTICS *** Anonymous information about page visits is collected using Google Analytics.
Our website privacy notice does not cover external websites; we encourage you to read the privacy notices on any other websites you visit.
Our website also lists email addresses for external organisations (those addresses that don't contain 'york.gov.uk'); we cannot guarantee what will happen to your personal data if you email an external organisation.
By using our website you are consenting to certain types of cookie being placed on your device. See our Cookies Policy.
Where our website links to external resources or websites, these may add their own cookies. These are outside our control. Cookies can be disabled by changing the settings in your browser, but you may need to re-enter information at times.
The personal data you give to us when using our online payment system will only be used for the recording of your payment. We'll ensure that it is used for no other purpose and is not disclosed to a third party specifically other companies or individuals unless required to do so by law for the prevention of crime and the detection of fraud. We will hold it securely and only for as long as is needed. It will then be deleted in line with our retention and disposal policy and procedures.
Emails that we send to you or you send to us, may be retained as a record of contact and your email address stored for future use in accordance with our record retention schedules. If we need to email sensitive or confidential information to you, we may perform checks to verify the correct email address and may take additional security measures.
You will not receive unsolicited paper or electronic mail as a result of sending us any personal data while using our website, unless you have given us permission to do this.
We do not pass personal data to third parties for marketing, sales or any other commercial purposes without your prior explicit consent.
If we have to share your personal data externally, we require any third party to comply with the principles of data protection legislation, and our procedures and instructions, when they use your information on our behalf.
See details of our Caldicott Guardians, responsible for protecting the confidentiality of people’s health and care information, and making sure such data is used properly.