Personal Privacy Notice > Mayoral Combined Authority

The York and North Yorkshire Combined Authority (YNYCA) is a data controller as defined by Article 4(7) of the UK General Data Protection Regulation (UK GDPR). We have a duty of care to ensure that we use personal information fairly, correctly, and safely in line with the UK’s data protection laws. This privacy notice is designed to help you understand how and why we process your personal data.

North Yorkshire Fire and Rescue Service (NYFRS) and the York and North Yorkshire Office for Policing Fire and Crime Commissioner (OPFCC) are now part of the York and North Yorkshire Combined Authority, and the Combined Authority is the Data Controller for both.

York and North Yorkshire Growth Hub is a brand of the Combined Authority which remains the data controller and the responsible statutory body in relation to this brand.

This notice should be read with our other service/function supplementary privacy notices including privacy notices for NYFRS Privacy Policies and for the OPFCC – Privacy Policies

Employees of the YNYCA can also access employment related privacy notices here

Further information is also available here for NYFRS and here for the OPFCC.

Data Protection Officer

YNYCA has appointed Veritau to be its Data Protection Officer. Their contact details are:
Information Governance Office
Veritau
West Offices
Station Rise
York
North Yorkshire
YO1 6GA

Email: information.governance@veritau.co.uk
Tel: 01904 552848

Why do we collect your personal information?

We collect, process, and store a wide range of information, including personal information and sometimes your special category data to enable us to deliver our services and statutory functions efficiently. This means we collect and process various categories of personal information directly provided by you or from your use of services provided by us. This may include using paper, online forms, by telephone, email or in person.

This includes, but is not limited to information provided via:
• consultation responses
• complaints and feedback
• survey responses
• job applications and employee information
• applications for employment and skills related programmes.

We will limit the collection and processing of information to what is necessary to achieve one or more legitimate purposes as identified in this notice.

We will use your personal information for the purposes as described below and always in line with our responsibilities, and where reasonable your wishes, where there is a legal basis to use your personal information and in relation to your rights. We process personal information:
• For the purpose for which you provided the information;
• Support and manage our employees.
• To enable us to communicate with you, process requests and deliver services to you;
• To monitor our performance in providing services to you, to gather statistical information to allow us to plan future provision of services to and to obtain your opinion about our services;
• Support internal financial and corporate functions.
• To process financial transactions including grants, payments and benefits directly involving us or where we are acting on behalf of other government bodies such as Department for Work and Pensions;
• For general processing where you have given your consent for us to do so;
• Where we are under a duty in order to comply with legal obligations, or for us to seek legal advice or undertake legal proceedings;
• For the prevention and/or detection of crime and fraud prevention;
• Protect you or others from harm or injury.
• For marketing purposes to keep you updated on the latest news and services but only where you have consented to this;
• Performing our statutory functions in relation to transport planning, service improvement and economic regeneration of the region.
• Investigate complaints.
• Undertake research, carrying out surveys.
• To process applications for Combined Authority funded programmes including contacting applicants, assessing project applications, and sharing information with selected partners
involved in the delivery of programmes.

We may not be able to provide you with a service if we do not have enough information and, in some instances, your consent to use that information.

We aim to keep your information accurate and up to date. You can help us to do this by letting us know if any of the information you have given us, such as your address changes. Our contact details can be found later in this document.

What will we do with your information?

When deciding what personal information to collect, use and hold, we will:
• Only collect, hold, and use personal information where it is necessary and fair to do so;
• Keep your personal information safe and secure;
• Securely delete or destroy any personal information when we no longer need it;
• Consider your privacy when planning to use or hold your personal information in new ways, such as using new systems or improving the way we work.
• Be open with you about how we use your information and who we share it with; and make it easy for you to access and correct your personal information.

We may disclose personal information to a third party, but only where it is required by law, where that third party needs that information to provide you with a service on our behalf or where it is otherwise allowed under the Data Protection Act. We will strive to make sure that the third party has sufficiently robust system and procedures in place to protect your personal information.

Who do we obtain your information from?

We collect your personal information directly from you or from your use of YNYCA services. However, to facilitate service provision and to enact our statutory functions, we may obtain your
personal data from third parties external to YNYCA this includes but is not limited to:
• Police
• charities
• other local authorities
• third party organisations who we have commissioned to provide services.
• government agencies/departments for example, HMRC/DWP/DfE
• judicial agencies for example, courts
• members of the public

The service specific privacy notices, provide further details of third parties which the service area
may obtain your information from.

How long will we hold your information?

There is legislation which tells us how long we must keep some of your information. This can vary from 1 year up to 100 years depending on what the information relates to. We will only keep your personal data for as long as it is needed for the purpose it was collected for, or for as long as is required by legislation. There are different retention periods for different types of
information, based on the type of record, the nature of the activity, product, or service. Please be aware that sometimes retention periods may need to be extended due to public inquires, or other external legal requirements. The YNYCA retention schedule sets out the retention periods. We will always dispose of personal data in a secure manner.

Who do we share your information with?

We will not share your information with anyone outside of the York and North Yorkshire Combined Authority except:
• Where we have your permission
• Where the sharing is required for the service we are providing you
• Where we are required by law, court order and by law enforcement agencies, juridical bodies, government, tax authorities or other regulatory bodies. We may not have to tell you if we do share with other organisations in this way.
• With third parties, external partners, and agencies assisting us in delivering our service to you.
• For our statutory functions – Our internal auditors, counter fraud service, data protection officer, and external auditors may also have access to your personal data in order to complete their work.
• With external partners to improve, and advance, the service we provide to you.

Information will only be shared where it is necessary and permitted under the Data Protection Act. Any information shared will be proportionate and limited only to what is necessary.

YNYCA will ensure that the third party, external partners, or agencies have sufficient systems and procedures in place to prevent the loss or misuse of personal information. Sharing will only take place under strict contractual agreements and/or data sharing agreements to ensure that the other organisation keeps your data secure.

We will only share personal data with another organisation if we have a lawful basis to do so, and we will always keep records of when your data has been disclosed to another organisation.

We may also share information with credit reference agencies, service providers or contractors and partner organisations, where the sharing of information is necessary, proportionate, and lawful.

We also collect and use your data for the national fraud initiative to assist in the prevention and detection of fraud National Fraud Initiative – GOV.UK (www.gov.uk)

Your data protection rights

Under the UK GDPR and Data Protection Act (2018), you as the Data Subject, have the following rights. However, you should be aware that, due to the reasons that YNYCA may be processing your information we may not be able to comply with some requests due to legal obligations.

You have the right to:

1. Access – You have a right to get access to the personal information we hold about you.
2. Rectification – You have a right to ask us to rectify inaccurate personal information and to update incomplete personal information.
3. Erasure – You have a right to request that we erase your personal information. You may request that we delete your personal information if you believe that we no longer need to process your information for the purposes for which it was provided; you wish to withdraw your consent to the processing ; or we are not using your information in a lawful manner.
4. Restriction – You have a right to request us to restrict the processing of your personal information, if you believe that the data we hold about you is inaccurate, we no longer need
to process your information for the purposes for which it was provided, but you require the information to establish, exercise or defend legal claims; or we are not using your information in a lawful manner.
5. Portability – You have a right to data portability i.e., to receive the data in a portable format, where we have requested your consent to process your personal information or you have
provided us with information for the purposes of entering into a contract with us.
6. Objection – You have a right to object to the processing of your personal information and to request us to restrict processing, unless we can demonstrate compelling and legitimate
grounds for the processing, which may override your own interests, or where we need to process your information to investigate and protect us or others from legal claims.

Please note: that if you request us to restrict processing or erase your information, we may have to withdraw the services we provide to you.

Other rights

Automated decision making and profiling – you have the right not to be subject to solely automated decisions, including profiling, which have a legal or similarly significant effect on you.

Withdraw consent – You have a right to withdraw your consent at anytime where we rely on your consent to process your personal information.

If you wish to exercise any of these rights, please contact the Data Protection Officer whose contact details are provided below.

For more information on the GDPR and your rights go to the Information Commissioners website. Individuals Rights ICO

Our Lawful Basis for Processing personal data

In order to process personal data, we must have a valid lawful basis to do so. We will only process your information where it is necessary for us to carry out our lawful activities. We have described the lawful basis on which we rely to use your information below:

a) Contractual necessity -We may process your information where it is necessary to enter into a contract with you for the provision of a service or to perform our obligations under that
contract.
b) Legal obligation – When the processing is necessary for us to comply with the law.
c) Legitimate interests – We may process your information where it is in our legitimate interests do so as an organisation, and without prejudicing your interests or fundamental rights and freedoms.
d) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in York and North Yorkshire Combined Authority;
We may process your information where:
• we are exercising an official authority set out in law.
• to perform a specific task in the public interest that is set out in law.
e) Consent – You have given clear consent for us to process your personal data for a specific purpose.

More sensitive information or ‘special categories’ of information have stricter rules for processing according to Article 9 of the UK GDPR. These categories include:

• Race
• Ethnic origin
• Politics
• Religion
• Trade union membership
• Genetics
• Biometrics (where used for ID purposes)
• Health
• Sex life
• Sexual orientation.

Information on criminal offences is also considered a special category and must be processed according to Article 10 of the UK GDPR.

Detect and prevent fraud or crime

By law we have to protect the public funds we are responsible for. This means we may use the information you provide to prevent and detect fraud. This may involve sharing your information with organisations responsible for auditing or administering public funds including the Audit Commission, the Department for Work and Pensions, other public bodies, HM Revenue and Customs, and the Police.

Data matching may also be used to identify errors and potential frauds. This means that we take information from different places and put it together to give a better picture of what is happening. We may also take part in national data matching exercises undertaken by the Audit Commission.

Information may be shared with organisations such as the Police to prevent or detect crime, apprehend or prosecute offenders or prevent harm to an individual.

Transferring information overseas

Generally, the information that YNYCA holds is held in the UK. However, in some instances information may be stored on computer servers that are outside of the UK.

The YNYCA will take all reasonable steps to ensure that your data is not processed in a country that the UK government does not consider ‘Safe’.

If your personal information does require to be transferred outside the UK for processing or storage purposes YNYCA will ensure that additional safeguards are in place to protect it to the same standard we apply. These safeguards include:
• transferring to a country/organisation the UK has decided will protect your information adequately.
• the relevant data protection authority has authorised the transfer and/or
• an appropriate contract is in place with the organisation with which we are sharing (on terms approved by the UK Information Commissioner), to ensure your information is adequately protected).

Using personal information for marketing

We will only send you information about the services we provide where you have asked us to do so or, based on the information we hold, and those services are considered of benefit to you.

Your information may also be shared with other service providers who may contact you if they provide services to help you. You can opt out of this at any time by letting us know.

On our websites, you have the option to submit your email details to join our Newsletter/Marketing Database. We may ask you for additional details to help tailor your experience. These details are submitted and controlled by you at all times.

Details held for Marketing and Information Updates will be used for sending you relevant information. You have the ability to update your details at any time or unsubscribe from receiving
our emails by clicking the preference centre or unsubscribe link placed at the bottom of our emails.

Alternatively, you may contact us at enquiries@yorknorthyorks-ca.gov.uk to request we remove your details.

We will keep your details on our Marketing Database until you unsubscribe from our Database, or where you do not open emails for longer than 6 – 12 months in which case your details will be automatically removed.

We will not share any details given for marketing purposes with third parties.

We may from time to time send you information from our partners if we feel it is relevant to you.

How we protect your personal data

YNYCA are committed to keeping the personal data that we hold safe from loss, corruption, or theft. There are several ways we do this, including:
• training for all staff on how to handle personal data and cyber security;
• policies and procedures detailing what YNYCA officers can and cannot do with personal data including what happens if data security is breached.
• IT security safeguards such as firewalls, encryption, and anti-virus software
• ensuring staff only have access to the information they need to do their job. This means if they are not the right person in the right team, they will not be able to see your information.
• on-site security safeguards to protect physical files and electronic equipment.

Communications about our service

We may contact you with information relevant to the service we are providing you, a variety of means including via email, text message, post and/or telephone.

In some cases, we may monitor or record calls, emails, text messages, or other communications in accordance with applicable laws.

How to contact us

For more information about requesting access to or to stop processing of your personal information, or to raise a concern please contact the Data Protection Officer at:
• Email: information.governance@veritau.co.uk
• Telephone: Tel: 01904 552848
• Address: Data Protection Officer Information Governance Office, Veritau, West Offices, Station Rise, York, North Yorkshire, YO1 6GA

Your right to Complain

If you wish to raise a complaint on how we have handled your personal information, please contact our Data Protection Officer on the contact details provided above. If after we have tried to address your concerns, you remain unhappy you can contact the Information Commissioner’s Office (ICO).via the ICO’s website: https://ico.org.uk/make-a-complaint/

YNYCA is registered with the Information Commissioner’s Office – Registration reference: ZB656555

You can view our details on the ICO register of data protection fee payers here.

Equalities Information

We may use information such as your ethnic background, first language, gender, sexual orientation, and age gap to gather statistics about the population of the area and the take up of our services.

This is to help comply with our legal obligations and to plan the provision of services in the future.

Such analysis will not identify individuals or have impact on entitlement to services and facilities.

Changes to the way we use information

If we change the way we use your information, and we believe you may not reasonably expect such a change we will notify you and will allow a period of time to raise any objections before the change is made. However, please note that in some cases, if you do not agree to such changes it may not be possible for us to continue to operate your account and/or provide our service to you.

Changes to this Privacy Notice

We keep our privacy notice under regular review. This privacy notice was last updated November
2024.

Online

• Cookies – Cookies are small text files that are placed on your computer by some websites that you visit. They are widely used in order to make websites work, or to make them work more
efficiently, as well as to provide information to the owners of the site. Details about how we use Cookies can be found in our Cookies Notice here.
• Other websites – On our website you may find links to other external websites which we have provided for your information and convenience. This privacy notice applies solely to the York
and North Yorkshire Combined Authority. We are not responsible for the content of those sites. When you visit other websites, we recommend that you take time to read their own privacy notices.

Date: November 2024

Glossary of terms

Personal data – Any information related to a living person, that could be used to directly or indirectly identify that person.

Special category data – Special category data is personal data which is more sensitive, and so needs more protection. This could be:
• race and ethnicity;
• sex life or sexual orientation;
• medical information (both physical and mental health);
• religious or philosophical beliefs;
• biometric data (thumb prints etc.);
• genetics (DNA etc.);
• trade union membership; or
• political beliefs.

Data controller – An organisation or individual that determines why personal data is been collected and is responsible for the security of that data.

Data processor – A contractor, organisation or individual (not an employee) who uses personal data on behalf of the data controller.

Data processing – Any action taken with personal data. This includes the collection, use, disclosure, destruction and holding of data.

Data subject – A living person who the personal data is about.

Data protection officer – The role of the data protection officer is to make sure that the organisation processes personal data in compliance with data protection law.

Consent – A freely given choice about how personal data is used in an organisation (for example, opting into marketing emails).