City of York Council (CYC) current data protection notification is registered with the Information Commissioner’s Office (ICO) – reference Z5809563. We created this privacy notice in June 2026 and will review it regularly.
CYC is committed to ensuring that your information is handled in accordance with the principles set out in data protection legislation and guidance from the Information Commissioner’s Office (ICO).
This privacy notice tells you what to expect when we process your information and it applies to Cultural Passport for Young People.
CYC is the controller for this information unless we specifically state otherwise in this privacy notice.
You can contact the council’s Data Protection Officer at:
West Offices
Station Rise
York
YO1 6GA
Telephone: 01904 555719
Email: [email protected].
This privacy notice should be read in conjunction with other CYC privacy notices and CYC policies and procedures.
When appropriate we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this privacy notice.
We get information about you from the following sources:
We will only process the information that is necessary such as:
We use your information to deliver the Cultural Passport for Young People programme. This includes the administration of our grant programme, which provides funding for young people in York and North Yorkshire Combined Authority area to access creative and cultural activities.
We will ask for your consent:
Find out how we use your information if you choose to subscribe to our newsletters or email updates, and how to unsubscribe.
Find detail of the Privacy Notice which covers attending an event at a council venue where our public space CCTV is used.
We may use Artificial Intelligence (AI) technologies to support or enhance council services. Where AI is involved in a process that directly affects your interaction with us, we will inform you before your user journey begins. This ensures transparency and helps maintain trust in how we use AI.
Our use of AI complies with the UK General Data Protection Regulation (UK GDPR), including the principles of lawfulness, fairness, transparency, accountability, and accuracy. We conduct Data Protection Impact Assessments (DPIAs) where AI systems are likely to result in high risks to individuals’ rights and freedoms, such as automated decision-making or profiling.
If generative AI tools are used, we do not use personal or end-user data to train AI models. This helps ensure compliance with the purpose limitation and data minimisation principles under UK GDPR.
Where AI tools are used solely by staff to assist with drafting, research, or accessibility - for example, to improve writing efficiency or summarise information - these uses do not form part of a business process that affects service delivery or decision-making. As such, no specific notification will be provided for these internal productivity uses.
These uses are considered low-risk and do not involve automated decision-making that produces legal or similarly significant effects. They are also subject to internal governance and safeguards to ensure responsible use.
Examples include:
We may use your information to create reports and statistics that are anonymous and cannot be linked back to you or individuals such as:
We do not carry out any automated decision making in our Cultural Passport for Young People programme.
Please see our cookies page for further information about the information we collect automatically when you use our website.
Where we provide services directly to children or young people, the information in the relevant parts of this notice applies to children and young people, as well as adults.
Any personal data and special category data that we process about individuals is done so in accordance with one or more of the following Articles 6 and 9 of the UK GDPR and Schedule 1 of the Data Protection Act 2018 (DPA 2018).
Article 6(1)
(a) Consent: the individual has given clear consent for the council to process their personal data for a specific purpose.
(e) Public task: the processing is necessary for the council to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for the council’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Article 9(2), Explicit consent
(g) Reasons of substantial public interest (with a basis in law)
This is supported by Schedule1, Part 2 (6) of the Data Protection Act 2018 and the following legal framework:
Some of the Schedule 1 conditions for processing special category and criminal offence data require an Appropriate Policy Document (APD) to be in place, which sets out and explains the procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data. This document explains this processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018 and supplements this privacy notice.
Our Appropriate Policy Document provides further information about this processing.
We will only keep your information for as long as it is needed then it will be securely and confidentially deleted or disposed of.
You can find details on how long the council keeps records in our retention schedule.
We will only share your information where it is appropriate to, with:
In some circumstances, such as under a court order or safeguarding, we are legally obliged to share your information.
We will always satisfy ourselves that we have a lawful basis on which to share the information and document our decision making.
Additionally, we are required under the Public Records Act 1958 (as amended) to transfer records to the City or National Archives (TNA) for permanent preservation. Full consideration will be given to Data Protection and Freedom of Information legislation when making decisions about whether such records should be open to the public.
When we have third parties providing parts or all of our services, systems, software, platforms, applications (apps) etc for us, we have contracts or agreements in place with them.
These include:
We do not routinely transfer personal data, special categories of personal data or criminal offence data, outside of the UK but when this is necessary, we ensure that we have appropriate safeguards in place and that it is done in accordance with the UK data protection and privacy legislation.
We are committed to keeping your information safe and secure. There are several ways we do this, such as:
To find out about your rights under Data Protection law, via the Information Commissioners Office (ICO); you can also find information about your rights via Our Privacy Notice.
If you have any questions about this Privacy Notice, want to exercise your rights, or if you have a complaint about how your information has been used, email: [email protected], or telephone: 01904 555719. Alternatively, you can or write:
Data Protection Officer
City of York Council
West Offices
Station Rise
York
YO1 6GA
By using our website you are consenting to certain types of cookie being placed on your device; see our Cookies Notice.
Where our website links to external resources or websites, these may add their own cookies. These are outside our control. Cookies can be disabled by changing the settings in your browser, but you may need to re-enter information at times.
Emails that we send to you or you send to us, may be retained as a record of contact and your email address stored for future use in accordance with our record retention schedules. If we need to email sensitive or confidential information to you, we may perform checks to verify the correct email address and may take additional security measures.
You will not receive unsolicited paper or electronic mail as a result of sending us any personal data while using our website, unless you have given us permission to do this.
We do not pass personal data to third parties for marketing, sales or any other commercial purposes without your prior explicit consent.
If we have to share your personal data externally, we require any third party to comply with the principles of data protection legislation, and our procedures and instructions, when they use your information on our behalf.