About us

Jo Coles - York and North Yorkshire Deputy Mayor for Policing, Fire and Crime

Jo Coles - North Yorkshire Deputy Mayor for Policing, Fire and Crime

Home - Your information rights - Your information – Data protection - How we use your information - Privacy notice

Privacy notice

Published: 25 February 2025
Review date: 25 February 2026
Policy owner: Data Protection Officer

The York and North Yorkshire Office for Policing, Fire, Crime and Commissioning (OPFCC), part of the York and North Yorkshire Combined Authority (YNYCA), is committed to protecting your personal information.  

 This privacy notice has been written to inform individuals about how and why the OPFCC processes personal data. It includes when we process information relating to general queries and complaints.   

 This privacy notice supplements the organisation’s other notices. 

 

Who are we?

The Mayor of York and North Yorkshire is a data controller as defined by the UK GDPR.  This means that we determine the purposes for which your personal data is processed and the manner of the processing.  We will only collect and use your personal data in ways that are compliant with data protection legislation.  

The role of the DPO is to monitor our compliance with the UK GDPR and the Data Protection Act 2018 and advise on data protection issues.  If you would like to discuss this privacy notice or our use of your data, please contact: 

Data Protection Officer
York and North Yorkshire Office for Policing, Fire, Crime and Commissioning
Harrogate Police Station
Beckwith Head Road
Harrogate
North Yorkshire
HG3 1FR
[email protected] // 01423 569562

What personal information do we collect?

The personal data we collect about you will be dependent on the nature of your contact and relationship with us, but could include:

• Personal details, including name, address and contact information
• Company details and contact information, if appropriate
• Details of the reasons for contact, and any communication preferences
• Visitor information, such as the purpose of your visit and time you enter and leave the building, car registration number and any health conditions or disability access needs you tell us about
• Records of communications and interactions we have with you
• Any details provided by yourself or third parties relating to a complaint investigation, including witness statements and interview notes
• Information required for recruitment

Why do we collect your personal information?

We process your information for the purposes outlined below:

• To fulfil the organisation’s service
• To effectively respond to your query or request
• To comply with a legal or regulatory obligation such as safeguarding and health and safety requirements
• To process feedback and improve our services
• To promote the organisation, including in newsletters, on the website and social media platforms
• To effectively administer the complaints process
• For recruitment purposes
• To monitor and inform our policies on equality and diversity
• Veritau who provide information governance services to the organisation

Who do we obtain your information from?

We normally receive this information directly from you. However, we may also receive some information from third parties including:

• North Yorkshire Police or another UK Police force
• North Yorkshire Fire and Rescue or another UK Fire and Rescue Service
• Local Authorities
• A referring organisation

Who do we share your personal data with?

Third party processors

In order to deliver the best possible service, we often use third party organisations. These organisations will sometimes need access to your personal data in order to complete their work. If we do use a third party organisation, we will always have an agreement in place to ensure that the other organisation keeps your data secure.

Other organisations

Sometimes we have to pass your data to other organisations. This could be because of a legal requirement or because a court orders us to do so. For example, we may need to share information with the police to help prevent or detect a crime. We may not have to tell you if we do share with other organisations in this way.

Statutory functions

Our auditors and similar service have access to your personal data in order to complete their work. We will only share personal data with another organisation if we have a lawful basis to do so, and we will always keep records of when your data has been disclosed to another organisation.

How long do we keep your personal data for?

We will retain your information in accordance with our Records Management Policy and Retention Schedule.The retention period for most of the information we process about you is determined by statutory obligations. Any personal information which we are not required by law to retain will only be kept for as long as is reasonably necessary to fulfil its purpose.

We may also retain some information for historical and archiving purposes in accordance with our Records Management policy.

International transfers of data

Although we are based in the UK, some of the digital information we hold may be stored on computer servers located outside the UK. Some of the IT applications we use may also transfer data outside the UK.

Normally your information will not be transferred outside the European Economic Area, which is deemed to have adequate data protection standards by the UK government. In the event that your information is transferred outside the EEA, we will take reasonable steps to ensure your data is protected and appropriate safeguards are in place.

What rights do you have over your data?

Under the UK GDPR, individuals have the following rights in relation to the processing of their personal data:

• to be informed about how we process your personal data. This notice fulfils this obligation.
• to request a copy of the personal data we hold about you (known as a Subject Access Request).
• to request that your personal data is amended if inaccurate or incomplete (known as a Right to Rectification Request).
• to request that your personal data is erased where there is no compelling reason for its continued processing (known as an Erasure Request).
• to request that the processing of your personal data is restricted.
• to obtain and reuse personal data you have provided to the organisation for your own purposes.
• to object to your personal data being processed.

If you have any concerns about the way we have handled your personal data or would like any further information, then please contact our DPO using the details provided above.

If we cannot resolve your concerns then you may also complain to the Information Commissioner’s Office, which is the UK’s data protection regulator. Their contact details are below:

Phone: 0303 123 1113 or via their live chat. Opening hours are Monday to Friday between 9am and 5pm (excluding bank holidays). You can also report, enquire, register and raise complaints with the ICO using their web form on Contact us | ICO.

What is our lawful basis for processing your information?

Under the UK GDPR, it is essential to have a lawful basis when processing personal information. We normally rely on the following lawful bases:

• Article 6(1)(a) – consent
• Article 6(1)(b) – performance of a contract
• Article 6(1)(c) – legal obligation
• Article 6(1)(e) – public task
• Article 6(1)(f) – legitimate interests

We only rely on legitimate interests when we are using your data in ways you would reasonably expect.

Where we are processing your personal data with your consent you have the right to withdraw that consent. If you change your mind or are unhappy with our use of your personal data, please let us know by contacting the Data Protection Officer.

Where we are processing your personal under Public Task or Legitimate Interests you have the right to object to the processing. Please submit any objections to the Data Protection Officer.

Some of the information we collect about you is classed as special category data under the UK GDPR. Additional conditions are required to allow for processing this data. We normally rely on the following lawful basis:

• Article 9(2)(a) – explicit consent
• Article 9(2)(g) – reasons of substantial public interest

The specific privacy notices will tell you which lawful basis we are relying on for that specific process.

Changes to this notice

We reserve the right to change this privacy notice at any time.  This privacy notice was last reviewed 25 February 2025. 

Other Processing Activity

OPFCC will process personal data in a number of other situations. Separate privacy notices have therefore been prepared for:

Photos and Images
Employees
Volunteer
Recruitment
Website Forms and Social Media
Complaints