Our Privacy Notice

This privacy notice has been written to inform the customers of Selby District Council about what the Council does with their personal data.

You should read this notice in conjunction with service specific privacy notices which can be found at the bottom of this page. Following Britain’s departure from the EU, all references to GDPR now refer to UK GDPR

Who are we?

Selby District Council is a ‘Data Controller’ as defined by Article 4(7) of the General Data Protection Regulation (GDPR). This means the Council has a duty of care towards the personal data that it collects and uses.

The Council has appointed Veritau Ltd to be its Data Protection Officer. Their contact details are: Information Governance Office, Veritau Ltd, County Hall, Racecourse Lane, Northallerton, DL7 8AL / DPO@selby.gov.uk / 01904 552848.

What data do you collect which is about me?

In order to deliver our services the Council needs to collect and use your personal data and sometimes your special category personal data.

We will only collect the data we need and if we don’t need your personal data we will keep it anonymous.

There will be instances where we will anonymise your data. For example, in a survey we may not need your contact details. In which case, we'll only collect your survey responses.

Why do you need my personal data?

We may need to use and collect your personal data, and sometimes your special category personal data, so that we can:

  • Deliver, manage, and check the quality of services that we provide to you
  • Investigate complaints or concerns raised by you or other individuals
  • To assist with the research and planning of new services

Who has access to my personal data within the Council?

Your name, contact details, and address may be held on the Council’s databases that enable online service, within our customer contact system and departmental back office systems so that we can deliver services to you and easily identify you should you contact us.

Council officers may only access your personal data if they require it to perform a task. There are procedures and checks in place to ensure that officers can not use your data for their own personal benefit.

Who do you share my personal data with?

In order to deliver the best possible service the Council often uses third party organisations. These organisations may have access to your personal data in order to complete their work. If the Council does use a third party organisation it will always have an agreement in place to ensure that the third party keeps your data secure.

Occasionally the Council is required to pass your data to other organisations. This could be because of a legal requirement or because a court orders the Council to do so. For example the Council may need to share information with the police to help prevent or detect a crime. The Council may not have to tell you if we do share with other organisations.

The Council’s internal auditors, counter fraud service, data protection officer, and external auditors may also have access to your personal data in order to complete their work. 

The Council will only share personal data with another organsiation if it has a legal duty to do so and will always keep records of when your data has been disclosed to another organisation.

National Fraud Initiative

The Council also collects and uses your data for the National Fraud Initiative (NFI).

How do you protect my personal data?

The Council is committed to keeping the personal data that it holds safe from loss, corruption or theft. It has a number of measures in place to do this including:

  • Training for all officers and elected councillors on how to handle personal data
  • Policies and procedures detailing what officers can and can not do with personal data
  • A number of IT security safeguards such a firewalls, encryption, and virus protection software
  • On site security safeguards to protect physical files and electronic equipment

What are your legal powers?

Unless the Council is using your data based on consent or to carry out obligations under contract then it will be relying on a legal power.


There are a number of legal reasons for the Council to collect and use your personal data. The service specific privacy notices, which can be found at the end of this notice, will tell you which legal power the Council is relying on for that specific process.

Conditions for criminal offence data, enforcement investigations and prosecutions

Where we are undertaking an investigation we are processing personal information under Part III of the Data Protection Act 2018 (DPA) for law enforcement purposes. The six law enforcement principles are similar to UK GDPR’s, however the transparency requirements are different, due to the potential to prejudice an ongoing investigation in certain circumstances.

When processing sensitive data, we must be able to demonstrate that the processing is strictly necessary and satisfies one of the conditions in Schedule 8 of the DPA or is based on consent.

How long do you keep my personal data for?

The Council will only keep your personal data for as long as it is required to fulfil the purpose it was collected for or for as long as is required by legislation.

There are different retention periods for different types of information. The service specific privacy notices, which can be found at the end of this notice, will tell you how long that service area may keep your information for.

Do you transfer my data outside of the UK?

Generally, the information that the Council holds is all held within the UK. However, some information may be held on computer servers that are held outside of the UK.  The Council will take all reasonable steps to ensure your data is not processed in a country that is not seen as ‘safe’ by the UK.

If the Council does need to send your data out of the UK it will ensure it has extra protection from loss or unauthorised access.

What are my Data Protection rights?

Data Protection legislation gives you, the data subject, a number of rights in regards to your personal information. We have a dedicated webpage that explains what these rights are and how you can exercise them.

How do I complain about the way in which you have handled my personal data?

If you have concerns about the way in which Selby District Council has handled your personal data then please contact our Data Protection Officer by contacting: Information Governance Office, Veritau Ltd, County Hall, Racecourse Lane, Northallerton, DL7 8AL / DPO@selby.gov.uk / 01904 552848.

You may also want to complain to the Information Commissioner’s Office (the Data Protection regulator) about the way in which the Council has handled your personal data. You can do so by contacting: First Contact Team, Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow Cheshire, SK9 5AF / icocasework@ico.org.uk / 0303 123 1113 / www.ico.org.uk

Click here to view our fair processing notice.

Other Privacy Notices

This privacy notice is Selby District Council’s main privacy notice, but you may also want to view privacy notices specific to different teams.