The Chief Fire Officer of North Yorkshire Fire and Rescue Service is committed to protecting your personal information.

This Privacy Policy contains important information about what personal details we collect; what we do with that information; who we may share it with and why; and your choices and rights when it comes to the personal information you have given to us.

We may need to make changes to our Privacy Policy, so please check our website for updates from time to time. If there are important changes such as changes to where your personal data will be processed, we may need to contact you to let you know.

Who we are:

This Privacy Policy is provided to you by the Chief Fire Officer of North Yorkshire Fire and Rescue Service who is the data controller of this data.

Your personal data – what is it?

“Personal data” is any information about a living individual which allows them to be identified. Identification can be made directly using the data itself, or by combining it with other information which helps to identify a living individual. The processing of personal data is governed by legislation relating to personal data which applies in the United Kingdom including the General Data Protection Regulation (the “GDPR”) and the Data Protection Act 2018, and other legislation relating to personal data and rights, such as the Human Rights Act.

The data we may collect about you:

Personal Data that we may collect includes, but is not limited to:

  • Personal details such as name, date of birth, address, gender, ID numbers and photo, proof of identity, contact details including emergency contact details;
  • Property and occupancy details;
  • Next of Kin;
  • NYFRS user details such as brigade number and employee number;
  • Bank account details, payroll records, and insurance number;
  • Salary and grade details;
  • Salary information including entitlement to benefits or deductions and statutory pay e.g., sickness, requests for overtime, expenses, subsistence, mileage;
  • Marital status, dependents and family circumstance;
  • DBS checks and security vetting details;
  • CCTV and thermal imaging footage and ID card records;
  • Recruitment information such as contract and terms and conditions of employment, education and employment history, references, sickness and absence records/reports, maternity/paternity leave, emergency leave, reasons for leave and time off work, criminal record, training and qualifications, PDPRs, PDPs and CPD applications (with previous employers and the service);
  • Disciplinary and Grievance records including correspondence, documentation and any warnings issued;
  • Health and safety records including details of any incidents, injuries, driving history, witness statements, disability information for which the Service needs to make reasonable adjustments, referrals, health surveillance records, Physical Activity Readiness Questionnaire (PARQ), Individual risk assessments, Accident records including witness statements, Personal emergency evacuation details, Violence to staff form, Information to respond and defend against legal claims;
  • Information about your use of NYFRS systems;
  • Food allergies or intolerances or any other dietary requirements;
  • Uniform measurements.

Special category personal data may include personal data revealing:

  • Racial or ethnic origin;
  • Political opinions;
  • Religious or philosophical beliefs;
  • Trade Union membership;
  • Physical or mental health;
  • Sex life or orientation;
  • Genetic or biometric data.

North Yorkshire Fire and Rescue will use the minimum amount of personal information necessary to carry out a particular activity.

Why do we use your information?

We may process your data to enable us to carry out functions relating to:

  • Professional Standards (HR/Training and Development) – Information is collected to help us manage your employment and make sure both parties uphold their roles as stated in that contract and associated Schemes of Conditions of Service and negotiated terms;
  • Security and emails – For network and information security purposes (ITSS have the ability to audit employees’ activity and transactions through some of the ICT infrastructure);
  • Payroll and Finance – This allows us to pay you in accordance with your Terms and Conditions within the contract;
  • Pensions information – This allows us to administer and manage your pensions;
  • Occupational Health and Fitness information – There are circumstances where we will collect medical and health information to confirm that our employees are fit and have the ability to undertake their role and meet contractual requirements; this could include a referral to the Service Medical Advisor;
  • Health and Safety – We undertake risk assessments and collect information from certain incidents to make sure the correct procedures are in place to safeguard our employees and the public we serve;
  • Technical Services information – We process data to ensure networking, building and information security and to resolve IT faults. We collect data to allow us to provide you with the correct uniform, catering for courses and to administer insurance claims and investigate accidents;
  • Control, Stations, Response and Resilience, and Prevention and Protection information – we have a legal requirement to obtain information to enable us to respond and manage incidents. We also have a power to follow up incidents, which requires information such as witness statements for fire investigation purposes.

What is the legal basis for processing your personal data?

Some of the purposes for using your data will overlap and there can be several lawful conditions for processing your personal data.

The Chief Fire Officer of North Yorkshire Fire and Rescue Service may process personal data for the following reasons:

  • The performance of a contract with you, the data subject, to enable you to carry out work responsibilities as part of your employment with North Yorkshire Fire and Rescue Service;
  • To comply with employment related legislation and ensure we provide a Fire service during times of Business Continuity;
  • It is necessary for carrying out employment obligations;
  • It is necessary for performance of a public task.

Where we process special categories of personal data, we will do so for one or more of the following reasons:

  • It is necessary in the context of employment law, or laws relating to social security and social protection;
  • It is necessary to protect individuals’ vital interests;
  • The processing relates to personal data which have been manifestly made public by the data subject;
  • It is necessary for the establishment, exercise or defence of legal claims, or for courts acting in their judicial capacity;
  • It is necessary for reasons of substantial public interest and occurs on the basis of a law that is proportionate to the aim pursued and protects the rights of data subjects;
  • The processing is required for the purpose of medical treatment undertaken by health professionals, including assessing the working capacity of employees and the management of health or social care systems and services;
  • The processing is necessary for reasons of public interest around public health; and
  • The processing is necessary for archiving purposes in the public interest, for historical, scientific, research or statistical purposes, subject to appropriate safeguards.


The Data Controller will comply with data protection law. This says that the personal data we hold about you must be:

  • Used lawfully, fairly and in a transparent way, as appropriate;
  • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
  • Relevant to the purposes we have told you about and limited only to those purposes;
  • Accurate and kept up to date;
  • Kept only as long as is necessary for the purposes we have told you about;
  • Kept and destroyed securely, including ensuring that appropriate technical and security measures are in place to protect your personal data and to protect personal data from loss, misuse, unauthorised access and disclosure.


Sharing your personal data:

We may share your personal data internally with relevant departments for the purpose of fulfilling one or more of the above stated legal bases. We may also engage the services of other agencies to meet legal requirements or fulfil another lawful basis.

Where we have arrangements to share your personal data, there is a contract, memorandum of understanding or information sharing agreement in place to ensure that the requirements of the Data Protection legislation on handling personal information are met. Where we are required to disclose information by law, for example for safeguarding purposes, we may do so without these arrangements.

We engage with third party processors who handle some, or all, of the above-mentioned information on our instruction.

NYFRS will take steps to ensure any disclosures of personal data are necessary and proportionate, as required by law. Whenever we share your personal information, sharing options will be evaluated to ensure that your data is shared in the most secure manner.

How do we keep your personal information secure?

We are committed to ensuring that your personal data is safe and processed securely. In order to prevent your personal data from being accidentally lost, used or accessed in an unauthorised manner, altered or disclosed, we have put in place suitable physical, electronic and managerial measures. These include information security awareness training for our staff. We have also compiled procedures to safeguard and secure the information that we hold about you which our staff adhere to.

We limit the access to your personal information to those employees who have a business need to know, for instance through secure work areas and access controls on all our systems. Employees, contractors and other third parties who handle personal data will only process your personal information in line with our direct instructions.

How long do we keep your personal information?

North Yorkshire Fire and Rescue keeps your personal information as long as is necessary for the particular purpose, or purposes, for which it is held.

Records that contain your personal information processed for “general data” purposes will be managed in accordance with the Service’s Retention Schedule.

Your rights and personal data:

A key area of change in the new Data Protection Act relates to individuals’ rights. The law refreshes existing rights by clarifying and extending them and introduces new rights.

However, your information rights will be dependent on the reason why the data was collected, how the data was collected and why it is being used.

Further information about your rights can be found on the “Your Information Rights” page.

Further processing:

If we wish to use your personal data for a new purpose, not covered by this Privacy Policy, we may provide you with a new policy explaining this new use and setting out the relevant purposes and processing conditions, prior to commencing the processing.  We will seek your prior consent to the new processing if this is appropriate.

Contact Details:

Details as to how we can be contacted as well as how you can submit a complaint are available on our website: Your Information Rights – North Yorkshire Fire & Rescue Service


This version of our Privacy Policy was last updated November 2022.