This privacy notice relates to Vetting and DBS checks (Disclosure and Barring Service).

The vetting requirement only applies to EnableNY colleagues and those working from North Yorkshire Police premises. DBS checks apply to all NYFRS colleagues.

The Chief Fire Officer of North Yorkshire Fire and Rescue Service is committed to protecting your personal information.

This Privacy Notice contains important information about what personal details we collect; what we do with that information; who we may share it with and why; and your choices and rights when it comes to the personal information you have given to us.

We may need to make changes to our Privacy Policy, so please check our website for updates from time to time. If there are important changes such as changes to where your personal data will be processed, we may need to contact you to let you know.

Who are we?

This Privacy Notice is provided to you by the Chief Fire Officer of North Yorkshire Fire and Rescue Service who is the data controller of this data.

Your personal data – what is it?

“Personal data” is any information about a living individual which allows them to be identified (for example a name, photographs, videos, email address, or address). Identification can be directly using the data itself, or by combining it with other information which helps to identify a living individual.

The processing of personal data is governed by legislation relating to personal data which applies in the United Kingdom including the General Data Protection Regulation (the “GDPR”) and the Data Protection Act 2018, and other legislation relating to personal data and rights, such as the Human Rights Act.

The data we may collect about you includes, but is not limited to:

  • Name, address and any other contact details such as email address and telephone numbers;
  • Previous employment history, references and educational history;
  • Gender, ethnicity, religion and nationality;
  • Passport/Visa details;
  • Health and Disability;
  • Open-source information, for instance data from Facebook and Twitter (once extracted, data is stored and retained);
  • Financial records including credit checks (once extracted, data is stored and retained);
  • Criminal record including unspent convictions; and
  • Depending on the vetting level, we may ask for details of family members.

This data may be refreshed as required to conduct the periodic vetting and integrity checks.

What is the legal basis for processing your personal data?

The Chief Fire Officer of North Yorkshire Fire and Rescue Service may process personal data for the following reasons:

  • The performance of a contract with those who wish to work with North Yorkshire Fire and Rescue Service or the Police, Fire and Crime Commissioner, and any employee of contractors procured by North Yorkshire Fire and Rescue Service;
  • To meet a legal obligation – every Fire and Rescue Service are obligated to secure the maintenance of an efficient and effective Fire and Rescue Service.
  • To allow us to perform our public task of providing a Fire and Rescue Service in the interest of the public.

The Data Controller will comply with data protection law. This says that the personal data we hold about you must be:

  • Used lawfully, fairly and in a transparent way;
  • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
  • Relevant to the purposes we have told you about and limited only to those purposes;
  • Accurate and kept up to date;
  • Kept only as long as is necessary for the purposes we have told you about;
  • Kept and destroyed securely, including ensuring that appropriate technical and security measures are in place to protect your personal data and to protect personal data from loss, misuse, unauthorised access and disclosure.

Sharing your personal data:

We may share your personal data internally with relevant departments for the purpose of fulfilling one or more of the above stated legal bases. We may also engage the services of other agencies to meet legal requirements or fulfil another lawful basis.

Where we have arrangements to share your personal data, there is a contract, memorandum of understanding or information sharing agreement in place to ensure that the requirements of the Data Protection legislation on handling personal information are met. Where we are required to disclose information by law, for example for safeguarding purposes, we may do so without these arrangements. We engage with a third-party processor who supports the database holding the vetting information.

NYFRS will take steps to ensure any disclosures of personal data are necessary and proportionate, as required by law. Whenever we share your personal information, sharing options will be evaluated to ensure that your data is shared in the most secure manner.

How do we keep your information secure?

We are committed to ensuring that your personal data is safe and processed securely. To prevent your personal data from being accidentally lost, used or accessed in an unauthorised manner, altered or disclosed, we have put in place suitable physical, electronic and managerial measures. These include information security awareness training for our staff. We have also compiled procedures to safeguard and secure the information that we hold about you which our staff adhere to.

We limit the access to your personal information to those employees who have a business need to know, for instance through secure work areas and access controls on all our systems. Employees, contractors and other third parties who handle personal data will only process your personal information in line with our direct instructions.

How long do we keep your personal data?

North Yorkshire Fire and Rescue Service keeps your personal information as long as is necessary for the particular purpose, or purposes, for which it is held.

Records that contain your personal information processed for “general data” purposes will be managed in accordance with the Service’s retention schedule.

Your rights and personal data:

A key area of change in the new Data Protection Act relates to individuals’ rights. The law refreshes existing rights by clarifying and extending them and introduces new rights. However, your information rights will be dependent on the reason why the data was collected, how the data was collected and why it is being used.

Further information about your rights can be found on our Your Information Rights and Data Protection page.

Further processing:

If we wish to use your personal data for a new purpose, not covered by this Privacy Policy, we may provide you with a new notice explaining this new use and setting out the relevant purposes and processing conditions, prior to commencing the processing.  We will seek your prior consent to the new processing if this is appropriate.

Contact details:

Details as to how we can be contacted, as well as how you can submit a complaint is available on our website. Please see our privacy policies.

This version of our Privacy Notice was last updated on 22 November 2023.