
Data Protection Statement

About Us

Audit Yorkshire provides a range of internal audit, anti-crime, assurance and advisory services to members and clients across North and West Yorkshire.

We have privileged and wide-ranging access to personal data and information to support our work.  We recognise our duty to respect this privileged access and to ensure that the personal data entrusted to us is safeguarded properly.

Statement on management of personal data

We work within the policy framework of our host organisation, York and Scarborough Teaching Hospitals NHS Foundation Trust, to meet our obligations under Data Protection legislation. In addition to the Trust’s appointed data protection officer, we have our own in-house Information Governance specialist and local data protection policies, guidelines and procedures to support compliance. In summary:

  • We will only request personal data for use in discharging our statutory and other audit functions and for lawful purposes.
  • We request the minimum amount of information necessary to carry out our work.
  • We have protocols which specify the measures we use for protecting personal data during transfer for the purposes of our work.
  • We take appropriate measures to safeguard the confidentiality, integrity and availability of data we hold, according to its volume and sensitivity, as laid out in our data protection policies.
  • Where appropriate, we conduct data protection impact assessments, which may result in additional controls being applied.
  • We keep a record of our data-processing activities, as required by law.
  • The Head of Audit is our designated Information Asset Owner. Audit Managers will act as Information Asset Administrators, being personally responsible for authorising requests for personal data and for ensuring that personal data is transferred, processed, stored and destroyed in accordance with our policies and procedures.
  • All staff receive annual data security and protection training and work to our local Data Security and Protection Protocol.
  • We ensure compliance with records management policies by reviewing storage and retention of personal data on completion of audit assignments.
  • If we become aware of a potential breach of the personal data provided to us by our clients, we will notify the client without undue delay.
  • We audit our compliance with our data protection policies. The Audit Managers responsible for the security of data self-assess at the end of each piece of work and are required to report compliance regularly. The data protection officer monitors compliance, and the suite of policies and procedures that makes up our data protection framework is audited by an independent third-party company.
  • We will comply with the rights of data subjects in line with the requirements of data protection legislation.
  • Where information identifying individuals must be given up by law, we will release it only to those legally entitled to receive it.

Purpose and Lawful Basis for Processing

We collect personal data of member/client employees, patients and service users as necessary for the discharge of our internal audit and anti-crime functions. The lawful basis for this processing is found in GDPR Article 6(1)(e) “where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”. Where an assignment involves processing of sensitive (special category) data, the lawful basis is in Article 9(2)(b) (employment and social protection) or Article 9(2)(h) (health and social care).

For routine administration purposes, we hold the name, job role and contact details of nominated contacts within each member and client organisation.  We send periodic newsletters, technical briefings and news of learning events to Directors of Finance, Audit Committee Chairs and other officers as appropriate to the content.  These are primarily service messages but may have a promotional element in support of our public function. As such we will respect any individual opt-out requests.

Member and Client Obligations

Audit Yorkshire Members and Clients have their part to play in ensuring that assignments are carried out in accordance with the Data Protection Principles. In particular, this means:

  • Ensuring that use of personal data for Audit is declared in your Privacy Notices and included in your statutory documentation of processing activities
  • Applying effective information governance policies, procedures and training when preparing personal data for audit
  • Providing only those data fields that have been identified as necessary for the purpose of the audit
  • Including only the bare minimum of identifiers which will still satisfy the purpose
  • Using only secure means for transferring the data.


For further information about this statement, or to exercise your rights in respect of personal data we hold about you, please contact: