Access to Information - Privacy Notice
This privacy statement explains how we collect and use personal information about you for the process/purpose of responding to a request made by you under access to information legislation.
Who we are
The National Assembly for Wales Commission is the data controller of the information you provide, and will ensure it is protected and used in line with data protection legislation.
Any queries regarding our use of your information should be sent to the Data Protection Officer at:
National Assembly for Wales
0300 200 6565
What we need and why we need it
Our purpose for processing your personal data is so we can respond to your information request.
When we receive your request, we will create an electronic file containing the details of your request. This will include any contact details that you have shared with us and any other information contained in your original request. We will also store on this file a copy of the information that falls within the scope of your request. If your submission is in hard copy, it will be scanned and stored electronically. The hard copy will be destroyed.
Categories of information processed
Normal personal data is defined by the General Data Protection Regulation (GDPR) and includes names and contact details, as well as previous interaction with the Assembly Commission.
Depending on the request, we may process special category data, as defined by the GDPR such as race; ethnic origin; political views; religion; trade union membership; health or sexual orientation.
What we will do with your information
Your information will be used by Commission staff for the purposes of answering your request for information. Your personal information will not be shared further than those directly involved in responding to your request. We will not share your personal information with anyone outside of the organisation unless obliged by law.
Information will be stored on the Assembly ICT network (which includes third party cloud services provided by Microsoft). Any transfer of data by Microsoft outside of the EEA is covered by contractual clauses under which Microsoft ensure that personal data is treated in line with European legislation.
If the request is about information we have received from another organisation – regarding a complaint, for example – we'll routinely consult the organisation/s concerned to seek their view on disclosure of the material.
How long we will keep it
We will keep your contact details, the request and our response to your request for 5 years after the response is released. This is in line with our retention policy. After this time, all information will be disposed of securely.
Legal basis for processing
The Commission must have a lawful basis for processing your information, and which basis is engaged will depend on the activity or circumstance in which we are collecting and using information.
In order to respond to requests made under access to information legislation, we will rely on the following legal bases:
- The processing is necessary to comply with a legal obligation to which we are subject (Art. 6(1)(c ) GDPR);
- The processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law (Art. 6(1)(e) GDPR).
Where we process special category data, the legal basis is that it is necessary for reasons of substantial public interest in accordance with Article 9(2)(g) GDPR and section 10(3) of, and paragraph 6 of Schedule 1 to, the Data Protection Act 2018; fulfilling our statutory obligations is in the substantial public interest.
You have certain rights over the information we hold. In summary the rights are:
- The right to be informed about how your personal information is used;
- The right of access to copies of your personal information;
- The right to rectification if your information is inaccurate;
- The right to erasure of your personal information;
- The right to restrict our use of your personal information;
- The right to data portability;
- The right to object to the use of your personal information;
- Rights in relation to automated decision making and profiling.
If you would like to engage any of these rights, please email Informationfirstname.lastname@example.org.
You can make a complaint about how your information has been used by contacting the Assembly Commission's Data Protection Officer on 0300 200 6565 or via email@example.com.
You can also make a complaint to the Information Commissioner's Office (ICO) if you believe we have not used your information in line with the law. The ICO's contact details can be found on their website.