Rights under Data Protection Legislation –
This privacy statement explains how we collect and use personal information about you for the purpose of responding to requests under the General Data Protection Regulation ("GDPR") and the Data Protection Act 2018.
Who we are
The National Assembly for Wales Commission is the data controller of the information you provide, and will ensure it is protected and used in line with data protection legislation.
Any queries regarding our use of your information should be sent to the Data Protection Officer for the Assembly Commission, who can be contacted at:
National Assembly for Wales
0300 200 6565
What we need and why we need it
Our purpose for processing your personal data is so we can locate the information you are looking for and respond to your request.
This enables us to comply with our legal obligations. The legislation we are subject to is the:
- General Data Protection Regulation;
- Data Protection Act 2018.
When we receive your request, we will create an electronic file containing the details of your request. This will include any contact details that you have shared with us and any other information contained in your original request. We will also store on this file a copy of the information that falls within the scope of your request. If your submission is in hard copy, it will be scanned and stored electronically. The hard copy will be destroyed.
Depending on your request, we may seek further information from you in order to pinpoint where the information may be held.
Categories of information processed
Normal personal data is defined by the GDPR and includes names and contact details, as well as previous interaction with the Assembly Commission.
Depending on the request, we may process special category data as defined by the GDPR, such as race, ethnic origin, political views, religion, trade union membership, health or sexual orientation.
Our purpose for processing personal data is so we can respond to requests, e.g. subject access requests, and deal with any associated follow-up questions, reviews or appeals, such as to the Information Commissioner. This is in line with our statutory obligations.
What we will do with your information
Information will be stored on the Assembly ICT network (which includes third party cloud services provided by Microsoft). Any transfer of data by Microsoft outside of the EEA is covered by contractual clauses under which Microsoft ensure that personal data is treated in line with European legislation.
When dealing with a request, it may be necessary to make your identity known to a specific group of people. We will not share your information with anyone outside of the organisation unless obliged by law.
How long we will keep it
We will keep your contact details, the request and our response to your request for 5 years after the response is released. This is in line with our retention policy. After this time, all information will be disposed of securely.
Legal basis for processing
The Commission must have a lawful basis for processing your information, and which basis is engaged will depend on the activity or circumstance in which we are collecting and using information.
In order to respond to requests made under access to information legislation, we will rely on the following legal bases:
- The processing is necessary to comply with a legal obligation to which we are subject (Art. 6(1)(c) GDPR);
- The processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law (Art. 6(1)(e) GDPR).
Where we process special category data, the legal basis is that it is necessary for reasons of substantial public interest in accordance with Article 9(2)(g) GDPR and section 10(3) of, and paragraph 6 of Schedule 1 to, the Data Protection Act 2018; fulfilling our statutory obligations is in the substantial public interest.
You have a number of rights in relation to the information that we hold about you. The rights which apply depend on the legal bases we are relying on to use your personal data. Those rights will not apply in all instances, and we will confirm whether or not that is the case when you make a request.
In summary the rights are:
- The right to be informed about how your personal information is used;
- The right of access to copies of your personal information;
- The right to rectification if your information is inaccurate;
- The right to erasure of your personal information;
- The right to restrict our use of your personal information;
- The right to data portability;
- The right to object to the use of your personal information;
- Rights in relation to automated decision making and profiling.
If you would like to engage any of these rights, please email Informationfirstname.lastname@example.org.
Further details about your rights are available on the ICO's website: https://ico.org.uk/for-the-public/.
You can make a complaint about how your information has been used by contacting the Assembly Commission's Data Protection Officer on 0300 200 6494 or via Data.email@example.com.
You can also make a complaint to the Information Commissioner's Office (ICO) if you believe we have not used your information in line with the law. The ICO's contact details can be found on their website.