Updates to this policy
Given recent changes in data protection law, we will update this page over coming months. Please check back for updates. We will not however use any personal data in a way that is inconsistent with the original purposes for which it was obtained, without informing you first.
The National Assembly for Wales Commission ('the Assembly') is the data controller for all personal data that it holds. Personal data will be used in accordance with data protection legislation. This includes the UK Data Protection Act 2018 ('DPA 18') and the General Data Protection Regulation ('GDPR').
Please note this policy relates only to the use of personal data by the Assembly as a data controller. Assembly Members are data controllers in their own right, and are responsible for the personal data held and used by their offices.
Data Protection Officer
The Data Protection Officer for the Assembly can be contacted at firstname.lastname@example.org
What personal data does the Assembly use?
The Assembly uses personal data to fulfil Assembly functions and activities, these include: representing and engaging with the people of Wales, making laws for Wales, education and outreach, information and record keeping, Assembly administration, providing support to Assembly Members and their staff, employing staff, and crime prevention.
Full privacy notices for a number of our different activities will be provided in separate, dedicated privacy notices, but in summary, the main types of personal data the Assembly uses are:
Evidence submissions of those who choose to submit to an Assembly Committee and other Assembly inquiries and consultations. This will include your contact details, sometimes your occupation and place of employment, and any opinions you express. Evidence submissions are usually published on our website. Witnesses sometimes also provide evidence in person;
Contact details of stakeholders and members of the public who choose to engage with the Assembly or to receive updates about different activities, and information they provide in order to take part in engagement activities;
Images and film images are taken at the Assembly or at Assembly events for engagement purposes. Engaging with the people of Wales is really important to us and images will often be used on our social media channels;
CCTV is in operation across the Assembly estates. It is vitally important that the Assembly and those engaging with us are kept safe;
Personal data of Assembly Members, Assembly Members Support Staff, and Assembly staff (and prospective staff) are used for the purposes of employment and Assembly administration;
Senedd TV is the online broadcast channel for the National Assembly for Wales. This website holds live and archived coverage of all Assembly proceedings taking place in public, including Plenary debates and Committee meetings;
What legal bases do we rely on for using your personal data?
The Assembly must have a lawful basis for processing your information, and which basis is engaged will depend on the activity or circumstance in which we are collecting and using information. A number of these activities are described below and further separate privacy notices will communicate the appropriate legal basis we are relying on, but, in summary:
Many of our activities relate to the official function as the National Assembly for Wales. The legal basis we rely on to use personal data in these instances is often the bases known as 'public task' This basis is engaged where "the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law".
You have a number of rights in relation to the information that we hold about you. The rights which apply depend on the legal bases we are relying on to use your personal data. Those rights will not apply in all instances, and we will confirm whether or not that is the case when you make a request.
In summary the rights are:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling
If you would like to engage any of these rights, please email Informationemail@example.com.
Further details about your rights are available on the Information Commissioners Office (ICO) website https://ico.org.uk/for-the-public/
How your personal data will be stored
Information will normally be retained on our secure ICT infrastructure which includes third party cloud services provided by Microsoft. Any transfer of data by Microsoft outside of the EEA is covered by contractual clauses under which Microsoft ensure that personal data is treated in line with European legislation.
Sometimes we use third party applications such as Survey Monkey, Mail Chimp, Dialogue, EventBrite. Where this is the case, the relevant privacy notice will inform you of: any transfers of data outside of Europe; the safeguards which are in place to protect your data; and, direct you to information provided by that third party about how they will use your information.
We will ensure administrative, technical and physical security controls are in place to protect information and reduce the potential risks of loss or unauthorised use or disclosure. A summary of the technical controls in place include:
Boundary firewalls implemented and continually updated
Network support post established with specific responsibility for cyber security
Automatic alerting and reporting of attempted Cyber-attacks
Malware protection with regular update cycle in place for all systems
Multi-factor authentication enabled for cloud services
Advanced threat analytics enabled
Intrusion detection processes
Regular vulnerability scanning and penetration testing
Security patching process in place for all systems
Redundant and resilient services engineered to protect against failures
The way in which your data will be processed may depend on the consultation and you will be provided with a privacy notice which attaches to the particular consultation.
The way in which your data will be processed may depend on the event and the way in which it is being administered and you will be provided with a privacy notice which attaches to the particular event.
We often take photos and film footage ("images") at Assembly events (on and off the estate). Images are used for the purposes of promoting the work of the Assembly and to engage with the people of Wales. We consider this task to be vital to fulfil the strategic goals of the organisation, as set out in the Assembly Commission Strategy 2016 – 2021.
Images recorded at events may be published on our social media platforms, our website or in printed and digital material. Images may be retained by the Assembly indefinitely. Any images which we publish into the public domain will remain there. Images and footage we retain could potentially be used, without context to the event photographed or filmed, to promote the work of the National Assembly for Wales and engage with the people of Wales.
If you do not want to appear in such media, please contact a member of staff – firstname.lastname@example.org
We operate CCTV across the Assembly Estates in order to: facilitate the safety and security of employees, contractors, visitors and members of the public; to protect and secure Assembly buildings, to prevent, detect and identify criminal activity or malpractice; for the apprehension and prosecution of offenders; and for investigations. CCTV is in operation within the Assembly sites, car parks and public areas (which may include areas outside of the National Assembly Estate). Images are routinely retained for a maximum of 31 days. Access to our SMS (security management system), including our CCTV, is robustly controlled with only appropriately trained, vetted and authorised staff granted access. Use of the CCTV system is governed by CCTV policy and user guidance.
Queries and any unsolicited correspondence made to the Assembly will be shared with Assembly staff in relevant service areas to take forward. Your contact details will not be used for any purpose other than to deal with your query, and will be retained for those purposes.
If you contact us asking for information, we may need to contact others to find that information. If your query does not fall under the remit of the National Assembly for Wales, we will inform you and pass your query on to the relevant organisation, if you would like us to do so. Once we have replied to you, we may keep a record of the correspondence message for audit purposes.
A full privacy notice will be available via recruitment forms and on our website over coming weeks.
Staff and Assembly Member Support Staff
Internal notices describing how your data is used will be available over coming months.
If you contact us via the website for the purposes of registration, email subscriptions, and other engagement activities, your information will only be used for those purposes.
Cookies are pieces of data that are often created when you visit a website and are stored in the cookie directory of your own computer. Cookies policy
Log files allow us to record visitors' use of the site. Log files do not contain any personal information or information about which other sites you have visited.
What happens when I link to another site?
The National Assembly for Wales app
The Assembly app allows you to find out about Assembly Members and the work of the Assembly; what's going to be debated this week in Plenary; visiting the Senedd in Cardiff Bay and attending a Plenary session; and how you can keep up to date with the latest developments via our social media channels.
The English and Welsh versions of the Assembly app are now live and available to download on Windows and Android devices.
Android: English | Welsh
Windows phone: English | Welsh
This app is provided by AppMachine. AppMachine gathers and processes anonymous information about users for analytical purposes and to ensure the app functions correctly. This includes user phone type, operating system, screen resolution, country, language, IP, and last location (however it is not necessary for you to provide location), and how they use the app. You can find more information about how AppMachine use information on their website.
Sharing of personal data
The Assembly may need to share your personal details with other people for legal reasons, such as courts and law enforcement agencies. The Assembly may also share it with its own professional advisers, auditors, insurers and other service providers. Privacy notices will also describe any further instances of sharing of data.
Requests for information made to the Commission
In the event of a request for information being made under access to information legislation, it may be necessary to disclose all or part of the information that you provide. This may include information which has previously been removed by the Assembly for publication purposes. We will only do this if we are required to do so by law.