Updates to this policy
Given recent changes in data protection law, we will update this page over coming months. Please check back for updates.
We will not however use any personal data in a way that is inconsistent with the original purposes for which it was obtained, without informing you first.
The Welsh Parliament is the data controller for all personal data that it holds. Personal data will be used in accordance with data protection legislation. This includes the UK Data Protection Act 2018 ('DPA 18') and the General Data Protection Regulation ('GDPR').
Please note this policy relates only to the use of personal data by the Welsh Parliament as a data controller. Member of the Senedd (MS) are data controllers in their own right, and are responsible for the personal data held and used by their offices.
Data Protection Officer
The Data Protection Officer for the Welsh Parliament can be contacted at firstname.lastname@example.org
What personal data does the Senedd use?
The Senedd uses personal data to fulfil Senedd functions and activities, these include: representing and engaging with the people of Wales, making laws for Wales, education and outreach, information and record keeping, Senedd administration, providing support to Members of the Senedd and their staff, employing staff, and crime prevention.
Full privacy notices for a number of our different activities will be provided in separate, dedicated privacy notices, but in summary, the main types of personal data the Senedd uses are:
- Evidence submissions of those who choose to submit to an Senedd Committee and other Senedd inquiries and consultations. This will include your contact details, sometimes your occupation and place of employment, and any opinions you express. Evidence submissions are usually published on our website. Witnesses sometimes also provide evidence in person;
- Contact details of stakeholders and members of the public who choose to engage with the Senedd or to receive updates about different activities, and information they provide in order to take part in engagement activities;
- Images and film images are taken at the Senedd or at Senedd events for engagement purposes. Engaging with the people of Wales is really important to us and images will often be used on our social media channels;
- CCTV is in operation across the Senedd estates. It is vitally important that the Senedd and those engaging with us are kept safe;
- Personal data of Members of the Senedd, Members of the Senedd Support Staff, and Senedd staff (and prospective staff) are used for the purposes of employment and Senedd administration;
- Senedd TV is the online broadcast channel for the Welsh Parliament. This website holds live and archived coverage of all Senedd proceedings taking place in public, including Plenary debates and Committee meetings;
What legal bases do we rely on for using your personal data?
The Senedd must have a lawful basis for processing your information, and which basis is engaged will depend on the activity or circumstance in which we are collecting and using information. A number of these activities are described below and further separate privacy notices will communicate the appropriate legal basis we are relying on, but, in summary:
Many of our activities relate to the official function as the Welsh Parliament. The legal basis we rely on to use personal data in these instances is often the bases known as 'public task' This basis is engaged where "the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law".
You have a number of rights in relation to the information that we hold about you. The rights which apply depend on the legal bases we are relying on to use your personal data. Those rights will not apply in all instances, and we will confirm whether or not that is the case when you make a request.
In summary the rights are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
If you would like to engage any of these rights, please email Informationemail@example.com.
Further details about your rights are available on the Information Commissioners Office (ICO) website https://ico.org.uk/for-the-public/
How your personal data will be stored
Information will normally be retained on our secure ICT infrastructure which includes third party cloud services provided by Microsoft. Any transfer of data by Microsoft outside of the EEA is covered by contractual clauses under which Microsoft ensure that personal data is treated in line with European legislation.
Sometimes we use third party applications such as Survey Monkey, Mail Chimp, Dialogue, EventBrite. Where this is the case, the relevant privacy notice will inform you of: any transfers of data outside of Europe; the safeguards which are in place to protect your data; and, direct you to information provided by that third party about how they will use your information.
We will ensure administrative, technical and physical security controls are in place to protect information and reduce the potential risks of loss or unauthorised use or disclosure. A summary of the technical controls in place include:
- Boundary firewalls implemented and continually updated
- Network support post established with specific responsibility for cyber security
- Automatic alerting and reporting of attempted Cyber-attacks
- Malware protection with regular update cycle in place for all systems
- Multi-factor authentication enabled for cloud services
- Advanced threat analytics enabled
- Intrusion detection processes
- Regular vulnerability scanning and penetration testing
- Security patching process in place for all systems
- Regular backups
- Redundant and resilient services engineered to protect against failures
The way in which your data will be processed may depend on the consultation and you will be provided with a privacy notice which attaches to the particular consultation.
The way in which your data will be processed may depend on the event and the way in which it is being administered and you will be provided with a privacy notice which attaches to the particular event.
We often take photos and film footage ("images") at Senedd events (on and off the estate). Images are used for the purposes of promoting the work of the Senedd and to engage with the people of Wales. We consider this task to be vital to fulfil the strategic goals of the organisation, as set out in the Senedd Commission Strategy 2016 – 2021.
Images recorded at events may be published on our social media platforms, our website or in printed and digital material. Images may be retained by the Senedd indefinitely. Any images which we publish into the public domain will remain there. Images and footage we retain could potentially be used, without context to the event photographed or filmed, to promote the work of the Welsh Parliament and engage with the people of Wales.
If you do not want to appear in such media, please contact a member of staff – contact@Senedd.wales
We operate CCTV across the Senedd Estates in order to: facilitate the safety and security of employees, contractors, visitors and members of the public; to protect and secure Senedd buildings, to prevent, detect and identify criminal activity or malpractice; for the apprehension and prosecution of offenders; and for investigations. CCTV is in operation within the Senedd sites, car parks and public areas (which may include areas outside of the Welsh Parliament Estate). Images are routinely retained for a maximum of 31 days. Access to our SMS (security management system), including our CCTV, is robustly controlled with only appropriately trained, vetted and authorised staff granted access. Use of the CCTV system is governed by CCTV policy and user guidance.
Queries and any unsolicited correspondence made to the Senedd will be shared with Senedd staff in relevant service areas to take forward. Your contact details will not be used for any purpose other than to deal with your query, and will be retained for those purposes.
If you contact us asking for information, we may need to contact others to find that information. If your query does not fall under the remit of the Welsh Parliament, we will inform you and pass your query on to the relevant organisation, if you would like us to do so. Once we have replied to you, we may keep a record of the correspondence message for audit purposes.
A full privacy notice will be available via recruitment forms and on our website over coming weeks.
Staff and Members of the Senedd Support Staff
Internal notices describing how your data is used will be available over coming months.
If you contact us via the website for the purposes of registration, email subscriptions, and other engagement activities, your information will only be used for those purposes.
Cookies are pieces of data that are often created when you visit a website and are stored in the cookie directory of your own computer. Cookies policy
Log files allow us to record visitors' use of the site. Log files do not contain any personal information or information about which other sites you have visited.
What happens when I link to another site?
The Welsh Parliament for Wales app
The Senedd app allows you to find out about Members of the Senedd and the work of the Senedd; what's going to be debated this week in Plenary; visiting the Senedd in Cardiff Bay and attending a Plenary session; and how you can keep up to date with the latest developments via our social media channels.
The English and Welsh versions of the Senedd app are now live and available to download on Windows and Android devices.
Android: English | Welsh
Windows phone: English | Welsh
This app is provided by AppMachine. AppMachine gathers and processes anonymous information about users for analytical purposes and to ensure the app functions correctly. This includes user phone type, operating system, screen resolution, country, language, IP, and last location (however it is not necessary for you to provide location), and how they use the app. You can find more information about how AppMachine use information on their website.
Sharing of personal data
The Senedd may need to share your personal details with other people for legal reasons, such as courts and law enforcement agencies. The Senedd may also share it with its own professional advisers, auditors, insurers and other service providers. Privacy notices will also describe any further instances of sharing of data.
Requests for information made to the Commission
In the event of a request for information being made under access to information legislation, it may be necessary to disclose all or part of the information that you provide. This may include information which has previously been removed by the Senedd for publication purposes. We will only do this if we are required to do so by law.