The Senedd Commission (“the Commission”) is the data controller of the information you provide, and will ensure it is protected and used in line with data protection legislation.
Our Contact Details
Any queries regarding our use of your information should be sent to the Data Protection Officer at:
0300 200 6565
What is the information?
To ensure the safety of all building users during the COVID-19 pandemic, personal data must be provided to the Commission by all external attendees entering the Senedd estate that are not Senedd passholders or staff members. This information includes:
- Your name
- Your contact details
Why are we collecting it?
The information collected will be used to guarantee that we are meeting our legal obligations to ensure that those who visit the Senedd estate can do so in a safe manner without the need to accept unreasonable risk.
The information also helps us to demonstrate compliance with coronavirus legislation, guidance and internal risk assessment requirements. The Commission is required by law to take “reasonable measures” to minimise the risk of exposure to coronavirus. The collection of Test, Trace, Protect information enables us to respond to any potential outbreak originating from our premises, and meet any request from the NHS Test, Trace, Protect service for information that assists in reducing the risk of transmission of coronavirus.
Who is collecting and analysing the information?
Those inviting or making arrangements for external attendees to come on to the Senedd estate will collect your name and contact details. This information will be shared with our Estates and Facilities Management Department who collate numbers on the estate and for the purpose of TTP. The information will also be shared with the Commission’s HR-Health and Safety team for the purposes of NHS Wales Test, Trace and Protect Service.
Will it be shared or publicised?
Information may be shared with the NHS Wales Test, Trace and Protect service where it is requested by them. They will only request this information where necessary, because:
- someone who has tested positive for coronavirus has listed our premises as a place they have worked at or visited recently;
- the service has identified our premises as the location of a potential cluster or outbreak of coronavirus.
We may also share the information with enforcement bodies to demonstrate compliance with health and safety law or respond to any potential breach of coronavirus regulations.
Where will it be stored?
The information will be stored securely on our ICT systems. Our ICT system includes third party cloud services provided by Microsoft. Any transfer of data by Microsoft outside of the EEA is covered by contractual clauses under which Microsoft ensure that personal data is treated in line with European legislation. To find out more about how Microsoft will use your information, you can read their privacy statement here.
How long is it stored for?
The information will be retained for 21 days. This is to ensure that we can comply with our obligations in health and safety, and coronavirus, legislation.
How is it destroyed?
The information will be securely deleted from the ICT system following the end of the retention period.
You have certain rights over the information we hold. In summary the rights are:
- The right to be informed about how your personal information is used;
- The right of access to copies of your personal information;
- The right to rectification if your information is inaccurate;
- The right to erasure of your personal information;
- The right to restrict our use of your personal information;
- The right to object to the use of your personal information.
If you would like to engage any of these rights, please email email@example.com
Our legal bases for collecting, holding and using your personal information
Data protection law sets out various legal bases which allow us to collect, hold and use your personal information. For the purpose of processing the personal data you provide, we rely on the following legal bases:
The processing is necessary for the performance of a task carried out in the public interest
The Commission has a statutory function of ensuring that the Senedd is provided with the services it requires for its purposes. This includes ensuring that appropriate measures are in place to ensure the health and safety of those who visit the Senedd estate, and mitigate any risks stemming from the COVID-19 pandemic.
It is also important that those who visit the Senedd estate have trust in the Commission to provide them with a safe, working environment. Allowing individuals to take unreasonable risk when visiting the estate would be likely to diminish that trust and could have an effect on the ability of the Senedd and elected representatives to carry out their democratic function.
The processing is necessary for compliance with a legal obligation
The Commission has a general duty of care in health and safety legislation to those who visit the Senedd estate. It must ensure that, so far as reasonably practicable, those individuals are not exposed to risks to their health and safety, and that its premises are safe.
The data processed will help to ensure that the Commission can best meet its obligations in coronavirus regulations by ensuring that the Senedd estate can be used without unreasonable risk, taking into account the unique risks created by the COVID-19 pandemic. The Commission is under a legal obligation to take “reasonable measures” to minimise the risk of exposure to coronavirus of those who visit our premises.
The collection of Test, Trace, Protect information enables us to respond to any potential outbreak originating from our premises, and meet any request from the NHS Test, Trace, Protect service for information that assists in reducing the risk of transmission of coronavirus.
Special category personal data
We may process special category personal data, although we anticipate this processing will be very limited and have taken steps to ensure that this type of data processing is kept to a minimum. Special category personal data is defined as including data concerning health. So, in practical terms, any processing of special category personal data is only likely to take place so far as it relates to health.
Special category data will be processed on the basis that it is necessary for reasons of substantial public interest, read in conjunction with paragraph 6 of Schedule 1 to the Data Protection Act 2018. This is to ensure that the Commission can continue to provide a safe environment to those who use or visit the Senedd estate. This, in turn, ensures that the Senedd, and the work carried out by elected representatives, can continue to function in an effective manner without unreasonable risk having to be taken by those who attend the estate.
It will also be processed on the basis that the processing is necessary for reasons of public interest in the area if public health, read in conjunction with paragraph 3 of Schedule 1 to the Data Protection Act 2018. This is to ensure that the Commission is able to respond to threats to public health, in this case the coronavirus pandemic.
Requests for information made to the Commission
In the event of a request for information being made under access to information legislation, it may be necessary to disclose all or part of the information that you provide. We will only do this if we are required to do so by law.
How to complain
You can complain to the Data Protection Officer if you are unhappy with how we have used your data. Contact details can be found above.
If, following a complaint, you remain dissatisfied with our response, you can also complain to the ICO.
The ICO’s address is:
Information Commissioner’s Office
Helpline number: 0303 123 1113