This privacy notice explains how the Senedd Commission uses personal information about you for the purpose of providing or obtaining legal advice.
Who we are
The Senedd Commission (“the Commission”) is the controller of the information we hold about you, and will ensure it is protected and used in line with data protection law.
If you have any questions about the way in which we process personal data, or wish to exercise your rights, please contact our Data Protection Officer at:
Tŷ Hywel,
Pierhead Street,
Cardiff Bay
CF99 1SN
0300 200 6494
The purpose of the processing
During the course of our work, information containing personal data may be passed to the Commission’s Legal Service for the purpose of obtaining legal advice in relation to functions of the Commission and the Senedd. In considering and providing advice, the Commission’s Legal Service will consult and store that personal data, and may share it with others.
The categories of information processed
This will depend upon the information provided to the Legal Service in connection with the request for legal advice. Where a request for legal advice relates to an individual, the information provided will normally contain the individual’s name and other personal data which is relevant to the request, such as elements of the individual’s personal circumstances.
In some cases, personal data which falls within the definition of “special category” personal data may also be included if it is relevant to the request. For example, this could include details about race or ethnic origin, political or religious views, sex life or sexual
orientation, trade union membership, physical or mental health, genetic data or any
criminal offences.
Source of the information
Information containing personal data processed by the Commission’s Legal Service is, in most cases, provided by staff of the Commission, or by Members of the Senedd and / or their staff. This information will have been obtained by persons from different sources, including, in many cases, from the data subject themselves. For example, where Commission staff seek advice from the Legal Service in connection with written evidence submitted by an individual to a Committee, the original source of the information will likely be the data subject themselves. The privacy notices relating to specific processing activities will provide further information on the original source of the information containing personal data.
In some instances, the Legal Service may receive information containing personal data directly from other persons or organisations, such as the Senedd Commissioner for Standards, the Remuneration Board, the Welsh Government, UK Government, or from external legal firms or barristers in connection with legal work which has been outsourced to them.
The lawful basis for processing
The lawful basis for the processing of personal data for the purpose of obtaining legal advice is that it is necessary for a task carried out in the public interest. Where legal advice is sought, this is necessary for the exercise of the functions of the Senedd and / or the Commission. The lawful basis for processing personal data is therefore Article 6 (1)(e) UK GDPR and section 8(d) of the Data Protection Act 2018.
For any queries which involve the processing of special category data or data relating to criminal convictions or offences, the conditions for the processing will, depending on the circumstances, be:
- that is necessary to carry out or exercise obligations or rights in the sphere of employment law - Article 9(2)(b) / Article 10 UK GDPR and Part 1 of Schedule 1, paragraph 1 of the Data Protection Act 2018;
- that it is necessary in connection with any legal proceedings, including prospective legal proceedings; to obtain legal advice; or for the establishment, exercise or defence of legal claims - Article 9(2)(f) or Article 10 UK GDPR and Part 3 of Schedule 1, paragraph 33 of the Data Protection Act 2018;
- that it is necessary for reasons of substantial public interest. The substantial public interest lies in the importance of the Senedd and the Commission exercising their functions lawfully - Article 9(2)(g) / Article 10 UK GDPR and Part 2 of Schedule 1, paragraph 6 of the Data Protection Act 2018.
Data sharing
Personal data may be shared with the Legal Service’s ‘client’ ie the person or organisation requesting legal advice. It may also be passed to external legal firms or barristers by our Legal Service, or by other Commission staff directly, for the purpose of obtaining confidential legal advice in connection with the Commission’s functions, or the functions of the Senedd. Any such information is shared on a confidential basis for the purpose of providing, or obtaining, legal advice.
Security and retention of data
A record of the request for legal advice and the advice provided (both of which may
contain personal data) will be retained in accordance with the periods set out in the Legal Service’s retention schedule (see annex). Access to electronic files is restricted to
relevant members of the Legal Service. Any hard copy information is stored securely in lockable filing cabinets.
Electronic files are stored on the Commission’s ICT network, which includes third party cloud services provided by Microsoft. Any transfer of data by Microsoft outside of the UK and the EEA is covered by contractual clauses under which Microsoft ensure that personal data is treated in line with applicable data protection legislation.
Your rights
The GDPR sets out the rights which individuals have in relation to personal
information held about them by controllers. These rights are listed below,
although whether you will be able to exercise each of these rights in a particular case
may depend on the purpose for which the data is processed and the legal basis upon which the processing takes place.
In the context of obtaining legal advice, for example, the following rights do not apply
in cases where it is necessary to disclose the personal data for the purpose of:
- legal proceedings (including prospective legal proceedings),
- obtaining legal advice, or
- establishing, exercising or defending legal rights,
but only to the extent that the application of the following rights would prevent us
from disclosing the personal data for these purposes.
Access to your information – you have the right to request a copy of the personal information about you that we hold.
Correcting your information – we want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards.
Deletion of your information – you have the right to ask us to delete personal information about you where:
- you consider that we no longer require the information for the purposes for which it was obtained;
- you have validly objected to our use of your personal information – see ‘objecting to how we may use your information’ below; or
- our use of your personal information is contrary to law or our other legal obligations.
Objecting to how we may use your information – where we use your personal
information to perform tasks carried out in the public interest then, if you ask us to, we will stop using that personal information unless there are overriding legitimate grounds for us to continue.
Restricting how we may use your information – in some cases, you may ask
us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold or assessing the validity of any objection you have made to our use of your information. The right might also apply where this is no longer a basis for using your personal information but you don't want us to delete the data. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.
If you would like to: engage any of the rights that you have under data protection legislation; ask a question; or make a complaint about how your information is used; please contact the Data Protection Officer using one of the methods set out below.
If you are dissatisfied with how we are using your personal information, please contact our Data Protection Officer and we will try to resolve any issues you may have.
You can also make a complaint to the Information Commissioner’s Office (ICO) if you believe we have not used your information in line with the law. The ICO’s contact details are:
Wycliffe House,
Water Lane,
Wilmslow
SK9 5AF
0303 123 1113
Requests for information made to the Commission
The Senedd is subject to access to information legislation. In the event of a request for information being made under access to information legislation, it may be necessary to disclose all or part of the information that you provide. However, we will only do this if we are required to do so by law.
Changes to our privacy statement
We keep this privacy statement under regular review and will place any updates on this website. Paper copies of the privacy statement may also be obtained using the contact information below. This privacy statement was last updated on 10 August 2021.
ANNEX – LEGAL SERVICES RETENTION SCHEDULE (EXTRACT RE: TYPES OF ADVICE)
| Legal advice in relation to data subject requests made under the UK GDPR | Advice on what constitutes personal data; applicability of exemptions; bundles for disclosure and / or redaction | 6 years | Statutory limitation |
| Legal advice in relation to requests made under freedom of information legislation | Advice on the scope and handling of request; the applicability of exemptions etc | 6 years and following review | Business need |
| Supreme Court proceedings | Correspondence; court documents | Indefinitely | Business need |
| Litigation | Judicial review; procurement challenges | Indefinitely – for court documentation; and the remainder of the relevant term plus two Senedd terms for everything else |
Business need |
| Licences and leases | With external parties; in relation to Tŷ Hywel | 12 years from the end of the lease / licence agreement | Statutory limitation |
| Legal advice not captured under any other heading which contains personal data | Advice in relation to the Commissioner for Standards; Senedd Members; MS’ staff; the Remuneration Board; and Commission colleagues | The remainder of the relevant term plus two further Senedd terms | Business need |