Public Appointments Privacy Notice

Published 18/08/2021   |   Last Updated 19/01/2024   |   Reading Time minutes

The information in this privacy notice explains how the Commission uses your personal information when appointments are made to certain statutory public offices and non-statutory offices which are made by:

His Majesty on the nomination of the Senedd

These appointments include the:

  • Auditor General for Wales
  • Public Services Ombudsman for Wales

The Senedd

These appointments include the:

  • Commissioner for Standards
  • Chair and Non-Executive Members of the Wales Audit Office

Senedd Commission

These appointments include the:

  • Independent Remuneration Board of the Senedd
  • Independent Advisers to the Commission.

This notice relates to information processed during the phase of recruitment of Public Appointees and Independent Advisers only. A separate notice will be provided to successful appointees to describe how their information will be used throughout the term of their appointment.

Why we are collecting your information

The Commission collects personal data to facilitate the administration of all the above appointment processes. The information is used to enable us to consider your suitability for the above appointments. You do not have to provide what we ask for, but it may affect our ability to process your application and assess your suitability for the relevant position if you do not with the exception of diversity information.

What information we will collect

Personal data processed includes personal details such as your title, name, home address, email address and telephone number; details of your education and profession; references; and information you have given via application forms, CVs, and personal statements. It also includes information gathered for the purpose of due diligence checks and any diversity monitoring information.

Special categories of data may also be processed including your ethnicity, nationality, political opinions, sexual orientation, disability, and religion/belief. 

The completion of the diversity information form is voluntary, but we do encourage applicants to provide this information to assist us with our monitoring responsibilities. Your diversity information will be treated as confidential and will be held separately; it will not be seen by the appointment panel. 

We utilise any declaration of disability to enable us to assess and make reasonable adjustments to the recruitment process should they be required by the applicant.

If invited to interview please be aware that we have on-site CCTV.  Images are monitored and recorded for the purpose of crime prevention and public safety. 

Further information processed at pre-appointment stage

If you are successful at interview, we will also ask you to provide:

  • Contact details of referees.
  • Bank details (except for Non-Executive Members of Wales Audit Office).
  • Valid Driving Licence / Passport.
  • Completed Criminal Record Declaration (CRD) form.

The CRD form contains its own Privacy Notice setting out how our Vetting Office uses the information you provide. This may include obtaining information about criminal convictions, cautions or other offences committed, whether past, current, or pending.

What we will do with the personal information you provide

During the appointment process the Commission, and any other parties involved in the appointment process, will use your personal information to:

  • Evaluate your application and assess your suitability for the role in question;
  • Make a decision about whether you should be selected for interview and appointment;
  • Conduct relevant pre-appointment screening (e.g.  National Security Vetting checks, obtain references);
  • Review and audit the process and its outcomes;
  • Carry out diversity monitoring activities.

Your information will be stored on the Commission’s ICT network, which includes third party cloud services provided by Microsoft. Any transfer of data by Microsoft outside of the UK and the EEA is covered by contractual clauses under which Microsoft ensure that personal data is treated in line with relevant data protection legislation. To find out more about how Microsoft will use your information, you can read their privacy statement here.

Sharing personal information

We sometimes need to make personal data available to others.  Where we need to do so, we ensure that this data sharing complies with data protection legislation.


Information relating to the successful Auditor General Wales appointee will be shared with the:

  • Crown Office
  • Audit Wales
  • The public via a public notice

Information relating to the successful Public Service Ombudsman for Wales appointee will be shared with the:

  • Crown Office
  • The public via a public notice and the Senedd Website

Information relating to the successful Commissioner for Standards  appointee will be shared with:

  • The public via a press release and the Senedd website

Information relating to the successful Chair and Non-Executive Members of the Wales Audit Office will be shared with:

  • Audit Wales

Information relating to the successful Remuneration Board appointments  will be shared with the:

  • Senedd
  • the public via a press release and the Commission website.


Details about successful applicants may also be published in Committee reports which will remain permanently online. Where appointments are discussed in a Senedd Committee or Plenary, this will be form part of the official record and be broadcast on Senedd TV and will remain permanently online.

Some of your personal information will also be exchanged with third parties where it is necessary to carry out pre-appointment screening e.g. UK National Security Vetting and/or obtaining references.

Other than as set out above, your information will only be accessed and processed by authorised staff of the Commission who are directly involved in the management and administration of the process and have a business need to do so. 

The Commission may also disclose applicant information to other third parties, for example in order to establish or defend the legal rights of the Commission, or in an emergency where the health or personal security of an applicant is at risk.

Executive Search Agencies

We may use an Executive Search Agency to assist in securing the appointment. Information will be used and kept by them in line with their own policies. The appointed agency will provide details about their use if your information in their respective privacy notice.

How long your information will be retained

Personal details of unsuccessful applicants will be retained for 12 months before being securely deleted or destroyed.  

Save where information is made public, the personal data of successful candidates will be kept for the duration of their appointment. Once this relationship ends, your data will be securely deleted or destroyed.

Information provided in the diversity monitoring forms will be anonymised following receipt

Our lawful bases for collecting, holding and using your personal information

Data protection law sets out various lawful bases which allow us to collect, hold and use your personal information. These are:

  • Where we use your personal information to carry out our public functions. It is part of the Commission’s official functions to facilitate these appointments. 
  • Where the processing is necessary in order to take steps to enter into a contract with you such as your terms and conditions of appointment
  • Where we are under a legal obligation which requires us to process your personal information. An example of this is where we need to make
  • reasonable adjustments to enable an applicant to take part in the recruitment process;
  • Where we process your information in order to protect your vital interests. An example of this would be if we shared information about your health if a medical emergency occurred whilst you were on site;
  • Data protection law recognises certain “special categories” of information. These are defined as information revealing a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic information, biometric information used to uniquely identify a person, information concerning heath, and information concerning a person’s sex life or sexual orientation.

These special categories are considered particularly sensitive and are afforded special protection. This is also the case for information relating to criminal offences or convictions. An example of this is the due diligence checks we undertake to ensure that all office holders have the necessary trustworthiness, integrity, and reliability. We will only collect and use these categories of information where we:

  • consider it necessary and in the substantial public interest to do so, usually to meet our statutory and public functions;


  • where you have given us your explicit consent to do so.

Your rights

As a data subject, you have a number of rights. The rights which apply depend on the legal bases we are relying on to use your personal information. Those rights will not apply in all instances, and the Commission will confirm whether or not that is the case when you make a request.

The rights include the right to request access to your own personal information, sometimes called a ‘subject access request’.

Additionally, you have the right to request from us:

  • that any inaccurate information we hold about you is corrected (please note that you are required to keep us up to date with any changes to your personal information);
  • that information about you is deleted (in certain circumstances);
  • that we stop using your personal information for certain purposes or in certain circumstances;
  • that we consider any objection you make regarding processing that we carry out and which is based on our ‘public task’; and
  • that your information is provided to you or a third party in a portable format (again, in certain circumstances).

If you would like to engage any of the rights that you have under data protection legislation or ask a question, please contact the Data Protection Officer using the contact details above.

Requests for information made to the Commission

The Commission is subject to access to information legislation. In the event of a request for information being made under access to information legislation, it may be necessary to disclose all or part of the information that you provide. This may include information which has previously been removed by us for publication purposes. We will only do this if we are required to do so by law.

How to complain 

You can complain to the Data Protection Officer if you are unhappy with how we have used your data. Contact details can be found above. 

 If, following a complaint, you remain dissatisfied with our response, you can also complain to the ICO. The ICO’s address is:       

Information Commissioner’s Office  

Wycliffe House, Water Lane , Wilmslow, Cheshire, SK9 5AF  

Helpline number: 0303 123 1113 

Changes to our privacy notice

We keep this privacy statement under regular review and will place any updates on this website. This privacy notice was last updated on 11 August 2021.

How to contact us

The Senedd is the data controller of the information you provide, and will ensure it is protected and used in line with data protection legislation.

If you have any further questions about the way in which we process personal data, or how to exercise your rights, please contact our Data Protection Officer at: 
Tŷ Hywel, Pierhead Street, Cardiff Bay CF99 1SN
0300 200 6494