Our contact details
Any queries regarding our use of your information should be sent to the Data Protection Officer at:
0300 200 6565
How will your information be used?
The Senedd Commission is the data controller of the information you provide and will ensure it is protected and used in line with the UK’s data protection legislation.
The Senedd Online Security Intelligence (‘SOSI’) project operated by the Members Security team (‘MST’) involves the deployment of targeted searches utilising the Pulsar platform. These searches use specific keywords combined with the names and any known or common nicknames or monikers (both affectionate and derogatory) for Members of the Senedd, to identify whether the communication about or against the Member is criminal in nature.
When an alert is received, the Member Security Team (MST) assesses its content to determine if it meets the criminal threshold, using relevant legislation such as the Malicious Communications Acts and the Online Safety Act as reference points. If the alert is considered potentially criminal, the MST collects and securely stores the necessary evidence, works in partnership with the Senedd Police Unit, and submits a report to the Police, ensuring all required documentation is included. Once evidence of criminal behaviour has been provided to the Police, any screenshots or other captured personal information are deleted from MST records.
In cases involving Ministers, relevant details are also shared with Welsh Government Security if legislations are breached, and evidence is retained in accordance with established retention schedules. If the alert does not meet the criminal threshold, all images or personal data are promptly deleted, with only statistical data kept for reporting and analysis.
What information are we processing?
Pulsar returns publicly available information found on media and social media platforms on the internet. Due to the open nature of social media platforms, the MST cannot control the information that is returned by the search. However, the MST are committed to only processing information for as long as required to meet the purposes of the trial, with any unneeded, unnecessary or misidentified information being deleted at the earliest opportunity, in line with MST’s retention criteria.
When an alert is triggered relevant to the Malicious Communications search, examples of the communication(s) will be sent via email to the Member Security mailbox where certain elements of the message will be partially visible, including the first few words and the username of the individual making the post
The information that Pulsar returns is already within the public domain. The MST has no control over what individuals post online so can only provide an overview of the types of personal information it may potentially process if one of it searches returns a result.
The following breakdown comprises a broad overview of the types of personal information the MST might process when a search result is returned:
- Personal data: The search return will always include the author (of the highlighted communication’s) username. Other personal data may include the individuals name, date of birth or email address, depending on the content of the communication.
- Special category data: There is a likelihood of searches returning information that may be considered special categories of personal data. It is not the intention, nor desire of the MST, to record or process this information in anyway further past its initial appearance in a search, unless the communication is identified as in breach of the criminal threshold. Special category data includes data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health information, and sexual life or orientation.
If the MST believes that a communication breaches the criminal threshold and requires reporting to the Police, a screenshot of the communication on the source platform (i.e. on X or Facebook) will be captured.
Why are we processing it?
In recent years the level of abuse and threats directed towards Members of the Senedd from individuals online has increased.
The MSTs main objective with this project is to proactively monitor online platforms for potential threats or abusive content that could constitute criminal activity directed at Members of the Senedd.
When such material is identified, the details will be passed to the Police for reporting on the Member’s behalf.
Who will have access to the information?
Information collected during the SOSI trial will be accessible only to the MST and the data analyst. The Members Security Team will use this information to carry out their official duties, while the data analyst will have access the search results to support the setup and management of new or ongoing searches within the Pulsar platform.
Will the information be shared with any third parties, or publicised?
Information collected during the SOSI trial will not be publicised or shared with third parties except in circumstances where a breach of criminality is identified. In such cases, relevant details will be shared with the Police, Senedd Police, Welsh Government, Senedd Members, and the UK Parliament as required. This sharing is strictly governed by legal and policy requirements, ensuring that only necessary information is disclosed to support investigations and safeguard individuals.
The Pulsar platform display publicly available information that has been uploaded to the internet via various media and social media platforms. For further information on how Vuelio and Pulsar process your personal data, please visit their respective privacy notices via the following links:
Pulsar: Privacy Policy (pulsarplatform.com)
- Pulsar hosts its data in Ireland.
- The Pulsar Group (who manages the Pulsar brands) complies with the standard contractual clauses as the data transfer mechanism of transferring UK/EU data to countries subject to data transfer requirements. To find out more please visit: Privacy Policy | Pulsar | How we approach transferring and processing your Personal Data internationally
Storage, retention and deletion
The information will be stored securely on our ICT systems which includes third party cloud services provided by Microsoft.
We may also use of Microsoft’s artificial intelligence tools to process your information. Any transfer of data by Microsoft outside of the EEA is covered by contractual clauses under which Microsoft ensure that personal data is treated in line with domestic legislation. To find out more about how Microsoft will use your information, you can read their privacy statement.
Communications identified as criminal are retained in line with existing retention periods:
- Tier 1: Immediate threat of death, violence or damage to property leading to possible injury or death. Retention period defined as 10 years from the initial report date. Based on two full Senedd terms.
- Tier 2: Confirmed Malicious communications Attacking an individual based on primary or protected characteristics Retention period defined as 5 years from the initial report date. Based on one full Senedd term.
- Tier 4: Suspected Malicious communications
If a communication has been highlighted and is awaiting confirmation from Police colleagues as to whether they believe it to be reportable, retention period of 12 weeks. If it is confirmed to be reportable, the data is to be moved to Tier 2 with a retention period of 5 years.
Any information that is not believed to be criminal, and does not fit with the retention criteria above, is deleted by the MST.
Legal basis for processing Personal Data
Data protection law sets out various legal bases which allow us to collect, hold and use your personal information. For the purpose of processing the personal data you provide, we rely on the following legal bases:
Article 6(1)(e) UK GDPR: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller:
The Senedd Commission has a statutory function under section 27(5) of the Government of Wales Act 2006 (“GOWA”) to provide to the Senedd, or ensure that it is provided with, the staff and services required for the Senedd’s purposes. This function encompasses a wide range of services that are necessary to meet the Senedd’s purposes. In accordance with paragraph 4 of Schedule 2 to GOWA, the Commission may do anything which appears to it necessary or appropriate for the purpose of, or in connection with, the discharge of its functions.
This includes, so far as is possible, ensuring that Members of the Senedd are able to undertake their functions as elected representatives without fear for their safety or being subject to communications designed to, amongst other things, cause distress or anxiety.
Article 6(1)(f) UK GDPR: processing is necessary for the purposes of a legitimate interest:
There may be circumstances where it is necessary to process personal data in a way that falls outside of the Senedd Commission’s public functions but are necessary for the purposes of meeting a legitimate interest.
For example, during the course of communications monitoring, it may become apparent that a specific threat has been made to an individual other than a Member of the Senedd. In these circumstances, it may be necessary to report that communication to the police in order to seek to protect that individual or enable the investigation of a potential criminal offence.
Article 6(1)(c) UK GDPR: processing is necessary for compliance with a legal obligation to which the controller is subject:
In many scenarios, there is no positive duty for information to be proactively provided to the police or other external body and any data sharing would be undertaken under an alternative Article 6 lawful basis. However, there are exceptions to this. For example, under the Terrorism Act 2000, there is a duty to provide information to the police where it is believed that it might be of material assistance in preventing the commission of an act of terrorism or apprehending, prosecuting or convicting a person for an offence involving the commission, preparation or instigation of an act of terrorism.
In situations where there is a legal obligation to process information in a certain way, including data sharing, this will be undertaken on the basis that it is necessary for compliance with a legal obligation.
Legal basis for processing Special Category Data
Article 9(1) GDPR defines special category personal data as including personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Article 9(2)(e) UK GDPR: processing relates to personal data which are manifestly made public by the data subject.
Due to the public nature of social media platforms and the method behind communications monitoring, personal data will be processed as a result of the searches deployed by the Member Security team against information that has been made publicly available by data subjects, such as on social media.
This may include special category personal data that has manifestly been made public by the data subject.
Article 9(2)(g) UK GDPR: processing is necessary for reasons of substantial public interest
For the reasons set out above (in particular, see information provided in relation to processing under Article 6(1)(e) UK GDPR), it will be necessary to process personal data for reasons of substantial public interest. Given the nature of online communications, this may encompass special category personal data which would need to be processed in order to meet the purpose of communications monitoring.
Where we process personal data because it is necessary for reasons of substantial public interest, we are also required to meet an additional condition in Schedule 1 to the Data Protection Act 2018 (“DPA”). The additional conditions we may rely on are as follows:
- Paragraph 6 of Schedule 1: Statutory and government purposes;
- Paragraph 10 of Schedule 1: Preventing or detecting unlawful acts.
Criminal offence data:
Data protection legislation gives extra protection to “personal data relating to criminal convictions and offences or related security measures”. This is referred to as criminal offence data.
The nature of information posted on social media and other publicly accessible information means that, as part of communications monitoring, it may be necessary for the Commission to process personal data constituting criminal offence data.
In accordance with section 10 of the DPA, when we process criminal offence data, we are required to meet an additional condition under Schedule 1 of the DPA, in addition to our legal basis under Article 6 UK GDPR (and Article 9 UK GDPR when processing special category data). In particular, where we process special category data for reasons of substantial public interest, that condition(s) must fall within Part 2 of Schedule 1 to the DPA. The conditions relied upon are:
- Paragraph 6 of Schedule 1: Statutory and government purposes;
- Paragraph 10 of Schedule 1: Preventing or detecting unlawful acts.
Sharing data
In the event of a request for information being made under access to information legislation, it may be necessary to disclose all or part of the information that you provide. We will only do this if we are required to do so by law.
Your rights
As a data subject, you have a number of rights. The rights which apply depend on the legal bases we are relying on to use your personal information. Those rights will not apply in all instances, and the Commission will confirm whether or not that is the case when you make a request.
The rights include the right to request access to your own personal information, sometimes called a ‘subject access request’. Additionally, you have the right to request from us:
- that any inaccurate information we hold about you is corrected (please note that you are required to keep us up to date with any changes to your personal information);
- that information about you is deleted (in certain circumstances);
- that we stop using your personal information for certain purposes or in certain circumstances; and that your information is provided to you or a third party in a portable format (again, in certain circumstances).
If you would like to engage any of the rights that you have under data protection legislation ask a question or make a complaint about how your information is used.
Making a complaint
You can complain to the Data Protection Officer if you are unhappy with how we have used your data. Contact details can be found above.
If, following a complaint, you remain dissatisfied with our response, you can also complain to the ICO.
The ICO’s address:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Helpline number: 0303 123 1113