Summary Privacy notice for Members of the Senedd

Published 20/07/2021   |   Last Updated 20/07/2021   |   Reading Time minutes

Who we are

The Senedd Commission (‘Commission’) is the data controller of the information you provide, and will ensure it is protected and used in line with data protection legislation. This Privacy Notice outlines the personal data that we collect from you and how we use it.

Everything that we do to your data – for example storing it, working with it or deleting it – is referred to as ‘processing’.

Data Protection Officer 

If you have any questions about the way in which we process your personal data, or how to exercise your rights, please contact our Data Protection Officer at: 

Tŷ Hywel, Pierhead Street, Cardiff Bay CF99 1SN 

0300 200 6494 

Purpose of use of Members’ information

Throughout the course of and beyond your term as a Member of the Senedd (‘Member’), the Commission will process your personal data. This is in order to:

  • enable the provision of staff, services and facilities to Members;
  • support the functioning of the Senedd and enable Members’ participation;
  • explain and promote the work of the Senedd, to include promoting public awareness of elections;
  • enable the Commission to fulfil its legal obligations;

What information are we collecting

General, administration, HR, and financial information which includes:

  • general correspondence with Commission staff
  • contact information such as name, address, email address, phone number, car registration, and a photograph
  • biographical  information
  • date of birth, marital status, nationality, emergency contact and next of kin details
  • information generated through the electoral process
  • information which will allow us to pay you, such as bank account details, payroll records, National Insurance number and tax status information
  • pension records
  • data concerning a Member’s health or personal circumstance
  • expense claims and associated correspondence
  • personal data relevant to complaints and investigations
  • surveys and consultation responses
  • information relating to the provision of advice to Members and any issues Members ask to be addressed
  • complaints you have made or are the subject of
  • personal data about attendance at training courses and events
  • referrals to the Standards Commissioner
  • accident records and investigations
  • covid related records such as risk assessments
  • information relevant to the work of Cross-Party Groups

Information generated through the work of official Senedd Business

  • biographical details and photographs
  • your contributions and mentions in the official record
  • report recommendations, opinions, quotes, drafting comments, email and paper correspondence
  • information relevant to registration of interests (including recording the employment of family members with Senedd Commission funds)
  • information relevant to the tabling of business (including, questions, motions, amendments and statements of opinion)
  • requests and information provided to, and correspondence with, the Research Service
  • information provided to or subject to translation services
  • passport and travel details used for travel arrangements, such as Committee overseas travel

Broadcast and Senedd TV

  • Public committee meetings and plenary are filmed and broadcast via Senedd TV, and made available via social media channels. Members must be aware of the very public nature of business proceedings.

Legal advice

  • Information relating to requests for, or provision of legal advice

Library services

  • Information relating to circulation of library materials and access to subscription services

Communications and engagement

  • photographs, videos and biographical information used for explaining and promoting the work of the Senedd and Members’ participation in the work of the Senedd 
  • press releases
  • your participation in events such as focus groups and panel discussions
  • event registration and booking information
  • information about room bookings and usage


  • personal data required to provide security measures
  • information required for, and captured by the use of your security pass
  • your images captured on CCTV


  • personal data required to provide you with equipment and accommodation
  • information relating to post room and copy unit activities
  • Information relating to management of car parking
  • Information relating to personal emergency evacuation plans and  fire evacuation


  • Usage of ICT systems
  • Service and equipment requests
  • It is a condition of access to the Senedd ICT System that the Senedd Commission may, without notice, check and make and keep copies of all information, (which includes, but is not limited to, telephone calls and any electronic communications, stored information and data sent, received, created or contained within the Senedd ICT System) for the purposes of ensuring the security and appropriate use of the system. Further details may be found in the ICT Use and Security Conditions


  • information captured by requests made under access to information legislation(such as Freedom of Information and Subject Access requests),
  • information which forms part of internal audits and reviews
  • information relating to insurance claims
  • information relating to whistleblowing disclosures
  • business continuity records 
  • Information about whether you have read and understood certain commission policies, and any survey responses relating to policies

Who will have access to your information?

Commission staff who have a business need to access you information will have access to it. Where necessary, the Commission may share Members’ personal data with third parties, these include: 

  • The general public (for example, via the Senedd website, social media, or press releases)
  • Pension trustees and the Members pension scheme
  • Government Actuary’s Department
  • HMRC
  • External Payroll provider
  • Occupational Health provider
  • Providers and training and development activities
  • Auditors and Audit Wales
  • Remuneration Board (the Remuneration Boards privacy notice is available: Privacy policy - Remuneration Board)
  • Commissioner for Standards
  • The Electoral Commission
  • External legal advisors
  • Third parties for the independent investigation of complaints, such as the police and local authorities Third parties for the independent investigation of complaints
  • Security related bodies
  • Cycle Solutions (Cycle to Work Scheme)
  • Cardiff Bus (Annual Season Ticket Scheme)
  • Q-Park (Car Parking)
  • Other providers of goods and services contracted by the Senedd Commissions

The Commission may also disclose your information to other third parties for example, in order to establish or defend the legal rights of the Commission, or in an emergency where your health or personal security is at risk.

Storage of your information

Your information will be stored in a range of information systems, some of which are provided are by third parties. These include: 

  • third party cloud services provided by Microsoft;
  • our online HR system ‘MyView’ which is provided by Zellis;
  • finance system ‘Nav’ which is provided by Microsoft;
  • any information captured in Committee papers will be retained in the Senedd’s business management system provided by Mod.Gov
  • Legislative Workbench
  • Library Management System
  • ArcGIS and Instant Atlas (mapping software provided by ESRI)
  • Event administration applications
  • Surveying applications such as Survey Monkey and Smart Survey
  • Other third party systems and applications which support the provision and security of Senedd ICT infrastructure

Your information will predominantly be held in data centres within the UK and the European Economic Area (EEA), for the purposes of hosting and maintenance. Regulations under section 17A of the DPA 2018 specify that all countries within the EEA are regarded as providing an adequate level of protection. 

If personal data is transferred to a country outside of the UK or the EEA, the Commission is taking steps to assess the adequacy of that country, organisation(s), and/or systems processing the data and ensure that appropriate safeguards are in place. For example, any transfer of data by Microsoft outside of the UK and the EEA is covered by contractual clauses under which Microsoft ensure that personal data is treated in line with applicable data protection legislation.

How long your information will be retained

Information will be retained as long as it is of business value  for the purposes for which it was collected. If you would like to ask questions about retention of any of your information, please contact the Commissions DPO at the contact details above.

Please be aware that any published information will be retained for permanent preservation, and will remain in the public domain.

Images and broadcast of Senedd proceedings

Your image will be used on the Senedd website, social media, and may also be used in hard and electronic copies of reports and press releases.

Public committee meetings and plenary are filmed and broadcast via Senedd TV. Recordings are also made available via social media channels. Once information is published into the public domain, it will remain there.

Our legal basis for collecting, holding and using your personal information

Data protection law sets out various lawful legal bases (or ‘conditions’) which allow us process your personal data.  Those relevant to the Commission’s processing of Members’ personal data are:

  • where we use your personal information to fulfil our public functions ( pursuant to Article 6(1)(e) UK GDPR). The Commission's varied role in supporting the Senedd and its Members means that the majority of the processing that we undertake in relation to you will be covered by this basis.
  • where the Commission is under a legal obligation which requires us to process your personal data (Article 6(1)(c));
  • where processing is necessary for the purposes of the Commission’s legitimate interests (Article 6(1)(f)). The operation of this basis involves carrying out a balancing exercise; for example, where ensuring that a Member had access to professional advice or support and where the legitimate interests of the Commission and/or Member were not overridden by the rights and freedoms of any individual;
  • occasionally, we may also ask you to provide your consent to processing under the Article 6(1)(e);
  • should it be necessary, the Commission would also process your data in order to protect your vital interests or those of another person (Article 6(1)(d)).

Data protection law recognises certain "special categories" of personal data.  These are defined in the UK GDPR and include information revealing an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, and information concerning an individual's health, sex life or sexual orientation. 

These special categories are considered particularly sensitive.  We will only process these categories of information where one of the following conditions applies:

  • where we consider it is necessary and in the substantial public interest to do so (pursuant to Article 9(2)(g) UK GDPR and Schedule 1 Data Protection Act 2018);
  • where the processing relates to personal information that you have manifestly made public (Article 9(2)(e));
  • where the processing is necessary for preventative or occupational medicine and medical diagnosis (Article 9(2)(h) and Schedule 1 DPA 2018);
  • where the processing is necessary for the establishment, exercise or defence of legal claims (Article 9(2)(f));
  • occasionally, we may also ask you to provide your explicit consent (Article 9(2)(a));
  • should it be necessary, the Commission would also process your data in order to protect your vital interests or those of another person where it was not possible to obtain consent (Article 6(1)(d)).

Some of the above conditions require us to have an appropriate policy document in place before special category data may be processed. That document is available upon request to the DPO.

Your rights

As a data subject, you have a number of rights. The rights which apply depend on the legal bases we are relying on to process your personal information. Those rights will not apply in all instances, and the Commission will confirm whether or not that is the case when you make a request. 

The rights include the right to request access to your own personal information, sometimes called a ‘subject access request’.

Additionally, you have the right to request from us:

  • that any inaccurate information we hold about you is corrected (please note that you are required to keep us up to date with any changes to your personal information);
  • that information about you is deleted (in certain circumstances);
  • that we stop using your personal information for certain purposes or in certain circumstances; and
  • that your information is provided to you or a third party in a portable format (again, in certain circumstances).

If you would like to engage any of the rights that you have under data protection legislation or ask a question please contact the Data Protection Officer using one of the methods set out at the above.

If you are dissatisfied with how we are using your personal information or if you wish to complain about how we have handed a request, then please contact our Data Protection Officer and we will try to resolve any issues you may have.

You can also make a complaint to the Information Commissioner’s Office (ICO) if you believe we have not used your information in line with the law. The ICO’s contact details can be found on their website. 

Requests for information made to the Commission  

The Senedd is subject to access to information legislation. In the event of a request for information being made under access to information legislation, it may be necessary to disclose all or part of the information that we hold. This may include information which has previously been removed by us for publication purposes. We will only do this if we are required to do so by law.

Changes to our privacy notice 

We keep this privacy notice under regular review and we will alert you to any updates. Paper copies of the notice may be obtained by contacting the Data Protection Officer using the contact information above. This privacy statement was last updated in May 2021.