The Senedd Commission (“the Commission”) is the data controller of the information you provide, and will ensure it is protected and used in line with data protection legislation.
Our Contact Details
Any queries regarding our use of your information should be sent to the Data Protection Officer at:
0300 200 6565
What is the information?
To ensure the safety of all attendees during the official opening as a result of the COVID-19 pandemic, personal data must be provided to the Commission by all external attendees entering the Senedd estate that are not Senedd passholders or staff members.
For Track, Trace and Protect (TTP) purposes, this information includes:
- Your name
- Telephone, email and postal address
- The dates and times you enter and leave the Senedd estate
For Lateral Flow Test (LFT) purposes, this information includes:
- Your name
- The result of your LFT
- The date you took the test
- Your birth date
Why are we collecting it?
The information collected will be used to guarantee that we are ensuring that those who visit the Senedd estate can do so in a safe manner without the need to accept unreasonable risk.
The information also helps us to demonstrate compliance with coronavirus legislation, guidance and internal risk assessment requirements. The Commission is required by law to take “reasonable measures” to minimise the risk of exposure to coronavirus.
The LFT process is part of the Senedd Commission’s robust Health and Safety control measures to reduce the risk of infection from Covid-19. LFTs will enable asymptomatic individuals to test themselves at home prior to attending the Senedd site. This will reduce the risk of unknowingly transmitting Covid-19.
The collection of LFT and Test, Trace, Protect information enables us to respond to any potential outbreak originating from our premises, and meet any request from the NHS Test, Trace, Protect service for information that assists in reducing the risk of transmission of coronavirus.
Who is collecting and analysing the information?
Information will be collected via the Official Opening email address. This will be accessible on a need-to-know basis by staff essential to the security, safeguarding and health and safety of the event. This includes a limited number of the Communication and Engagement Teams, Facilities Team, Health and Safety Team, Security Team and the Police.
Will it be shared or publicised?
Information may be shared with the NHS Wales Test, Trace and Protect service where it is requested by them. They will only request this information where necessary, because:
- someone who has tested positive for coronavirus has listed our premises as a place they have worked at or visited recently;
- the service has identified our premises as the location of a potential cluster or outbreak of coronavirus.
The test results submitted online or by telephone feed into the Welsh Government’s Test, Trace, Protect (TTP) strategy. Information on how the Welsh Government uses this data can be found here: Test, trace and protect: privacy and data protection | GOV.WALES
We may also share the information with enforcement bodies to demonstrate compliance with health and safety law or respond to any potential breach of coronavirus regulations.
Where will it be stored?
The information will be stored securely on our ICT systems. Our ICT system includes third party cloud services provided by Microsoft. Any transfer of data by Microsoft outside of the United Kingdom is covered by contractual clauses under which Microsoft ensure that personal data is treated in line with domestic legislation. To find out more about how Microsoft will use your information, you can read their privacy statement here.
How long is it stored for?
The information will be retained for 10 days (unless any Covid-19 cases are subsequently linked to the Official Opening event, and require further investigation. In this event, the information would be stored for the duration of the investigation). This is to ensure that we can comply with our obligations set out in legislation governing health and safety, and coronavirus.
How is it destroyed?
The information will be securely deleted from the ICT system following the end of the retention period of 10 days.
Your rights
You have certain rights over the information we hold. In summary the rights are:
- The right to be informed about how your personal information is used;
- The right of access to copies of your personal information;
- The right to rectification if your information is inaccurate;
- The right to erasure of your personal information;
- The right to restrict our use of your personal information;
- The right to object to the use of your personal information.
If you would like to engage any of these rights, please email information-request@senedd.wales
Our legal bases for collecting, holding and using your personal information
Data protection law sets out various legal bases which allow us to collect, hold and use your personal information. For the purpose of processing the personal data you provide, we rely on the following legal bases:
The processing is necessary for the performance of a task carried out in the public interest
The Commission has a statutory function of ensuring that the Senedd is provided with the services it requires for its purposes. This includes ensuring that appropriate measures are in place to ensure the health and safety of those who visit the Senedd estate, and mitigate any risks stemming from the COVID-19 pandemic.
It is also important that those who visit the Senedd estate have trust in the Commission to provide them with a safe, working environment. Allowing individuals to take unreasonable risk when visiting the estate would be likely to diminish that trust and could have an effect on the ability of the Senedd and elected representatives to carry out their democratic function.
The processing is necessary for compliance with a legal obligation
The Commission has a general duty of care in health and safety legislation to those who visit the Senedd estate. It must ensure that, so far as reasonably practicable, those individuals are not exposed to risks to their health and safety, and that its premises are safe.
The data processed will help to ensure that the Commission can best meet its obligations in coronavirus legislation by ensuring that the Senedd estate can be used without unreasonable risk, taking into account the unique risks created by the COVID-19 pandemic. The Commission is under a legal obligation to take “reasonable measures” to minimise the risk of exposure to coronavirus of those who visit our premises.
The collection of Test, Trace, Protect information and LFT information enables us to respond to any potential outbreak originating from our premises, and meet any request from the NHS Test, Trace, Protect service for information that assists in reducing the risk of transmission of coronavirus.
Special category personal data
We will process special category personal data, although we anticipate this processing will be very limited and have taken steps to ensure that this type of data processing is kept to a minimum. Special category personal data is defined as including data concerning health. So, in practical terms, any processing of special category personal data is only likely to take place so far as it relates to health.
Special category data will be processed on the basis that it is necessary for reasons of substantial public interest, read in conjunction with paragraph 6 of Schedule 1 to the Data Protection Act 2018. This is to ensure that the Commission can continue to provide a safe environment to those who use or visit the Senedd estate. This, in turn, ensures that the Senedd, and the work carried out by elected representatives, can continue to function in an effective manner without unreasonable risk having to be taken by those who attend the estate.
It will also be processed on the basis that the processing is necessary for reasons of public interest in the area if public health, read in conjunction with paragraph 3 of Schedule 1 to the Data Protection Act 2018. This is to ensure that the Commission is able to respond to threats to public health, in this case the coronavirus pandemic.
Requests for information made to the Commission
In the event of a request for information being made under access to information legislation, it may be necessary to disclose all or part of the information that you provide. We will only do this if we are required to do so by law.
How to complain
You can complain to the Commission’s Data Protection Officer if you are unhappy with how we have used your data. Contact details are-
0300 200 6565
If, following a complaint, you remain dissatisfied with our response, you can also complain to the ICO.
The ICO’s address is:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113