This privacy statement explains how we collect and use personal information about you for the process/purpose of investigating and reporting on complaints about Assembly Members.
Who we are
The National Assembly for Wales’ Commissioner for Standards is the data controller of the information you provide, and will ensure it is protected and used in line with data protection legislation.
Any queries regarding our use of your information should be sent to the Data Protection Officer at:
Commissioner for Standards
National Assembly for Wales
0300 200 6542
What we need and why we need it
Our purpose for processing your personal data is so we can respond and look into your complaint about an Assembly Member.
When we receive your complaint, we will create an electronic file containing the details of your request. This will include any contact details that you have shared with us and any other information contained in your original complaint. We will also store on this file a copy of the information that falls within the scope of your complaint. If your complaint is in hard copy, it will be scanned and stored electronically. The hard copy will be destroyed.
Categories of information processed
Normal personal data is defined by the General Data Protection Regulation (GDPR) and includes names and contact details, as well as previous interaction with the Commissioner for Standards’ office.
Depending on the request, we may process special category data, as defined by the GDPR such as race; ethnic origin; political views; religion; trade union membership; health or sexual orientation.
What we will do with your information
Your information will be used by Commissioner for Standards and staff for the purposes of looking into your complaint. Your personal information will not be shared further than those directly involved in dealing with your complaint. We will not share your personal information with anyone outside of the organisation unless obliged by law.
If there comes a time when we need to share your personal data with another party for the purposes of progressing the complaint, we will, in the first instance, notify you and seek your consent. As an example, if you make an allegation about an AM, there may come a time when, to take the complaint forward, it is reasonable to notify the AM who is making the allegation. At this point we will contact you to seek your views as to you how you wish to proceed.
Information will be stored on the Assembly ICT network (which includes third party cloud services provided by Microsoft). Any transfer of data by Microsoft outside of the EEA is covered by contractual clauses under which Microsoft ensure that personal data is treated in line with European legislation.
How long we will keep it
We will keep your contact details, your complaint and the associated correspondence for 6 years after the complaint has been completed. After this time, all information will be disposed of securely.
Legal basis for processing
The Commissioner for Standards must have a lawful basis for processing your information, and which basis is engaged will depend on the activity or circumstance in which we are collecting and using information.
In order to respond to requests made under access to information legislation, we will rely on the following legal bases:
- The processing is necessary to comply with a legal obligation to which we are subject (Art. 6(1)(c ) GDPR);
- The processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law (Art. 6(1)€ GDPR).
Where we process special category data, the legal basis is that it is necessary for reasons of substantial public interest in accordance with Article 9(2)(g) GDPR and section 10(3) of, and paragraph 6 of Schedule 1 to, the Data Protection Act 2018; fulfilling our statutory obligations is in the substantial public interest.
You have certain rights over the information we hold. In summary the rights are:
- The right to be informed about how your personal information is used;
- The right of access to copies of your personal information;
- The right to rectification if your information is inaccurate;
- The right to erasure of your personal information;
- The right to restrict our use of your personal information;
- The right to data portability;
- The right to object to the use of your personal information;
- Rights in relation to automated decision making and profiling.
If you would like to engage any of these rights, please email firstname.lastname@example.org
You can make a complaint about how your information has been used by contacting the Commissioner for Standards’ office on 0300 200 6542 or via email@example.com.
You can also make a complaint to the Information Commissioner’s Office (ICO) if you believe we have not used your information in line with the law. The ICO’s contact details can be found on their website.