Introduction

The Centre for Digital Public Services (CDPS) is committed to protecting your personal data and being transparent about how we use it. This privacy policy explains:

Who we are

CDPS is a limited company (09341679), wholly owned by the Welsh Government. We act as a Data Controller when processing personal data for our operations.

Data Protection Officer: 
Jon Morris, Business Manager

personal.data@digitalpublicservices.gov.wales 

What information we collect 

We may collect the following categories of personal data:

  • Identity data: name, date of birth, gender, etc.
  • Contact data: email, phone number, address
  • Financial data: bank details (for suppliers)
  • Recruitment data: ethnicity, nationality, health, criminal convictions (where relevant)
  • Engagement data: event attendance, stakeholder interactions
  • Technical data: IP address, browser type, device identifiers 

How we use your information

We use your data to:

  • Deliver our services and projects
  • Communicate with stakeholders
  • Manage recruitment, including Equality, Diversity, and Inclusion (EDI) monitoring, and procurement
  • Improve our digital services
  • Ensure compliance with legal obligations 

EDI Monitoring in Recruitment

What is EDI Monitoring?

Equality, Diversity, and Inclusion (EDI) monitoring is a process through which organisations collect, analyse, and report data related to the characteristics of their candidates and employees—such as ethnicity, nationality, gender, disability, and other protected attributes. This information is gathered during recruitment to ensure fair treatment and to help identify and address any barriers to equal opportunity within the organisation.

How is EDI Monitoring Used in Recruitment? 

  • Assessing the reach and effectiveness of recruitment practices, ensuring roles are accessible to all segments of society.
  • Identifying patterns or trends in applications and appointments, such as underrepresentation of certain groups.
  • Supporting compliance with legal requirements, such as the Equality Act 2010, by demonstrating commitment to non-discrimination. 
  • Enabling the organisation to develop targeted actions—like inclusive job adverts or outreach programmes—to promote diversity and improve workplace culture.
  • Monitoring progress against internal EDI goals, helping shape future recruitment strategies and policies. 

All EDI data collected during recruitment is handled confidentially and in accordance with data protection law. It is typically used in aggregate form, meaning individuals are not identifiable, and participation in EDI monitoring is voluntary.

Legal Basis for Processing

We rely on the following lawful bases under UK GDPR:

  • Consent (e.g. for marketing)
  • Contractual necessity
  • Legal obligation
  • Legitimate interests (e.g. stakeholder engagement) 

Data Sharing

We are committed to protecting your personal data and ensuring transparency about how we use it. We may share your personal data with the following entities: 

  • Welsh Government departments: For compliance with legal obligations and to support public sector initiatives.
  • Public Sector Partners: To facilitate collaborative projects and services that benefit the community.
  • Service Providers Under Contract: To deliver services on our behalf, such as IT support, marketing, and customer service.  
  • Regulators or Law Enforcement: Where legally required, to comply with legal processes or to protect our rights and the rights of others.

We ensure that any third parties with whom we share your data adhere to strict data protection standards and only use your data for the specified purposes.

We do not sell or rent your personal data. 

Where We Store and Process Personal Data

CDPS uses secure third-party providers and platforms to store and process personal data. These are grouped by the type of user or activity: 

For CDPS Staff and Contractors

  • Microsoft 365 – email, documents, collaboration
  • SafeHR – HR and employment records
  • Trello – task and project management
  • Miro – collaborative whiteboarding
  • ProBackup – backup and recovery
  • Zoom – meetings and webinars
  • WorkInConfidence – anonymous feedback and reporting
  • Xero – staff expenses
  • Yolk Recruitment – outsourced recruitment partner and supplier of contingent labour
  • Azets – outsourced accounting support, payroll, and pension & benefits administration 

For Stakeholders and Partners

  • HubSpot – stakeholder engagement and communications
  • Google Drive – shared documents and collaboration
  • Xero – financial processing and invoicing 
  • ApprovalMax – Purchase Order and Billing workflow management
  • Basecamp – Community of Practice collaboration and communication 

For Research Participants and Service Users

  • Consent Kit – informed consent for research
  • Hotjar – user experience analytics (anonymised)
  • Google Analytics – website usage statistics

We regularly review the security of these platforms and conduct risk assessments under Article 35 of the UK GDPR and Chapter 2 of the Data Protection Act 2018. These platforms are not owned or developed by CDPS and are subject to their own privacy policies.

For more information about how your data is processed by any of these platforms, please contact our Data Protection Officer. 

Data Security and Retention

We implement appropriate technical and organisational measures to protect your data. Data is retained only as long as necessary for the purposes outlined. 

Use of Artificial Intelligence (AI)

CDPS uses AI tools, including Microsoft Copilot, to support internal productivity, content generation, and service design. These tools are used in accordance with UK GDPR and the Data Protection Act 2018. CDPS abides by an internally developed set of Principles for the use of AI, detailed below.

How AI is Used

  • Drafting documents, reports, and communications
  • Summarising meeting notes or stakeholder feedback
  • Supporting analysis of anonymised datasets 

Data Protection and AI

  • AI tools do not access or process special category data unless explicitly authorised.
  • Prompts and outputs from Copilot are not used to train Microsoft’s foundation models.
  • All AI interactions are subject to access controls, audit logging, and data minimisation.
  • AI-generated content is reviewed by humans before use in decision-making. 

Principles of AI Use at CDPS

The Centre for Digital Public Services (CDPS) is committed to the ethical, transparent, and responsible use of artificial intelligence (AI) across public services in Wales. Our principles are designed to support safe adoption, foster innovation, and ensure alignment with public sector values:

Know What AI Is—and Isn’t

CDPS promotes a clear understanding of AI’s capabilities and limitations. We encourage teams to ask: Do we need to use this (now or at all)? 

Use AI Lawfully, Ethically and Responsibly

All AI use must comply with legal standards (e.g. GDPR, Welsh Language Standards), respect human rights, and avoid harm. We follow the Well-being of Future Generations (Wales) Act to assess environmental, cultural, and social impacts. 

Ensure Security and Data Protection

AI tools must be used securely. Free tools are permitted only for public or general knowledge tasks; paid tools like Copilot are required for anything involving personal or confidential data.

Maintain Human Oversight

Meaningful human control must be present at critical stages of AI deployment. Decisions must never be fully automated without accountability.

Manage the AI Lifecycle

CDPS maintains an internal register of AI tools and reviews new proposals through the AI Steering Group. This ensures alignment with strategic priorities and mitigates risks. 

Use the Right Tool for the Job

AI should be chosen based on need, not novelty. Alternatives—especially simpler or more sustainable ones—should be considered first.

Be Open and Collaborative

CDPS encourages transparency in AI use. We publish guidance, engage with critical friends like the Turing Institute, and share learnings across the public sector. 

Engage Commercial and Legal Colleagues Early

Procurement and legal teams must be involved from the outset to assess contracts, liabilities, and insurance implications.

Invest in Skills and Training

AI literacy is essential. CDPS offers training and recommends AI basics be part of mandatory staff development, alongside GDPR and DSE.

Align with Organisational Policies and Assurance

AI principles must complement existing CDPS policies. We use the Algorithmic Transparency Reporting Standard (ATRS) and Workforce Partnership Council (WPC) guidelines to ensure robust governance. 

Automated Decision-Making

CDPS does not use AI to make decisions that have legal or similarly significant effects on individuals without meaningful human involvement, in line with the Data (Use and Access) Act 2025.

Other AI Tools 

In addition to Microsoft Copilot, CDPS may use other AI-powered tools to support internal operations, such as content generation, summarisation, or data analysis. These tools are used in a secure and controlled environment.

  • We do not share identifiable personal data with these tools unless it is essential and lawful to do so.
  • Where AI tools are used, we apply data minimisation, pseudonymisation, and access controls to protect your privacy.
  • All outputs are reviewed by CDPS staff before being used in any official capacity. 

Your Rights

You have the right to:

  • Access your data
  • Correct inaccurate data
  • Request erasure
  • Object to processing
  • Withdraw consent
  • Lodge a complaint with the ICO

Cookies and Analytics 

We use cookies to improve website functionality and gather usage statistics. You can manage your preferences via our cookie settings page: https://digitalpublicservices.gov.wales/use-cookies-and-other-technologies

Policy Updates

This policy is reviewed regularly and was last updated in July 2025 to reflect the use of AI tools and changes in UK data protection law.

Contact Us

For questions or concerns, contact:

personal.data@digitalpublicservices.gov.wales