PRIVACY POLICY

INTRODUCTION 

The Centre for Digital Public Services (CDPS) is strongly committed to protecting personal data. This Privacy Notice explains the following: 

We recommend you read this privacy notice thoroughly. Please contact us with any questions or concerns regarding our privacy practices. Our contact details are on our website and contained within this Privacy Notice. 

WHO WE ARE 

CDPS is a Limited Company (09341679) which is wholly owned by the Welsh Government. We act as both a Data Controller in the following circumstances: 

Our Data Protection Officer is Simon Renault, the Business Director, who may be contacted via email on personal.data@digitalpublicservices.gov.wales.   
  
WHAT INFORMATION DO WE COLLECT? 

When we talk about personal data or personal information, we are only referring to information from which an individual person can be identified. It does not include data where the identity has been removed. 

Our engagement activities across Wales, the UK and internationally, are fundamental to our success. We collect and process information with key strategic partners across the public sector, academia, professional services and other funded initiatives and projects. This includes the following categories of information: 

  1. Racial or ethnic origin supplied voluntarily during the recruitment process 
  2. Declaration of offences during the recruitment process under the Rehabilitation of Offenders Act as part of our duty to follow HM Government’s Baseline Personnel Security Standards (BPSS) 

To put this into context, it includes personal information collected because of: 

HOW WE COLLECT YOUR INFORMATION, WHY WE NEED IT, AND HOW WE USE IT 

When you contact us regarding the work we do, we will handle your data with the utmost care and are sensitive to the need to handle all data lawfully, fairly and transparently. 

The method of collection varies and includes, but is not limited to: 

You should also be aware of our responsibilities under Freedom of Information legislation, our remit to provide information to meet internal and external audit requirements and our legal obligations (e.g., fraud prevention). 

WHAT LEGAL BASIS WE HAVE FOR PROCESSING YOUR PERSONAL DATA 

We always have a legal basis for processing personal data. The legal bases we use are as follows: 

To put the six legal bases we use for processing personal data into context, we will use the personal data and information we collect for the following purposes: 

We must have a lawful reason for processing your personal information. Most commonly, we will use your personal information in the following circumstances: 

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. Information is only held for as long as there is a legitimate reason to do so. Information that is no longer required is destroyed in such a way that it cannot be reconstructed. If you wish to obtain an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

WHEN DO WE SHARE PERSONAL DATA? 

Disclosure of Information for legal or regulatory purposes 

We may need to disclose your information to a third party as part of ongoing programme management and audit requirements.   

Additionally, as part of our remit to conduct due diligence, we may also need to release information to progress governance checks for specific requirements, programmes, other parties (or projects). We will carry out this process lawfully, proportionately, and securely. 

Third parties include: 

We will ensure that if information is required to be shared, then it will be shared securely, and you will be informed that we have shared it, who we have shared it with and how we shared it. 

WHERE DO WE STORE AND PROCESS PERSONAL DATA? 

CDPS data is stored within Microsoft 365, Mailjet, Zoom, Xero financial support tool, Trello, and Mural project management and collaboration software. We undertake regular security reviews of all our third-party platforms and conduct risk assessments as required under Article 35 of the UK GDPR and Chapter 2 of the Data Protection Act 2018 (UK GDPR) to comply with our duty as a Data Controller. The systems identified are third-party systems which have not been created or owned by us and are outside our control, with their own privacy policies. Please contact our Data Protection Officer for further information should you wish to understand how your data is processed by the relevant platform. 

CDPS outsources its accounting activity to a third party. The current contractor is Azets. Azets do not transfer data outside the EEA. The Privacy Policy for Azets can be found here

HOW DO WE SECURE PERSONAL DATA? 

We have in place appropriate security measures to prevent your personal information from being accidentally lost, used, or accessed in an unauthorised manner or otherwise used or disclosed.  

To achieve this, we use encrypted secure technology to protect all personal information stored by us. We operate up-to-date and regularly reviewed policies for Data Protection, Password Policy, Information Security and Business Continuity (including Risk Assessments via the DPIA process and individual risk assessments) to support our business processes and to ensure that all personnel are aware of the importance of data security. 

Access to information is permitted on a need-to-know basis.   

HOW LONG DO WE KEEP YOUR PERSONAL DATA FOR? 

We only keep and process personal data for as long as there is a contractual or business requirement to do so or we are otherwise obliged to keep the same under any contractual, regulatory, or legal requirement. Once the requirement has expired, the information is deleted safely and securely from our systems, in accordance with current security regulations. 

KEEPING US UP TO DATE 

As part of our responsibility to ensure that information we hold about you is up to date, we rely on you to keep us updated. We request that, where any of your details change, you inform us so that we may update our records accordingly. 

YOUR LEGAL RIGHTS IN RELATION TO PERSONAL DATA INCLUDING YOUR RIGHTS TO WITHDRAW CONSENT  

As a data subject, you have rights in relation to your Personal data. These are: 

You also have the right to make a Subject Access Request. As part of this process, you will be able to ascertain: 

We reserve the right to validate your identity prior to release of information.  

We will not make any charges for such requests unless the requests are made repeatedly and are considered excessive. We will respond to your request within 28 days.

We provide a form for you to fill in which we use to ensure that your rights are addressed in full.   

If you have provided consent to CDPS to process any of your data, then you also have a right to withdraw that consent unless we are contractually or legally obligated to retain data. Withdrawal of consent will also result in withdrawal of support from the CDPS services or programme(s) to which you are signed up. In cases where we do not need to retain data for contractual or legal reasons, we will delete the data as soon as possible and at the very least within 28 days.   

LINKS TO OTHER WEBSITES AND THIRD-PARTY CONTACT 

CDPS does link to external sites and resources as part of our normal business activity. This includes news stories and links to other websites as part of the information being shared on our website (e.g., stories about digital services backed by supporting information from Welsh Government). Use of those links may allow third parties to collect or share your personal information. As we have no control over how such third parties may collect and share your information, we do not take any responsibility for their use of your information.

HOW TO CONTACT US, INCLUDING HOW TO MAKE A COMPLAINT WITH A SUPERVISORY AUTHORITY 

You can contact the Centre for Digital Public Services via several different routes.  We will deal with your enquiry in the same way regardless of how you choose to contact us.  For further information on how CDPS processes your data, please contact us via e-mail to personal.data@digitalpublicservices.gov.wales.  

If you are unhappy with the way in which your personal data has been processed and wish to raise a complaint, please do so by one of the methods described above. We will handle your complaint sensitively and confidentially, and will write to you with a response within 10 working days. 

If you are dissatisfied, you have the right to communicate directly with the Information Commissioner (ICO). The Information Commissioner can be contacted at: 

Information Commissioner’s Office – Wales
2nd Floor
Churchill House
Churchill Way
Cardiff
CF10 2HH

Telephone: 029 2067 8400
Fax: 029 2067 8399
Email: wales@ico.gsi.gov.uk  

We would appreciate it if you would let us try to resolve the matter first before referring it to the ICO. 

REVIEW OF THE PRIVACY NOTICE 

We regularly review all our policies and procedures, and we will post updates on our documentation and webpage. This Privacy Policy was last reviewed and amended on 4 November 2021.