What’s included in this privacy notice?
I, Rhun ap Iorwerth, am the Member of the Senedd for Ynys Môn.
This document (“privacy notice”) sets out information relating to how I will use personal information relating to constituents. It also sets out information about what rights individuals have in relation to their personal information and various other matters required under data protection law.
In particular, this privacy notice provides information to constituents about how they can object to my use of their personal information, how they can withdraw any permissions they have given to enable me to process their personal information, and how they can make a complaint.
This privacy notice contains the following sections:
- Who does this privacy notice apply to?
- What’s my approach to privacy?
- How will I use your personal information?
- When will I use your personal information for Direct marketing?
- When will I share your personal information with others?
- Circumstances in which I will send your personal information outside the EEA
- What rights do you have under Data Protection Law?
- When and how can you withdraw your consent?
- How can you get in touch with me?
- How can you complain about my use of your personal information?
- How will I notify you of any changes to this privacy notice?
Who does this privacy notice apply to?
This privacy notice applies to constituents and those who contact me in my role as Member of the Senedd for Ynys Môn / a member of Welsh Parliament committees / Plaid Cymru spokesperson.
One of my key roles as a Member of the Senedd is to raise issues on behalf of constituents. As such I will often collect and use personal information relating to constituents as part of my role. From time to time I will also contact my constituents to ask them to complete surveys to gather information and opinions on matters relevant to my role as a Member of the Senedd.
In the sections below, when referring to constituents I will use the terms “you” or “your”.
What’s my approach to privacy?
I take your privacy extremely seriously and want you to feel confident that your personal information is safe in my hands.
I will only use your personal information in accordance with the data protection law applicable to England and Wales from time to time.
Under data protection law, when I use your personal information, I will be acting as a data controller. Essentially, this means that I will be making decisions about how to use your personal information and why.
Below, I summarise the main rules that apply to me as a data controller under data protection law when I use your personal information:
1. | I must be upfront about how I intend to use your personal information and must use your personal information fairly. Providing privacy information to individuals (such as in this privacy notice) is one aspect of using personal information fairly. |
2. | I must only use your personal information if I have a legal basis to do so under data protection law. These legal bases include:
|
3. | I must only use certain types of sensitive personal information, also referred to as special category personal information (such as information relating to your health, racial or ethnic origin, political opinions, or criminal convictions) if I can also satisfy one of the conditions for processing this type of information set out in data protection law. These conditions include:
|
4. | I am only permitted to share your personal information with others in certain circumstances and if I take steps to ensure that your personal information will be secure. |
5. | Generally speaking, I must only use your personal information for the specific purposes I have told you about. If I want to use your personal information for other purposes, I need to contact you again to tell you about this. |
6. | I must not hold more personal information than I need for the purposes I have told you about and must not retain your personal information for longer than is necessary for those purposes (this is known as the “retention period”). I must also dispose of any information that I no longer need securely. |
7. | I must ensure that appropriate security measures are in place to protect your personal information. |
8. | I must act in accordance with your rights under data protection law. |
9. | I must not transfer your personal information outside the European Economic Area (“EEA”) unless certain safeguards are in place. One such safeguard is that the personal data is only transferred to a country that has been approved by the European Commission as having an acceptable level of data protection law. |
How will I use your personal information?
How I will use your personal information, the legal bases I will rely upon, how long I will keep your personal information and other details are set out below.
CASEWORK
What personal information I will use |
(this list is not exhaustive as information held will depend on the individual case) |
How I will obtain the personal information |
|
What purposes I will use the personal information for |
|
The legal bases for processing I rely upon |
|
How long I retain the personal information and why |
|
SURVEYS
What personal information I will use |
|
How I will obtain the personal information |
|
What purposes I will use the personal information for |
|
The legal grounds I rely upon |
|
How long I retain the personal information and why |
|
When will I use your personal information for direct marketing?
In addition to data protection law, if I use your personal information for direct marketing purposes, I may also be subject to additional rules that regulate direct marketing. The term “direct marketing” essentially means directing marketing material or political campaign communications at a particular individual.
To ensure compliance with both data protection laws and the specific rules relating to direct marketing, I will only use your personal information to provide you with political campaign information, whether by telephone, email, text or other forms of electronic communication or by post if you have given me your specific consent to do so.
My legal basis for such processing under data protection law will therefore be that you have given your consent to process your personal data for direct marketing purposes.
I will retain your personal information unless and until you inform me that you no longer wish to receive direct marketing information from me. You can ask me to stop sending direct marketing to you at any time by contacting me using the details set out in the section below titled – “How can you get in touch with me?”
NEWSLETTERS
What personal information I will use |
|
How I will obtain the personal information |
|
What purposes I will use the personal information for |
|
The legal grounds I rely upon |
OR
|
How long I retain the personal information and why | Until you tell me that you no longer wish to receive newsletters and updates from me. You can ask me to stop sending direct marketing to you at any time by contacting me using the details set out in the section below titled – “How can you get in touch with me?” |
When will I share your personal information with others?
Sometimes, I will need to share your personal information with others. This section sets out details of who I will share your personal information with and why. It also tells you about my legal basis for doing so under data protection law and steps I will take to protect your personal information.
THE SENEDD COMMISSION
Information about our relationship with the Senedd Commission | The Senedd Commission is the independent body which, amongst other things, supports Members of the Senedd in their work. |
Why I need to share your personal information with staff of the Senedd Commission | To obtain advice and assistance in dealing with your issue or concern. |
The legal basis I rely upon when sharing your personal information | Sharing of personal data with staff at the Senedd Commission in order to assist with your case will be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in me. This is generally because the processing of your personal data by me will be in performance of casework activities which by their nature supports or promotes democratic engagement. |
What precautions do I take? | Staff at the Senedd Commission have undertaken data protection training and are aware of the importance of protecting personal data. The Senedd Commission has in place appropriate policies and security measures to protect your personal information. |
OTHER ORGANISATIONS WHO CAN ASSIST WITH YOUR CASE
Who are these Organisations? | We will share such of your personal information as is necessary with organisations who can assist with your case. Often these will be organisations such as local authorities and health boards which will, from time to time, depending on the nature of your query or concern, be able to assist with your case or will have information relevant to your case. |
Why I need to share your personal information with them | To assist with your case or to obtain information relevant to your case. |
The legal bases I rely upon when sharing your personal information | Sharing of personal data with such organisations will be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in me. This is generally because the processing of your personal data by me will be in performance of casework activities which by their nature supports or promotes democratic engagement. |
What precautions do I take? | I will only share personal data as is necessary and will take steps to determine that the organisations are aware of the importance of protecting personal data. |
PROVIDERS OF INFORMATION TECHNOLOGY SERVICES
Who will we be sharing your personal information with? | Suppliers of information technology products and services such as:
|
Why I need to share your personal information with such providers | I use suppliers of information technology products and services in connection with the supply, maintenance and/or improvement of my IT network, to manage casework effectively through appropriate software provision, and the creation, development hosting and maintenance of my website. |
The legal bases I rely upon when sharing your personal information | I rely upon my legitimate interests in ensuring that my work as a Member of the Senedd is managed efficiently and my IT system can function properly and efficiently and that my IT network is secure. |
What precautions do we take? | I enter into contracts with my IT providers which require them to put appropriate security measures in place and which restrict their use of your personal information. |
OTHER THIRD PARTIES
I may also need to share your personal information with others in the following circumstances:
Legal or regulatory requirements | On occasion, I may be required to disclose your personal information to organisations such as the courts or the police to comply with legal obligations we are subject to and/or to prevent fraud or crime. |
Safeguarding | On occasion, I may need to disclose your personal information to other organisations such as the local authority or the police for safeguarding purposes in the substantial public interest. |
Professional advice and legal action | I may need to disclose your personal information to my professional advisers (for example, lawyers and accountants) in connection with the provision by them of professional advice and/or the establishment or defence of legal claims. |
Circumstances in which I will send your personal information outside the EEA
Other than the cloud service provided by Microsoft, I do not envisage a need to send your personal data outside the EEA. As far as Microsoft is concerned Microsoft has put a written contract in place incorporating EC model clauses relating to the transfer of personal data outside the EEA which provide safeguards to protect your personal data.
If it becomes necessary in any other circumstance to transfer your personal data outside the EEA I will let you know but rest assured that if I do need to transfer your personal data outside the EEA, I will use one of these safeguards to make sure it is protected:
- I will only transfer it to a non-EEA country which the European Commission has decided has an adequate level of protection for personal data. You can find more about such countries here https://ec.europa.eu/info/law/law-topic/data-protection_en; or
- I will put a written contract in place between me and the recipient that incorporates EC model clauses relating to the transfer of personal data outside the EEA; or
- I will obtain your explicit consent to do so.
WHAT RIGHTS DO YOU HAVE UNDER DATA PROTECTION LAW?
Under data protection law, you have a number of different rights relating to the use of your personal information. The table below contains a summary of those rights and my obligations. More information about your rights and my obligations can be found on the ICO website https://ico.org.uk/.
Your rights | What this involves | What our obligations are |
A right of access
|
This is a right to obtain access to your personal data and various supplementary information. |
|
A right to have personal data rectified
|
This is a right to have your personal information rectified if it is inaccurate or incomplete.
|
|
A right to erasure
|
|
|
A right to object
|
|
|
A right to restrict processing
|
|
|
If you wish to exercise any of your rights, you can make a request by contacting me using the details set out in the section below titled – “How can you get in touch with me?”
If you request the exercise of any of your rights I am entitled to ask you to provide me with any information that may be necessary to confirm your identity.
Your right to withdraw consent
If you have given me your consent to use any of your personal information, you can withdraw your consent at any time. To do so, please contact me using the details set out in the section below titled – “How can you get in touch with me?”
How can you get in touch with me?
You can get in touch with me in the following ways:
Postal address | Tŷ Ieuan
1b Church Street Llangefni Ynys Môn LL77 7DU |
Email address | Rhun.apiorwerth@senedd.wales |
Phone number | 01248 723599 |
I am the person overseeing compliance with data protection law and this privacy notice. If you have any questions about this privacy notice, how your personal information is handled or if you wish to make a complaint, please contact me.
Right to complain to the information commissioner’s officer
If I am unable to deal with a complaint to your satisfaction or if you are unhappy with the way I am using your personal data, you also have the right to make a complaint at any time to the UK’s supervisory authority for data protection issues, the Information Commissioner’s Office.
Changes to this privacy notice
I may update this privacy notice from time to time. If I make any substantial updates, I will provide you with a new privacy notice. I may also notify you in other ways from time to time about the processing of your personal information.