PRIVACY NOTICE FOR CONSTITUENTS:
I, Jenny Rathbone, am the Member of the Senedd for Cardiff Central.
This document (“privacy notice”) sets out information relating to how I will use personal information relating to constituents. It also sets out information about what rights individuals have in relation to their personal information and various other matters required under data protection law.
In particular, this privacy notice provides information to constituents about how they can object to my use of their personal information, how they can withdraw any permissions they have given to enable me to process their personal information, and how they can make a complaint.
This privacy notice contains the following sections:
- Who does this privacy notice apply to?
- What’s my approach to privacy?
- How will I use your personal information?
- How will I use your personal information for direct marketing?
- When will I share your personal information with others?
- Circumstances in which I will send your personal information outside the EEA
- What rights do you have under Data Protection law?
- How can you get in touch with me?
- How can you complain about my use of your personal information?
- How will I notify you of any changes to this privacy notice?
WHO DOES THIS PRIVACY NOTICE APPLY TO?
This privacy notice applies to constituents.
One of my key roles as an Assembly Member is to raise issues on behalf of constituents. As such I will often collect and use personal information relating to constituents as part of my role. From time to time I will also contact my constituents to ask them to complete surveys to gather information and opinions on matters relevant to my role as an Assembly Member.
In the sections below, when referring to constituents I will use the terms “you” or “your”.
WHAT’S MY APPROACH TO PRIVACY?
I take your privacy extremely seriously and want you to feel confident that your personal information is safe in my hands.
I will only use your personal information in accordance with the data protection law applicable to England and Wales from time to time.
Under data protection law, when I use your personal information, I will be acting as a data controller. Essentially, this means that I will be making decisions about how to use your personal information and why.
Below, I summarise the main rules that apply to me as a data controller under data protection law when I use your personal information:
|1.||I must be upfront about how I intend to use your personal information and must use your personal information fairly. Providing privacy information to individuals (such as in this privacy notice) is one aspect of using personal information fairly.|
|2.||I must only use your personal information if I have a legal basis to do so under data protection law. These legal bases include:
|3.||I must only use certain types of sensitive personal information, also referred to as special category personal information (such as information relating to your health, racial or ethnic origin, political opinions, or criminal convictions) if I can also satisfy one of the conditions for processing this type of information set out in data protection law. These conditions include:
|4.||I am only permitted to share your personal information with others in certain circumstances and if I take steps to ensure that your personal information will be secure.|
|5.||Generally speaking, I must only use your personal information for the specific purposes I have told you about. If I want to use your personal information for other purposes, I need to contact you again to tell you about this.|
|6.||I must not hold more personal information than I need for the purposes I have told you about and must not retain your personal information for longer than is necessary for those purposes (this is known as the “retention period”). I must also dispose of any information that I no longer need securely.|
|7.||I must ensure that appropriate security measures are in place to protect your personal information.|
|8.||I must act in accordance with your rights under Data Protection law.|
|9.||I must not transfer your personal information outside the European Economic Area (“EEA”) unless certain safeguards are in place. One such safeguard is that the personal data is only transferred to a country that has been approved by the European Commission as having an acceptable level of data protection law.|
HOW WILL I USE YOUR PERSONAL INFORMATION?
How I will use your personal information, the legal bases I will rely upon, how long I will keep your personal information and other details are set out below.
|What personal information I will use||
concern with me. This information may include special category personal information such as your:
|How I will obtain the personal information||· Provided by you when you contact me with an enquiry or concern or by a third party where the enquiry or concern is raised on your behalf.|
|What purposes I will use the personal information for||
communicate with you about the issue or concern raised and to provide you with updates and feedback;
steps to address the matter.
|The legal bases for processing I rely upon||
processing of special category data, my use of your special category personal data will be necessary for reasons of substantial public interest. This is because the processing is carried out by me in my capacity as an elected representative, in connection with the discharge of my functions and is in response to a request by you to take action or a request on your behalf.
|How long I retain the personal information and why||· I will retain your personal information until your case is
closed and for a further 2 year period, or until the next Assembly election, whichever is sooner. This is in case there is any follow up or a case might need to be reopened. This will be with your consent. You can contact us within this time if you want your info to be deleted.
WHEN WILL I USE YOUR PERSONAL INFORMATON FOR DIRECT MARKETING?
In addition to data protection law, if I use your personal information for direct marketing purposes, I may also be subject to additional rules that regulate direct marketing. The term “direct marketing” essentially means directing marketing material or political campaign communications at a particular individual.
To ensure compliance with both data protection laws and the specific rules relating to direct marketing, I will only use your personal information to provide you with political campaign information, whether by telephone, email, text or other forms of electronic communication [or by post] if you have given me your specific consent to do so.
My legal basis for such processing under data protection law will therefore be that you have given your consent to process your personal data for direct marketing purposes.
I will retain your personal information unless and until you inform me that you no longer wish to receive direct marketing information from me. You can ask me to stop sending direct marketing to you at any time by contacting me using the details set out in the section below titled – “How can you get in touch with me?”
|What personal information I will use||
How I will obtain the personal information provided by you?
|What purposes I will use the personal information for||· To provide you with newsletters about the work I undertake in your area and in the National Assembly for Wales.|
|The legal grounds I rely upon||
|How long I retain the personal information and why||Until you tell me that you no longer wish to receive newsletters and updates from me. You can ask me to stop sending direct marketing to you at any time by contacting me using the details set out in the section below titled – “How can you get in touch with me?”|
WHEN WILL I SHARE YOUR PERSONAL INFORMATION WITH OTHERS?
Sometimes, I will need to share your personal information with others. This section sets out details of who I will share your personal information with and why. It also tells you about my legal basis for doing so under data protection law and steps I will take to protect your personal information.
THE ASSEMBLY COMMISSION
|Information about our relationship with the Assembly Commission||· The Assembly Commission is the independent body which,
amongst other things, supports Assembly Members in their work.
|Why I need to share your personal information with staff of the Assembly Commission||· To obtain advice and assistance in dealing with your issue or
|The legal basis I rely upon when sharing your personal information||· Sharing of personal data with staff at the Assembly
Commission in order to assist with your case will be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in me. This is generally because the processing of your personal data by me will be in performance of casework activities which by their nature supports or promotes democratic engagement.
|What precautions do I take?||· Staff at the Assembly Commission have undertaken data protection training and are aware of the importance of protecting personal data. The Assembly Commission has in place appropriate policies and security measures to protect your personal information.|
OTHER ORGANISATIONS WHO CAN ASSIST WITH YOUR CASE
|Who are these Organisations?||· We will share such of your personal information as is
necessary with organisations who can assist with your case. Often these will be organisations such as local authorities and
|health boards which will, from time to time, depending on the nature of your query or concern, be able to assist with your case or will have information relevant to your case.|
|Why I need to share your personal information with them||· To assist with your case or to obtain information relevant to
|The legal bases I rely upon when sharing your personal information||· Sharing of personal data with such organisations will be
necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in me. This is generally because the processing of your personal data by me will be in performance of casework activities which by their nature supports or promotes democratic engagement.
|What precautions do I take?||· I will only share personal data as is necessary and will take steps to determine that the organisations are aware of the importance of protecting personal data.|
PROVIDERS OF INFORMATION TECHNOLOGY SERVICES
|Who will we be sharing your personal information with?||· Suppliers of information technology products and
services such as:
|Why I need to share your personalinformation||I use suppliers of information information with such providers technology products and services in connection with the supply, maintenance and/or improvement of my IT network, to manage casework effectively through appropriate software provision, and the creation, development hosting and maintenance of my website.|
|The legal bases I rely upon when sharing your personal information||I rely upon my legitimate interests in ensuring that my
work as an Assembly Member is managed efficiently and my IT system can function properly and efficiently and that my IT network is secure.
|What precautions do we take?||I enter into contracts with my IT providers which require them to put appropriate security measures in place and which restrict their use of your personal information.|
OTHER THIRD PARTIES
I may also need to share your personal information with others in the following circumstances:
|Legal or regulatory requirements||On occasion, I may be required to disclose your personal information to organisations such as the courts or the police to comply with legal obligations we are subject to and/or to prevent fraud or crime.|
|Safeguarding||On occasion, I may need to disclose your personal information to other organisations such as the local authority or the police for safeguarding purposes in the substantial public interest.|
|Professional advice and legal action||I may need to disclose your personal information to my professional advisers (for example, lawyers and accountants) in connection with the provision by them of professional advice and/or the establishment or defence of legal claims.|
CIRCUMSTANCES IN WHICH I WILL SEND YOUR PERSONAL INFORMATION OUTSIDE THE EEA
Other than the cloud service provided by Microsoft, I do not envisage a need to send your personal data outside the EEA. As far as Microsoft is concerned Microsoft has put a written contract in place incorporating EC model clauses relating to the transfer of personal data outside the EEA which provide safeguards to protect your personal data.
If it becomes necessary in any other circumstance to transfer your personal data outside the EEA I will let you know but rest assured that if I do need to transfer your personal data outside the EEA, I will use one of these safeguards to make sure it is protected:
I will only transfer it to a non-EEA country which the European Commission has decided has an adequate level of protection for personal data. You can find more about such countries here https://ec.europa.eu/info/law/law-topic/data- protection_en];
WHAT RIGHTS DO YOU HAVE UNDER DATA PROTECTION LAW?
Under data protection law, you have a number of different rights relating to the use of your personal information. The table below contains a summary of those rights and my obligations. More information about your rights and my obligations can be found on the ICO website https://ico.org.uk/.
Your rights: What this involves and what our obligations are:
|A right of access||This is a right to obtain access to your personal data and various supplementary information.||
your personal information and the other supplementary information without undue delay and in any event within 1 month of receipt of your request;
save in specific circumstances (such as where you request further copies of your personal information).
|A right to have personal data rectified||This is a right to have your personal information rectified if it is inaccurate or incomplete.||
incomplete information without undue delay and in any event within 1 month of receipt of your request;
|A right to erasure||
|A right to object||
|A right to restrict processing||
If you wish to exercise any of your rights, you can make a request by contacting me using the details set out in the section below titled – “How can you get in touch with me?”
If you request the exercise of any of your rights I am entitled to ask you to provide me with any information that may be necessary to confirm your identity.
YOUR RIGHT TO WITHDRAW CONSENT
If you have given me your consent to use any of your personal information, you can withdraw your consent at any time. To do so, please contact me using the details set out in the section below titled – “How can you get in touch with me?”
I am the person overseeing compliance with data protection law and this privacy notice. If you have any questions about this privacy notice, how your personal information is handled or if you wish to make a complaint, please contact me.
RIGHT TO COMPLAIN TO THE INFORMATION COMMISSIONER’S OFFICER
If I am unable to deal with a complaint to your satisfaction or if you are unhappy with the way I am using your personal data, you also have the right to make a complaint at any time to the UK’s supervisory authority for data protection issues, the Information Commissioner’s Office.
CHANGES TO THIS PRIVACY NOTICE
I may update this privacy notice from time to time. If I make any substantial updates, I will provide you with a new privacy notice. I may also notify you in other ways from time to time about the processing of your personal information.