- our statutory audit work
- job applicants
- current and former employees
- correspondence and communications including subject access requests or freedom of information enquiries
- our events
- visitors to our website
- suppliers of goods or services
- subscribers to our newsletter
Data Protection Officer
We have appointed a Data Protection Officer who is responsible for overseeing how your data is used, our information governance policies and procedures, privacy notices and your rights as an individual under data protection law. If you have any queries or concerns about our use of your personal information or this notice, please contact our Data Protection Officer, Martin Peters at firstname.lastname@example.org.
Data Protection Law
We process your personal data under data protection law applicable in the UK which includes the ‘UK GDPR’ [opens in new window] and Data Protection Act 2018 [opens in new window]. Information about data protection law is available on the ICO website [opens in new window].
We may only process personal data if we have a legal basis for that processing. The key legal bases for the work of the Auditor General or Wales Audit Office are processing that is necessary for:
- Performance of a contract with the data subject, for example, our contracts of employment or contracts under which we receive or provide goods or services.
- Compliance with a legal obligation, where we have a duty to do something under statute (where statute says we must or should do something).
- Performance of a task in the public interest or in the exercise of official authority, where we have a power to do something (where statute says we may do something).
Other legal bases, which may also apply, include:
- Consent, which must be freely given, specific, informed, clear and in the form of a statement or clear affirmative act on the part of the individual.
- Necessary to protect vital interest---processing personal data to protect someone’s life, e.g. where someone needs medical help.
Our statutory work
When we undertake audit work under our statutory powers and duties we may collect information from public bodies that contains some personal data.
Please note that a separate privacy notice is available for our National Fraud Initiative (NFI) work and is available within the NFI section of our website.
The information you provide as part of the application process will be treated in confidence and will be shared only with Human Resources and members of the selection panel for the purposes of the recruitment process. Where we want to disclose information about you to third parties, for example where a third party specialist is involved in the selection process or we want to take up a reference, we will not do so without informing you beforehand unless the disclosure is required by law.
We hold personal information about unsuccessful candidates for a maximum period of 2 years after the recruitment process has been completed, and it will then be destroyed or deleted. This information is used solely for monitoring purposes to form statistical reports on our recruitment activities.
A full job applicant privacy notice [PDF 135KB opens in new window] is provided to applicants as part of the job application process. Where you provide information to us in connection with a recruitment enquiry, at one of our events or otherwise, please see our recruitment enquiry notice [PDF 135KB opens in new window].
Current and former employees
Employees should refer to the employee privacy notice in the staff handbook. Following the end of your employment with the Wales Audit Office, we will retain your information in accordance with the requirements of our retention schedule and then delete it. We give employees who are leaving their employment with the WAO a full leavers privacy notice.
People who make a complaint or correspond with us
When we receive a complaint, correspondence or concerns about the Wales Audit Office, a public body we audit, subject access request or freedom of information request we hold the correspondence in a file.
We will only use the personal information we collect to process the complaint, correspondence or request. We may have to disclose your details when we are investigating any matters that you raise, and if you tell us that you do not want us to disclose or share your personal information we will try to respect this. However, it may not be possible to investigate your request on an anonymous basis.
Where we share information, we will share the minimum necessary, and this may be with:
- Auditors, inspectorates and other public or professional bodies
- Professional advisors and consultants
- Regulators, ombudsmen and commissioners
- Healthcare professional, social and welfare organisations
- Police, prosecuting authorities and courts
We will keep information provided to us in complaints, correspondence, subject access or freedom of information requests in line with our retention policy.
When you sign up to an event that we have organised we collect specific information about you as a delegate, facilitator or contributor. Events can include conferences, engagement, or other meetings and events. To find out more, please read our events fair processing notice [PDF opens in new window].
You can also download the privacy notice for our good practice shared learning events [opens in new window].
We organise and facilitate events solely as well as in collaboration with other public bodies.
Visitors to our website
We may need to communicate with visitors to our website for administrative or operational reasons. Where we collect specific information from you for this purpose, we will not pass it on to any other organisation.
We also collect standard internet log information and details of visitor behaviour patterns when someone visits our website. We do this to find out things such as the number of visitors to the various parts of our site, to monitor the download of our reports and publications and to help improve the service we provide.
This data collection process is carried out electronically in the background, and visitors to our website may not be aware that it is taking place. We believe that this process is not intrusive to visitors’ privacy, as we do not attempt to find out the identities of visitors to our website. The standard internet log information collected will only be used for the purposes mentioned and will not be passed on to any other organisation.
The Wales Audit Office website uses Google Analytics, which is a web analysis tool to collect the standard visitor log information we need to help us maintain and improve your visit experience. Google Analytics uses first-party cookies for this purpose. Information about Google Analytics and privacy at Google is available at on the Google Website [opens in new window]. To opt out of being tracked by Google Analytics across all websites visit the Google opt out page [opens in new window].
Our website may contain links to other websites which are outside our control and are not covered by this notice. If you access other sites using the links provided, the operators of these sites may collect information from you which will be used by them in accordance with their privacy notice, which may differ from ours.
Social media features and widgets
We hold information about our suppliers in our financial management systems for the purpose of managing our relationship with them, such as placing orders and arranging for payment to be made. The information may also be used for internal reporting purposes.
Subscribers to our newsletter
We send newsletter updates to individuals on the basis of their consent, through the opt-in sign up function. Your name and email address will only be used for the purpose of sending you a monthly newsletter, with tailored content based on the preferences you select. We will not disclose your personal information to third parties. You may amend your preferences or unsubscribe by opting out at any time, through the relevant links at the end of any email you receive from us.
Communicating with our distribution list
We hold a register of public sector contacts, and send this list updates at a minimum on a monthly basis, to publicise our work in the exercise of our supplementary powers, under sections 9 and 14 of the Public Audit (Wales) Act 2013. The legal basis under data protection legislation for sending these updates to our contacts list is performance of a task in the public interest.
On each email sent for this purpose, we provide individuals on the list the opportunity to raise queries or concerns by contacting our Data Protection Officer.
Access to personal information
You have a right to access the personal data that we hold about you by making a ‘subject access request’. You will need to make such a request in writing to the Information Officer, enclosing proof of your identify (such as staff ID card, or copy of driving licence or passport) and a clear description of the information you wish to see.
Please send requests by email to: email@example.com or write to us:
Wales Audit Office
24 Cathedral Road
The Information Commissioner’s Office
If you require further information in relation to your rights under data protection law or want to complain about with how we are handling your personal data you may contact the Information Commissioner at:
Information Commissioner’s Office
Tel: 01625 545745
Fax: 01625 524510