Privacy Policy

• Our responsibility to protect your data
• Information collected
• Your rights
• Communication and engagement activities
• Images, videos and user stories
• WeCare Wales Jobs Portal
• Event attendees and stakeholder networks
• Visitors to our offices
• People who make a complaint about Social Care Wales
• General enquiries
• Social Care Workforce data for research
• Information governance enquiries
• Visitors to our website and use of cookies by Social Care Wales
• Commissioned activity

We are registered as a Data Controller with the Information Commissioner’s Office. This means that we are responsible for:

• determining what information we will hold about you;
• informing you about the personal data we collect about you;
• telling you from where we collect your personal data, if not from you directly
• telling you how we process and utilise your personal data;
• providing details of the legal basis for the processing; and
• telling you if there are likely to be occasions where we will share your data with other agencies or third parties.

We have a responsibility to protect your data and comply with legislation, including the Data Protection Act 2018, and we take this responsibility seriously.

The type of information we collect and how we use it are set out below. Some of this information will be provided directly by yourself. On other occasions employers, trainers and other such agencies may provide it. We will only collect and retain information that we require to carry out our functions and/or to provide services to you.

There are a number of legal bases we can rely on to collect and process personal data. These are described in more detail below.

The legal bases which can be relied on to process your personal information include:

• Legal obligation - this applies where we need to collect and use your personal information to comply with a legal obligation.
• Public interest - as a public body, we collect and use personal information where this is necessary to perform tasks that are in the public interest or to perform our official functions.
• Vital interests - we collect and utilise information to protect the vital interests of yourself or of another individual.
• Consent - we may on occasion need your consent to use your personal information. In such instances you can withdraw and adjust your consent by contacting us (see below) or manage your preferences within your WeCare account if you have one.
• Contract - this applies where we have a contract with you and need to process your personal data for the purposes of the contract. It also applies where we need to process your personal data in order to enter into a contract with you.
• Legitimate interests - we are also entitled to process your personal data where it is in our legitimate interests to do so, or those of a third party. We only do this where we are satisfied that your privacy rights are protected satisfactorily. You have a right to object to any processing of your personal information based on this legal basis.

Choosing not to give personal information

If you choose not to provide us with certain personal data you should be aware that we may not be able to offer you certain services. For example, we cannot offer you training opportunities or add your job vacancies to our jobs portal. 

Accessing your data

You are entitled to request a copy of the personal data we hold about you by making a Subject Access Request (SAR). Please send your request through to FOI@SocialCare.Wales. You will have a response from us within 30 calendar days of us receiving your request. We will need to confirm your identity before processing your request. If you require assistance in making a SAR, please contact the Freedom of Information (FOI) mailbox and we will be in touch to offer support.

There is no charge for making a request unless you want an additional copy of the information or your requests are excessive.

You should be aware that in some cases we do not have to provide a copy of the data because an exemption applies. This could be where:

• the data is also the personal data of another person, and it would not be reasonable to disclose it to you without their consent
• disclosing the data would prejudice our regulatory functions, for example by making it difficult for us to conduct a fair fitness to practise investigation.

Further information is available on Social Care Wales’s Publication Scheme.

Controlling how we use your data

You have some rights under the Data Protection Act 2018 to control how we use your data, by asking us to amend it, delete it or limit how we use it. To exercise these rights, you should contact FOI@socialcare.wales or our Data Protection Officer Kate Salter, via kate.salter@socialcare.wales

You should be aware that there are exemptions from these rights. For example, we do not have to delete information if we are using it for our statutory functions and have legitimate grounds to continue using the data.

If you believe that information we hold about you is inaccurate or incomplete, you can ask us to review the information and correct it/add to it.

If you object to us processing your information or if you wish us to delete your information, please contact FOI@socialcare.wales so that we can consider your request and the basis for it.

Should you wish to change your preferences about how or what we communicate with you, you can do so at any time by contacting FOI@socialcare.wales 

If you have a WeCare Wales employer account, you can also change your preferences here.

https://wecare.wales/account-dashboard

Please note that if you do not wish us to send you communications, we would ideally wish to keep a record of this rather than delete your details completely to avoid you receiving further communications.

If you have consented to us using your image and it has been included in a publication and you wish to withdraw your consent, you should be aware that, we would be unable to destroy all copies of that document. We would, however, cease using the image in any further reproductions from the point at which you withdraw your consent.

We produce a range of materials in a variety of formats to promote good practice, developments and resources that can add to knowledge and help improve practice within the sector.

What we hold:

• contact details
• areas of interest
• employment details.

To enable us to:

• send out information in interested areas
• distribute a newsletter
• invite to attend events, webinars, training or learning
• send out surveys.

We have a legal obligation under Section 68 of the Regulation and Inspection of Social Care (Wales) Act 2016 to promote and maintain high standards in the provision of care and support services and may use information collected from the Social Care Wales Register to engage with you.

Sometimes we may require your consent* to retain this information and will make it clear on the invitation or communication.

We might share this information with third parties who may process it on our behalf to help us contact you. We ensure that any third parties we use to help us comply with Data Protection Act 2018.

Should you wish to change your preferences about how or what we communicate with you, you can do so at any time by contacting FOI@socialcare.wales

Please note that if you do not wish us to send you communications, we would ideally wish to keep a record of this rather than delete your details completely to avoid you receiving further communications.

Through our media campaigns, events and other projects we often ask consent to capture photos/videos or stories for the benefit of promoting our work, good practice and developments within the sector. Consent would be gained through completion of the appropriate form(s). If you consent to this you are able to specify how we can use your information and in what format i.e. social media, on-line on our website, press stories, in our printed literature and promotional material. On some occasions we use third party/suppliers to carry out this process and all data sharing would be controlled with contract and/or data sharing agreement.

Information held may include:

• personal stories
• photos
• videos
• contact information from you solely for the purpose of communicating with you in relation to this matter.

The purpose of holding this information is to:

• promote our work and services
• to assist with the training and development needs of the workforce.

This information may be shared with:

• the general public via social media, our website and resources.

Your personal information and associated consent is kept by us and may be used in the formats you have agreed for as long as seven years. Should you wish to revoke your consent at any point during that period, you can do so by contacting FOI@socialcare.wales 

You should be aware that where your information is shared, with your consent with a third party, such as the press on put on social media, the Privacy Notice and retention period of the relevant third party will apply and we have no control over this.

Within the WeCare Wales jobs portal (www.wecare.wales/jobs) visitor information is only stored as anonymous data and within the Cookie settings and permissions granted by the user.

Registered employer's details are retained as part of the registration process and stored in line with our data storage policy[AB1] .

We hold:

• employer’s name
• contact details
• organisation’s name
• organisations offerings (for example apprenticeship schemes, work placements).

We hold this information to:

• verify organisations
• verify job postings
• share employer’s offerings on our website.

We hold:

• names
• contact details
• job role (if applicable)
• place of employment
• access requirements
• dietary requirements.

We hold this information to:

• manage our events
• assist with training and development
• gain feedback on our existing and future work
• to keep you informed and updated of current and future work.

We do not share this information, but on occasion utilise third party software to send details, manage the bookings and circulate surveys. All third party software is compliant with the Data Protection Act 2018.

We may also, at times, use a third party facilitator to lead meetings or forums. Any access to data will be managed by our contract with the facilitator and they will be expected to sign a confidentiality agreement as part of that process.

In order to enable event attendees to network effectively at our events, we may share delegate lists. Let us know if you do not wish your details to be shared.

We hold:

• names
• contact details
• place of employment
• CCTV footage.

We hold this information to:

• manage our security and health and safety obligations. We hold use visitor registers at both our Cardiff and St Asaph offices which are used for roll call following evacuation e.g. in the event of a fire
• record CCTV images of people entering and leaving our premises as well as strategic positions surrounding the building. This information is recorded for security monitoring and the investigation of alleged criminal offences. The images may be shared as part of disciplinary matters or with law enforcement and courts as needed.

Where we are not the sole occupier of the building (Cardiff Office) there is additional CCTV which is controlled by the building owners.

We hold:

• personal details
• contact details
• nature of complaint.

We hold this information to:

• comply with our statutory requirement to manage complaints.

We do not share this information externally although we may publish anonymised statistics and details about complaints.

We retain the content of the complaint permanently as a corporate record.

We use Clobba software provided by Code Software UK ltd for our General Enquiries telephone system. The software used meets the requirements of ISO27001.

Only code engineers have access to customer data on a need to know basis for set up and support purposes.

Code Software systems and data are hosted in Microsoft Azure hosted data centres in the EU.

Code software are registered with the Information Commissioner and are compliant with UK Data Protection Act 2018 and GDPR.

The retention period for data is currently two years or deletion on request.

The information collected includes:

• calls (voice, Video and Audio Conference)
• call detail records
• name, email address, department, title
• all Teams meetings details including chats
• app sharing.

This information is used for:

• responding to enquiries
• performance reporting
• providing IT/ call management assistance as and when required.

Where activity is commissioned to a third party/supplier all appropriate data shared would be controlled within an established contract or a data sharing agreement.

We may hold:

• personal details
• information submitted by the person involved in the activity.

We may hold this information to:

• carry out the requirements within the activity.

We may also share anonymous data with third parties for research purposes but any research projects must meet the criteria of our Research Support and Engagement Framework before it can be shared. The findings of any research projects using our anonymous data will be published on our website.

We hold:

• personal information
• contact details.

We hold this information to:

• comply with statutory requirements
• process requests for information
• compile statistics
• consider if our publication scheme is sufficient.

We keep the content of these requests for the following time:

• freedom of Information requests that are still classed as open are kept for one year. Documents which are subsequently opened are kept for two years
• freedom of information requests which have been closed are kept for 10 years
• Subject Access Requests are kept for five years.

We might share this information with:

• the Information Commissioner’s Office
• the public when we publish Freedom of Information requests and responses on our website, although such information is publish anonymously.

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work more efficiently, as well as to provide analytical information to the owners of the site.

We use Civic Cookie control to manage cookie permissions.

Consent mode, the consent state and Civic is managed within Google Tag Manager (GTM). By default, consent mode is set to deny as any page loads on our sites. Until a preference has been made no cookies will be placed on the users browser and the Civic cookie banner will remain present

On first visit, you are presented with the option to set your preferences and can accept or reject cookies in their preferred language using Civic. The Civic cookie banner will provide users with information about the categories of cookies are used on the site and allow them to set their preferences for each category.

• You can update their cookie preferences at any point during a visit.
• Preferences made in Civic are recorded by Civic.
• User preferences made in Civic update the consent state in GTM.
• Updates to the consent status (accept/deny) will allow/block tags in.