This privacy notice explains the way in which we, the Public Services Ombudsman for Wales, handle your personal information when you agree to provide us with professional advice.


1. The legal basis for processing your information

2. What information we hold about you and why

3. Sharing and receiving your information

4. How long we keep your information

5. The steps we take to protect your information

6. Your rights


1.   The legal basis for processing your information

When you agreed to provide us with professional advice you would have been asked to enter into a contract with the Public Services Ombudsman for Wales.  Therefore the lawful basis on which we process your personal information is because it is necessary for the performance of our contract with you.

We will need your consent to share limited personal information about you with other Ombudsman Schemes who may approach us when looking for appropriate professional advisers.  You can choose to withdraw your consent for us to do this at any point.


2.   What  information we hold about you and why

We will need personal details such as your name, address and email address, phone number so that we can contact you.

We will hold information about your professional background such as your education, qualifications, professional membership (where appropriate), any relevant criminal records declarations and references so that we can be certain that you are qualified to provide advice.  We also ask about your employment history so we can be aware of any potential areas of conflict.   This enables us to match advisers appropriately according to the areas of expertise.

We will also require your bank details so that we can pay you for the professional services you provide or reminburse expenses where appropriate.

As we will be seeking your advice on complaints investigations your professional opinions will also be recorded within the complaint record.

We will also use the information to consider any expression of interest and to conduct reviews or appraisals of advice received.


3.   Sharing and receiving your information

We have a reciprocal arrangement with other Ombudsman Schemes and share limited information to enable us to source professional advice.  We may therefore have received your personal information from a third party such as another Ombudsman Scheme or professional body to enable us to approach you.  If you do not wish for us to pass your details onto other Ombudsman Schemes who may contact you then please let us know.

The professional  advice you provide may be shared at various stages of the investigation process and, generally, will be shared in the draft investigation report.  Whilst your name will not be included in any draft investigation report, your name will be included in a final investigation report, unless there are particular reasons for not doing so.  This will be shared with the complainant,

the public body compained about and other organisations that the Ombudsman considers it appropriate to share the report with.  For example, the Health Inspectorate Wales or other regulator.  You should raise any reasons or concerns about identification in particular cases with the Investigation Officer.

Sometimes we publish investigation reports on our website where the Ombudsman considers there is a public interest in doing so.


4.   How long we keep your information

We hold your personal information for as long as you agree to provide us with professional advice.  If you decide that you no longer wish to provide advice to the Ombudsman then please let us know.  If you also wish to have your details removed from our database please be aware that your personal data will be retained for a limited period as required for accounting purposes.  This will be a maximum of 7 years from our last contact with you in line with our Record Retention Schedule.

Please also be aware that if you have provided advice in connection with a particular investigation, it is possible that you may be identified from the report linked to the investigation.  Under our legislation that report cannot be amended.


5.   The steps we take to protect your information

We ensure that we protect your personal information in the following ways:

  • We send any confidential or sensitive personal information using encrypted secure email via Microsoft 365 email. This is necessary to protect the contents of the material.  You can access the encrypted email automatically if you have a Microsoft Office 365 account. If you do not already have a Microsoft Office 365 account, you can access the encrypted email by selecting the ‘sign in with a one-time passcode’ option when you open the email. This one time passcode will be emailed to you which you can then use to access the email.
  • We also use a secure external file sharing platform called Objective Connect.
  • We use data processors who are third parties to provide some services for us such as software suppliers. We have contracts or data processing agreements in place with them for these services which set out the instructions they must follow.  This includes ensuring that adequate safeguards are in place to protect your information.


6.   Your rights

You have the following rights over the information we hold about you:

  • to request access to your information
  • to ask that we update, complete or correct your information, if it is inaccurate or incomplete
  • the right to object to our using your information in certain circumstances, and
  • the right to limit our use of it in certain circumstances.

You can contact us to exercise your rights or to make a complaint about how your information is used by contacting Alison Parker, Data Protection Officer by email

If you are unhappy with the way in which we have used your information you have the right to complain to the Information Commissioner’s Office (ICO).


May 2022