This privacy notice explains the way in which the Public Services Ombudsman for Wales will handle your personal information (or the personal information of an individual in relation to whom you are acting). The requirements of the privacy notice are set out in the General Data Protection Regulation and the Data Protection Act 2018.
The privacy notice for consultations, surveys, and engagement events can be found here.
An easy read version can be found here.
When you submit a complaint, we will collect information about you. Depending on the nature of your complaint, and the information you give to us, this may include information concerning your physical or mental health, or the health of the person on whose behalf you are complaining. We may also receive your information from other sources – for example, other regulators, bodies in jurisdiction or other third parties.
In deciding whether to investigate the complaint, or during an investigation, we may need to obtain further information from the body or individual about whom the complaint has been made. Depending on the nature of the complaint, this may include information concerning physical or mental health, or the health of the person on whose behalf you are complaining. For example, if the complaint relates to treatment in hospital, we may need medical records.
Where we obtain these records, we will do so on the basis that we cannot consider or investigate a complaint without obtaining the records. Consequently, we will generally not require your consent. However, if you are complaining on behalf of someone else, we still need to make sure that the ‘data subject’ understands that we may access their records. If you are complaining on behalf of someone else, you should ensure that they see this notice.
Sometimes, we may need to give your information to other individuals or organisations. For example, we may need advice from an Independent Adviser, or we think that another organisation should know about a matter, such as the Information Commissioner’s Office or the General Medical Council. Where we disclose your information, we will do so in line with the requirements of our governing legislation or in the interests of natural justice.
For your information, our statutory function and associated powers for considering and investigating complaints are set out in the Public Services Ombudsman (Wales) Act 2019 and the Local Government Act 2000.
You may be asked to provide ‘Equality monitoring data’. If provided, we will use this data to comply with our legal obligations set out in the Equality Act 2010 and Wales-specific Regulations. These obligations include the annual reporting of equality data. All equality monitoring data is anonymous when included in our annual report.
You may also be asked about your level of satisfaction with the service provided by this office. We will use these responses to understand the satisfaction with our service and any areas for improvement.
In some instances, we produce summaries of complaint outcomes, which are then made publicly available. Before doing so, we will remove any names and identifying information. As part of our commitment to ‘Open Data’ and transparency, we also publish a list of complaints closed per quarter, together with reference numbers, bodies complained about, subject categories and outcomes. As with summaries, we will remove any identifying information.
You should note that we record all incoming and outgoing telephone calls. These calls are recorded for monitoring, training and complaint resolution.
We may be provided with your information by third parties – for example, if you have witnessed an incident. We may also obtain your information from publicly accessible sources, such as minutes of meetings. In these circumstances, we may use this information during an investigation – for example, in obtaining witness statements.
You should be aware that all information you provide will normally be given to the body, or individual, about whom you have complained in full, unless you highlight particular concerns. This will provide them with an opportunity to comment on the complaint. As set out above, we may also need to provide your information to third parties, such as Independent Advisers or other Ombudsman and regulators.
We may also disclose information if we feel that an individual is likely to cause a threat to the health and safety of other people – for example, regulators within the Health sector.
In some instances, we may identify or receive information that we feel should be given to the relevant authorities, such as the police – for example, threats of violent behaviour. In these circumstances, we will disclose any information which we feel necessary to protect an individual’s ‘vital interests’.
We will keep personal information contained within complaints or associated material for a number of years but usually no more than 10 years. We routinely destroy hard copies of complaint files after two years following the date on which the complaint is closed, unless there is an exceptional reason to keep the information for longer. We will remove identifying information from electronic records after ten years following the date on which the complaint is closed.
Electronic material is kept for longer so that we can keep key material should a matter require review or reopening, and so that we can identify and monitor patterns or failures in the provision of public services.
Whilst equality data is retained indefinitely, we routinely remove identifying information from case records after 10 years. We keep call recordings for 30 days, unless there is exceptional reason to keep the recording for longer – for example, a witness statement. These calls are kept for ten years following the date on which the complaint is closed.
The majority of your personal information is hosted within the European Union. However, it may be necessary to transfer your personal information to countries outside of the European Union – for example, where cloud-hosted IT software is held or supported in third countries. In doing so, we will ensure that adequate safeguards are used to secure the data – for example, by encryption and ensuring that suppliers are subject to contract clauses in respect of data security.
Where we communicate with complainants, or complainant representatives, via email, we may not be able to identify the destination of your information. Nevertheless, we will encrypt all transfers of sensitive personal information, or bulk personal information, as standard.
Subject to exemptions, and the basis for processing your information, the following rights may be available to you:
If you wish to exercise any rights, or know more information about the rights available to you, you should contact the Data Protection Officer.
The Public Services Ombudsman for Wales is the data controller for the purposes of the General Data Protection Regulation and the Data Protection Act 2018, including in respect of processing by any appointed data processors.
If you have any queries regarding the processing of personal data by the Public Services Ombudsman for Wales, or if you wish to exercise any rights set out above, you should contact Alison Parker, the Information Governance Manager on the following details:
Postal address: 1 Ffordd Yr Hen Gae, Pencoed, Bridgend, CF35 5LJ
If you remain dissatisfied, you can complain to the Information Commissioner’s Office:
Postal address: Wycliffe House, Water Lane, Wilmslow, SK9 5AF
Tel: 0300 123 1113