This privacy notice tells you about how the Wales Audit Office (WAO) processes information about you as a current or former member of staff. “Staff” in this notice means any individual working for, or as part of, the WAO, including employees, board members, agency and casual workers, volunteers, trainees and those carrying out work experience.

Who we are and what we do

The Auditor General for Wales (AGW) is the auditor of most Welsh public bodies. His work includes examining how public bodies manage and spend public money. The WAO provides the staff and resources to enable him to carry out his work. Audit Wales is a trademark of the WAO and is the umbrella identity of the AGW and the WAO. The WAO is the employer of staff. Further information is available on the Audit Wales website.

The relevant laws

The WAO processes your personal data in accordance with data protection legislation—the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The underlying legal basis for the processing is the provision of resources under section 21 of the Public Audit (Wales) Act 2013 for the AGW’s work and the performance of the contract between the WAO and you as its staff.

In terms of the UK GDPR, your personal data is processed under Article 6(1)(b) (performance of contract), Article 6(1)(c) (compliance with legal obligation), Article 6(1)(e) (public task) and Article 6(1)(f) (legitimate interests) depending on the particular activity (see details below). Processing is undertaken under Article 6(1)(f)) where the activity does not fall within the scope of performance of contract, legal obligation or public task but nevertheless supports core business functions, as is the case with the automated transcription or summarisation of meetings.

Where necessary for the performance of statutory functions, staff special category personal data (e.g. information about health) is processed under Article 9(2)(g) of the UK GDPR (substantial public interest), and staff criminal offence data is processed under paragraph 6 of Schedule 1 to the Data Protection Act 1998 (exercise of statutory functions).

You should be aware that if you choose to make use of voice and or facial recognition software for calls or meetings in connection with Audit Wales work, this will involve processing of your biometric data, which is special category personal data. The basis for this processing will be Article 9(2)(c) (consent). This option is offered in Microsoft Teams software—the WAO does not require you to choose to do this.

What we will do with your data

We will use your data where it is necessary for the performance of your contract with the WAO or for compliance with any legal obligation that apply to the WAO.

These purposes include (but are not limited to):

• administration of your employment or other working relationship with the WAO, including pay, taxation, expenses and pension;
• management or other activity in relation to your attendance, work, working patterns and time recording, performance, personal development or progress;
• development of WAO strategies, policies, procedures and working practices, e.g. to inform future ways of working and workplaces;
• documenting attendance at and contribution to meetings and other events where relevant, in person or online as appropriate, both onsite and offsite;
• administration of independence returns to ensure compliance with the FRC Ethical Standard;
• supplying staff training, including where necessary for the registration of professional training;
• Baseline Personnel Security Standard checks and national security vetting (where required, e.g. for work with Welsh Government);
• inclusion of staff personal telephone numbers an internal telephone directory for business continuity and disaster planning;
• administration and, where necessary, monitoring of access to and use of information systems;
• routine administrative functions such as access to buildings (including use of an individual’s photograph on staff identity card);
• use of photographs on the WAO internal webpages (Hub), email, IT systems, and video conferencing software;
• operating a CCTV system, in accordance with the WAO CCTV Policy;
• data matching, for the prevention and detection of fraud; and
• equality monitoring.

We will keep your personal data for the periods specified in our Documents and Records Management Policy and we will hold your data securely in accordance with our Information Security Policy.

Any audio and/or video recordings made by the WAO will be stored securely.

Artificial Intelligence (AI) may be utilised in the processing of personal data in accordance with our Artificial Intelligence and Digital Initiatives Policy but will not be used to make solely automated decisions.

Special category (sensitive) personal information

We process sensitive personal information relating to health, sickness and well-being for the purposes of employment and/or health and safety purposes.

We process sensitive information about physical or mental health conditions or disabilities in order to:

• monitor sick leave and take decisions as to fitness for work;
• facilitate decisions relating to attendance at offices and other workspaces;
• make reasonable adjustments.

We process other sensitive personal information, such as racial or ethnic origin, religious belief, sexuality, disability and other protected characteristics to monitor compliance with equality legislation. Such processing includes statistical monitoring, but we will ensure that individuals are not identifiable from any reports produced using such information. Where special category personal data is processed this is done in accordance with our Policy for Processing Special Categories of Data, with an additional legal basis for that processing being met. The applicable basis will ordinarily be for employment, social security and social protection (authorised by law).

You should be aware that if you share personal data during the course of recorded and AI-processed interviews and meetings, such data will be processed along with other information, including sharing with third party external software providers. We therefore suggest that you refrain from sharing sensitive personal information, such as information about ailments (as might typically be shared in introductions during physical meetings) once recording has commenced unless such sharing is strictly necessary.

How we share your data

Your personal data may be shared internally in accordance with the data protection principles where there is a legal basis for such processing.

We will share your data with external organisations, such as HMRC, the Cabinet Office, UK Security Vetting (UKSV) and professional bodies (e.g. ICAEW and CIPFA), for the following purposes:

• administration of your employment or other working relationship with the WAO, including pay, expenses, taxation and pension;
• administration of registration and/or training with professional bodies or other necessary interactions with professional training suppliers and professional training bodies;
• Baseline Personnel Security Standard checks and national security vetting (where required, e.g. for work with Welsh Government);
• audit planning and corporate resource planning where disclosure is necessary to ensure compliance with the FRC Ethical Standard;
• data matching in the National Fraud Initiative, for the prevention and detection of fraud;
• responding to Public Inquiries;
• registration and administration of an employee benefits portal (staff can opt out of this).

Further information about the participation of the WAO in the data matching exercises conducted by the National Fraud Initiative and the relevant fair processing notices are available on the Audit Wales website, and hub.

We will share your data with software providers (e.g. Microsoft) to enable our use of digital services, including AI processing, in relation to the activities outlined at paragraph 6.

We may share some personal data with external organisations for the purposes of mentoring or coaching schemes, development opportunities, conferences and events.

Disclosures to third parties of your sensitive personal data may be made where there is a legal obligation, or if it is necessary to protect your vital interests (e.g. in life-threatening situations), during or after your period of employment.

Keeping your information up to date

It is important that the information we hold about you is up to date. If your personal details change or if they are currently inaccurate then it is important that you let us know by updating your information on the Employee Self Service (ESS) system or by contacting your line manager, HR or the Information Officer. You can record any special requirements or requests for reasonable adjustments in the ESS system.

Your rights

Under data protection law you have rights to ask for a copy of the current personal information held about you and to object to data processing that causes unwarranted and substantial damage and distress.

To obtain a copy of the personal information we hold about you or discuss any objections or concerns, please write to the Information Officer, Audit Wales, 1 Capital Quarter, Tyndall Street, Cardiff, CF10 4BZ or email infoofficer@audit.wales. You can also contact our Data Protection Officer at this address.

You have the right to complain directly to us about the handling of your personal data. Please email complaints@audit.wales.

Information Commissioner’s Office

To obtain further information about data protection law or to complain about how we are handling your personal data, you may contact the Information Commissioner by visiting: www.ico.org.uk, writing to: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, or by telephone on: 0303 123 1113 (or 0330 414 6421 to speak in Welsh).

You should note, however, that the ICO would normally expect you to have exhausted our internal complaints procedures before dealing with a complaint. Further guidance may be found on the ICO’s website [opens in new window].