Introduction

The Senedd Cymru (Member Accountability and Elections) Bill introduces a system of recall of Members of the Senedd from office during their term. It will allow electors the final say on whether a Member of the Senedd should be removed or retained following one of two possible trigger events having occurred:

  • a Member being convicted of an offence in the United Kingdom and receiving a custodial sentence or being ordered to be imprisoned or detained (and it is a sentence that does not result in automatic disqualification from office)
  • the Senedd agreeing to submit a Member to a recall poll following a recommendation from the Standards of Conduct Committee (‘SoCC’) to impose the sanction of recall.

It also includes measures which aim to strengthen the Senedd’s standards process including:

  • providing for additional flexibility for the Senedd Commissioner for Standards (‘the Commissioner’) to carry out an investigation into a Member’s conduct of their own initiative
  • allowing the Senedd (should they choose to do so) the ability to appoint lay Members to the SoCC
  • requiring the Senedd to establish a SoCC in every future Senedd, and
  • providing for the ability for the Senedd to establish an appeals mechanism as part of the standards process.

The Bill also places a duty on Welsh Ministers to make provision in a future Conduct Order prohibiting the making of false statements of fact during an election period.

The processing

The Welsh Government will have no direct involvement in the collection and processing of the data.

This assessment has been completed to describe what the Welsh Government considers the data protection and privacy implications of the Bill’s measures. Many of the details, including how the data will be transferred, will need to be agreed between the data controllers. However, the Welsh Government is aware that they already have robust systems in place to carry out the collection, processing and deletion of data securely, given they currently do this in other circumstances.

The introduction of a system of recall for Members of the Senedd

The Bill places a duty on the Courts in England and Wales to provide information to the Presiding Officer Senedd Cymru (‘Presiding Officer’) if a Member of the Senedd is convicted and ordered to be imprisoned or detained (including suspended sentences), or if they have successfully appealed against any such conviction or sentence. In these circumstances, the source of the data will be the courts. The data processors will be HM Courts and Tribunals Service officials who, on the instruction of a Judge, will prepare the notification to the Presiding Officer. The data that will need to be shared will be in the public domain as a result of the criminal justice process.

The Bill also places a duty on the Presiding Officer (who will be the data controller and source of the data) to give notice to a Constituency Returning Officer (‘CRO’) that one of the two recall trigger events above has occurred. The notice required must include various information including the name of the Member and details of the trigger event that has occurred (the information about the trigger event will already be in the public domain, as a result of the criminal justice process, or as a result of the Commissioner’s and SoCC’s reports, which are published on their respective websites, as per the current arrangement). The notice will likely be prepared by Senedd Commission officials who provide administrative support to the Presiding Officer and therefore they will be the data processors in these circumstances. The CRO on receipt of the notice will become the data controller, with local authority Electoral Administrators (‘EAs’) being the data processors, as on receipt of the notice, a CRO will instruct EAs to organise and run a recall poll. To do so, the Electoral Registration Officers (‘EROs’) and EAs in the local authority will use electoral register data to ensure those registered to vote in the relevant Senedd constituency are able to vote in the recall poll.

The Bill does not include any powers to make regulations on how electoral register data is collected for the purposes of a recall poll. This is because for the data to be used for the purposes of running a recall poll, EROs and EAs will rely on the existing data collected either by voters registering to vote or through the annual canvass.

A data flow diagram setting out the data processing covering the 2 recall trigger events and the duties placed on the Courts and the Presiding Officer is below.

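[Image: data flow diagram covering the 2 recall trigger events and the duties placed on the Courts and the Presiding Officer]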

The appointment of lay Members to the SoCC and any Senedd’s appeals mechanism

Should the Senedd choose to appoint lay Members to the SoCC and any appeals mechanism, the Senedd Commission (who provide administrative support to the Senedd and the SoCC) will collect, either directly or through use of a 3rd party recruitment agency, personal data of both applicants for the role of a lay Member and those appointed. The Senedd Commission already has systems to be able to collect and store personal data securely, such as the personal data that will be provided by lay Members on an application form (for example, name, address, email address and bank details - for remuneration purposes). The Senedd Commission already has such systems in place to collect this data for its employees. The personal data will only be shared with those that need to process it, for example, to create IT accounts or for remuneration payment purposes. The names and backgrounds of those appointed to the role will be shared with all Members of the Senedd, in order for them to be informed when voting to approve the appointments. In these circumstances, the SoCC will be the data controller, whilst the Senedd Commission (and any 3rd party recruitment agency they may use) will be the data processors. The personal data will be stored and retained for a requisite period. This is likely to be shorter for those unsuccessful in being appointed, as the data will only be needed for the period of the recruitment process.

If appointed, lay Members will perform an adjudication function as part of the SoCC and any appeals mechanism, therefore details of a Member’s alleged misconduct and the investigation of it will need to be shared with the lay Members. This will be done by way of sharing a copy of the Commissioner’s investigation report. In these circumstances the Senedd Commission (who prepare papers for the SoCC and will do so for any appeals mechanism) will be the data controller and the lay Members will be data processors. Given the nature of the role they will be asked to perform, lay Members are unlikely to have existing systems in place for the processing of data. Therefore, the Senedd Commission will need to provide lay Members with appropriate data sharing agreements and overarching appointment terms and conditions which impose measures for the use and storage of personal and special category data. This will ensure the data is treated securely, retained only for a requisite period and then destroyed appropriately.

Commissioner for Standards – own initiative investigations

The Bill expands the existing function of the Commissioner to investigate complaints received, by providing a power for the Commissioner to carry out an investigation into a Member of the Senedd of their own initiative, without the need for a complaint having been received. This will mean they will process both personal and potentially special category data about a Member and any persons subject to and in witness of the alleged misconduct. The Commissioner (as the data controller) already does this as part of their existing functions set out in the National Assembly for Wales Commissioner for Standards Measure 2009, when individuals make complaints. That legislation (National Assembly for Wales Commissioner for Standards Measure 2009, S16) governs the Commissioner’s role and includes measures to ensure they and their staff maintain confidentiality, and the Bill will extend that obligation to data collected through own initiative investigations. This is in addition to obligations under GDPR and data protection legislation.

Senedd Commission officials make up staff of the Commissioner’s office and therefore will act as data processors where required to do so on behalf of the Commissioner. The Bill makes provision for a threshold which must be met before an own initiative investigation can commence, which will ensure that any data processing is proportionate and necessary in order for the Commissioner to perform their functions. Given the Commissioner’s established procedures for investigating complaints, they already have a privacy statement in place that can be provided to both Members of the Senedd and witnesses, to explain how their data will be used and how long it will be retained for. Also, the Commissioner already has as part of their procedures an operational practice whereby they anonymise the names and specific identifiable information of witnesses within their investigation reports that are published on their website. As the Commissioner already has functions for the investigation of complaints, they already have robust systems in place for the storage and eventual deletion of data within set retention periods which can be applied in relation to investigations carried out on the basis of the new function of the Commissioner. These are published in a privacy notice – for an admissible complaint, data is retained for a period of 6 years and for non-admissible complaints, the period is 2 years.

The scope of the processing

The introduction of a system of recall for Members of the Senedd

For the sharing of information between the Courts and the Presiding Officer, the data will be criminal offence data as the notification requires the court to share information about the conviction, the sentence and whether it is a suspended sentence and then in the case of an appeal, the fact that it has been overturned. All of this information will be in the public domain in any event.

Similarly, for the issuing of the notice from the Presiding Officer to a CRO, informing them that one of the recall trigger events has occurred, the notice may include details of criminal offence data where trigger event A has occurred. Alternatively, it may include special category data, with the details of a Member’s misconduct and anonymised data of those subject to or, who have been in witness of a Member’s misconduct. For the circumstances of a criminal conviction, the same information that was shared by the Courts to the Presiding Officer will be shared with the CRO. For the other trigger event, the SoCC’s report of their consideration of a Member’s misconduct will be shared with the CRO.

For each of the scenarios, the data being processed will either be information already in the public domain or, be the minimum necessary for the purpose of the functions set out above.

Where the courts are required to share criminal conviction data with the Presiding Officer, and where the Presiding Officer is then required to issue a notice to the relevant CRO, this will have potential application to a maximum of 96 people for the duration of each Senedd term, i.e. the 96 Members of the Senedd. The circumstances are expected to occur in a very small number of cases, i.e. only if any of the 96 Members have been convicted of an offence and sentenced to a term of imprisonment of one year or less, or any other custodial sentence that does not lead to disqualification.

Similarly, for the second recall trigger event, that being the recommendation of recall of a Member of the Senedd as a result of consideration by the SoCC, it is expected that it will be rare that this circumstance occurs, given a Member’s misconduct would have to be of the most serious nature to warrant the SoCC recommending the sanction of recall.

The geographical area covered is England and Wales. However, the extent to which England is captured by the proposals is only in respect of the duty of the Courts to notify the Presiding Officer, with regard to a criminal conviction and sentence of a Member of the Senedd or any successful appeal of such a conviction and sentence.

It will be for the Courts in England and Wales as the data controller and the Senedd Commission as the data processor on behalf of the Presiding Officer, as also a data controller, to decide what the retention period for the data collected and processed will be in circumstances of the duties placed on them by the Bill’s measures. Both the Courts and the Senedd Commission already have systems in place that include consideration of retention periods for personal, special category and criminal conviction data.

The appointment of lay Members to the SoCC and any Senedd’s appeals mechanism

For the appointment of lay Members to the SoCC, they will be asked to provide both personal and some limited special category data as part of the recruitment process. This data will be collected by either the Senedd Commission (or potentially by use of a 3rd party recruitment agency). The personal data that will be provided by applicants and those appointed is likely to include names, addresses, post codes, email addresses, telephone numbers, dates of birth, national insurance numbers, personal statements that will include employment histories and relevant experience, photographic identification as proof of permission to work in the UK and references. The special category data will be any current or recent party-political membership, for the purposes of managing and mitigating any conflicts of interest, given the role of a lay Member will involve adjudicating on the misconduct of elected Members of the Senedd.

Whilst the initial appointment of lay Members may mean more individuals are affected as a result of applying for the role, once appointed it is envisaged that the need to collect the personal and special category data will only occur when a vacancy needs to be filled. This will either be after the maximum period for a lay Member to be in the role lapses (as set out below) or, a lay Member vacates the role as a result of a resignation, death or incapacity, or is removed as a result of an investigation and adjudication process because of concerns about their conduct.

It will be for the Senedd Commission, as the data processor on behalf of the SoCC who is the data controller, to decide what the retention period for data collected will be. The personal and special category data will be stored and retained for a requisite period needed. For those unsuccessful in being appointed to the role, their personal data will likely be erased sooner as the data will only be needed for the period of the recruitment process.

It is for the Senedd to decide how many, if any, lay Members will be appointed to the SoCC and any appeals mechanism the Senedd establishes. The Bill includes measures that lay Members may only remain in the role for a period of 12 years (two, 6-year periods) maximum.

For applicants, it is difficult to predict the number of those who may apply for the role, but given the nature of it, the need for them to meet certain criteria and the legislative disqualification criteria set out in the Bill, some individuals will be ruled out of being eligible.

The geographical area covered is primarily Wales, however it is envisaged that applicants for the role of a lay Member may be resident in other parts of the UK.

Commissioner for Standards – own initiative investigations

The ability for the Commissioner to carry out an investigation into a Member’s conduct on their own initiative will involve the Commissioner and their office (which is made up of Senedd Commission officials) processing personal data including the name of the Member being investigated and individuals subject to, or in witness of, the Member’s alleged misconduct. The personal data may include names, email addresses and telephone numbers. Use of this data will include the need for the Commissioner to take witness statements and collect information/evidence relating to their investigation. The information and evidence the Commissioner will collect may also include special category data depending upon the nature of the alleged misconduct. In the circumstance where a Member of the Senedd is subject to a police investigation, information the Commissioner collects may also include criminal conviction data.

The Commissioner already has obligations not only under data protection legislation but also under the Standards Measure to ensure that information remains confidential by not disclosing details of an investigation, including not confirming whether or not a complaint has been received about a Member (The Standards Measure 2009, S16).

The Commissioner will only collect and process data that supports the effective exercise of their functions, namely, to investigate allegations of a Member’s misconduct. Investigations under the Commissioner’s new function will be carried out in a similar way to the investigations the Commissioner is already required to carry out for complaints made by individuals.

It is not possible to predict how often the Commissioner will need to collect and process data as part of an own initiative investigation and therefore how many individuals may be affected, as this is subject to both a Member either breaching a declaration obligation or behaving in a way that amounts to misconduct and the Commissioner becoming aware of this.

The Commissioner retains data relating to investigations for a period of 6 years from the date of an admissible complaint (therefore requiring investigation) being made, or a period of 2 years for a non-admissible complaint. It is envisaged that the Commissioner will adopt the same approach for data gathered during investigations which they commence on their own initiative. Therefore, if the Commissioner is provided with information/data that reaches the threshold for investigation they will retain this for 6 years, whilst information/data that does not result in the threshold being reached will be retained for 2 years.

The geographical area covered is primarily Wales given the Commissioner’s role is to investigate the conduct of Members. However, it is possible that the Commissioner may be required to collect evidence from individuals and organisations, for example, the Police, in other parts of the UK.

The benefits of the processing

The introduction of a system of recall for Members of the Senedd

The duty on the Courts in England and Wales to notify the Presiding Officer when a Member of the Senedd is convicted and ordered to be imprisoned or detained (including suspended sentences), or if they have successfully appealed against any such conviction or sentence and, the duty on the Presiding Officer to inform a CRO by way of a notice that one of the trigger events has occurred, is to ensure the effective operation of the system of recall.

The overall aim of the system of recall is to bring about the benefit of enhancing the accountability of Members of the Senedd and the systems that regulate and sanction their behaviour. The intended effect on the Member who will be the subject of the data transfer, is that it will lead to them becoming subject to a recall poll and therefore allowing their constituents the opportunity to decide if they want to remove or retain them.

The appointment of lay Members to the SoCC and any appeals mechanism

The collection and processing of personal data and some limited special category data for lay Members is to support the carrying out of a recruitment and selection process. For the special category data (political party membership), this is to facilitate the mitigation and management of any perceived or realised conflicts of interest. This is in relation to the lay Member role including an adjudication function, in considering the conduct of a Member. For those ultimately appointed to the role, their personal data including names, email addresses, phone numbers and bank details will be used to arrange lay Members’ attendance at meetings of the SoCC, the sharing of documentation and to process remuneration payments.

The benefits of the data collection and data processing are to ensure the effective operation of the recruitment and selection of lay Members and to ensure the effective operation of SoCC’s meetings and any appeals mechanism.

Commissioner for Standards – own initiative investigations

The collection and processing of personal and special category data of a Member and individuals who have been subject to, or in witness of, the Member’s misconduct as part of an own initiative investigation is for the purpose of the Commissioner performing their functions, specifically investigating the Member’s alleged misconduct. The intended effect on individuals is to provide the opportunity for the Member of the Senedd to make representations on the alleged misconduct to the Commissioner and, where relevant, the SoCC as part of the standards process, and for individuals who have been subject to, or in witness of, the misconduct to provide information to the Commissioner and, if required, give oral evidence to the SoCC when they consider the misconduct and make a recommendation on the sanction to be imposed. The benefit of the Commissioner being able to process the data is that it provides them with the ability to investigate alleged misconduct without the need for a complaint to be made and to make best use of the flexibility that an own initiative investigation affords them, in upholding the standards expected of a Member of the Senedd.

Consultation process

The Welsh Government will not be responsible for the collection or processing of the personal or special category data. The data controllers and processors will be responsible and already have such responsibilities in other contexts, as set out above. They have robust and secure systems in place for the collection, processing, storage and, within lawful timeframes, the deletion of data.

For the system of recall, the passage of the Bill in early 2026 will not result in the duties for particular data controllers (the Courts in England and Wales and the Presiding Officer) taking effect immediately. These duties will only be implemented after the passage of secondary legislation that the Welsh Ministers will bring forward. This will implement the detail of the system of recall. It is planned that in the preparation of that legislation, the Welsh Government will engage with the data controllers, to understand the practical method by which data will be transferred and stored securely.

The data that will be processed by the controllers will relate to an individual Member of the Senedd. However, the data to be processed will already be in the public domain and this may therefore mitigate the concerns of Members of the Senedd as data subjects. During the passage of the Bill through its legislative stages, Members of the Senedd will have the opportunity to debate the duties and raise any questions or concerns about the data processing. Whilst the data processing will only relate to a Member in the next Senedd, rather than the current 60 Members, there will be an opportunity for the 96 Members in that Senedd to engage on this issue, through debates during the passage of the secondary legislation and implementation of the system of recall.

For the implementation of the measures to strengthen the Senedd’s standards process, engagement has taken place and will continue to take place with data controllers during the passage of the Bill through the legislative process. This will include discussing with the Senedd Commission and the Commissioner what, if any, additional measures or changes to existing processes and systems they will need to make to implement the Bill’s measures. However, it is envisaged they will be able to rely on existing processes and systems to ensure the security of the data collected, processed and stored. Examples of these processes and systems include the Commissioner already having a system in place for the collection and storage of data gathered during the course of an investigation, and the Senedd Commission having a system for the collection and storage of personal and special category data for their own employees. They also have systems in place for the secure sharing of documents for meetings of Senedd Committees.

Both the Senedd Commission and the Commissioner have privacy notices in place which explain how they use and store data securely and requisite retention periods.

Necessity and proportionality

Duty on the criminal courts in Wales and England to notify the Presiding Officer of any conviction and sentence, or successful appeal

For the purposes of this provision the Court will be required to share the name of the Member (personal data) and details of their conviction and sentence (criminal conviction data). As the requirement to share the information will be a duty in the legislation, the processing of personal data by the Court will be lawful by virtue of Article 6(1)(c) of the UK GDPR – compliance with a legal obligation. Section 10 of the Data Protection Act 2018 makes additional provision about the processing of criminal conviction data requiring the processing to meet one of the conditions in Parts 1, 2 or 3 of Schedule 1 to the Act. The condition in paragraph 6 in Part 2 of Schedule 1 is that the processing is for a purpose listed in sub-paragraph (2) and is necessary for reasons of substantial public interest. One of the purposes in sub-paragraph (2) is the exercise of a function conferred by an enactment. It is likely this condition will be met in the case of the courts as the function will be conferred on them by the legislation and it is in the public interest to ensure the system of recall can operate properly. The new requirement is considered to be necessary to ensure the effective operation of the recall system. The personal data that will be processed is the minimum required to ensure the effective operation of the system. The criminal conviction data is data which will already be in the public domain; imposing an obligation on the Court to provide the personal and conviction data directly to the Presiding Officer will ensure that the data is accurate, up to date and is processed only to the extent necessary to give effect to the recall system; it is considered that the processing for this specific purpose is reasonable and proportionate.

Duty on the Presiding Officer to notify the CRO

The notice the Presiding Officer will be required to give to the CRO will include processing of personal data and criminal conviction data. As above, it is likely the lawful basis for the processing of the personal data will be article 6(1)(c) of the UK GDPR and for the criminal conviction data, it again will be section 10 of and paragraph 6 of Schedule 1 to the Data Protection Act 2018. As above the new requirement is considered to be necessary to ensure the effective operation of the recall system. The personal and conviction data that will be processed is the minimum required to ensure the effective operation of the system. The criminal conviction data is data which will already be in the public domain; imposing an obligation on the Presiding Officer to provide the same personal and conviction data directly to the CRO will ensure that the data is accurate, up to date and is processed only to the extent necessary to give effect to the recall system; it is considered that the processing for this specific purpose is reasonable and proportionate.

Appointment of lay Members to the SoCC

Whilst it will be for the Senedd Commission to ensure their processes for appointment of lay Members are lawful under data protection law, persons seeking appointment will very likely give their consent to the processing of their data for the purpose of recruitment and appointment. It is possible that the recruitment process may result in the processing of both personal data and special category data. Consent is a lawful basis for processing personal data under Article 6(1)(a) and explicit consent is one of the conditions under which processing of special category data is permitted in Article 9.

Powers of the Commissioner

The Commissioner already has investigation functions, the exercise of which must be compliant with data protection law. The measures in the Bill create a new discretionary investigatory function. The new discretionary power is necessary to ensure the effective operation of the Commissioner’s statutory function in promoting, encouraging and safeguarding high standards of conduct in the public office of Members of the Senedd. The discretionary function is limited by a threshold test (a requirement that the Commissioner must have reasonable grounds for suspecting that there has been misconduct by the Member before investigating) and by a conduct test (that the misconduct is on one of a number of specific grounds), ensuring that the processing of personal data (and any special category and/or criminal conviction data) is limited to that which is necessary, reasonable and proportionate to discharge that discretionary function.

The processing by the Commissioner will include personal data and may include special category data and criminal conviction data. It is likely for personal data the Commissioner can rely on Article 6(1)(e) of the UK GDPR – necessary for the performance of a task in the public interest. The basis for the processing, i.e. the power to investigate will be in law and the purpose of the investigation is to hold elected members to account. For any special category data, reliance may be placed on article 9(2)(g) – that the processing is necessary for reasons of substantial public interest on the basis of domestic law. And finally, for any criminal conviction data, the same condition referred to above is likely to be met i.e. section 10 of and paragraph 6 of Schedule 1 to the Data Protection Act – the processing is in the exercise of a function conferred on the Commissioner – the power to investigate – and is necessary for reasons of substantial public interest.

Data quality and data minimisation

There is no opportunity for function creep in relation to each of the policy proposals because for the duties on the Courts and the Presiding Officer to share data, the purpose of the duty is clearly set out in the Bill’s measures. Similarly, for data collected as part of any Commissioner own initiative investigation, the reason for the use of the data is clearly set out in the legislation that governs the Commissioner’s role and functions (The National Assembly for Wales Commissioner for Standards Measure 2009). This legislation includes measures to ensure the Commissioner and their office maintain confidentiality and the Bill will extend that obligation to data collected through own initiative investigations. This is in addition to obligations under GDPR and data protection legislation. Therefore, the data in the two circumstances set out above will not be used for any other purpose than is set out in the legislation, furthermore the data to be collected will be for the minimal purpose required to support operation of the recall process and for the Commissioner to perform their functions effectively.

For the appointment of lay Members, the data processing is for the specific purpose of the recruitment and selection process and for those appointed for the practical purposes of sharing documentation and attendance at meetings. The data will not be used for any other purpose, and this will be set out in a privacy notice, given the Senedd Commission who will collect and store the data already do this for public appointments and their employees.

Information available for data subjects

The system of recall

For the personal and criminal conviction data of a Member that will be processed by the Courts to the Presiding Officer and from the Presiding Officer to a relevant CRO, Members will be aware of the recall process either through being part of the legislative scrutiny of the Bill (for the current 60 Members of the Senedd) or, for the new 96 Members of the Senedd following the 2026 election, through the induction process for new Members. Whilst it is likely that not all Members, current or future, will be aware of the specific data processing involved in the situation of recall, a Member subject to the specific circumstances of a criminal conviction resulting in an automatic recall process, or of a recommendation by the SoCC, will become aware of the data that is processed, and in any event it will be information that is already in the public domain.

Voters

For voters to be eligible to vote in a recall poll, they will be aware that their data on the electoral register will be used for the purposes of sending them information about how they can vote, as is the case for any other election for their constituency. The Bill does not contain any measures that change the nature of the data processing relating to voter registration.

Applicants and those appointed to be lay Members of the SoCC

For applicants for the role of a lay Member, the Senedd Commission (who will be the data processor on behalf of the SoCC, who will be the data controller) will publish a privacy statement setting out how applicants’ personal and limited special category data will be used and how long their data will be retained before being deleted securely. The privacy statement is likely to be similar to the statement for public appointments available on the Senedd Commission’s website. For those appointed to the role, the Senedd Commission will provide them with an additional privacy statement setting out how their data will be used on an on-going basis and a requisite retention period.

Individuals relating to Commissioner for Standards own initiative investigations

The Commissioner already has a privacy statement in place for Members subject to an investigation, individuals who make complaints and individuals who are asked to provide information to the Commissioner for the purposes of conducting an investigation. Therefore, this can be provided to individuals that the Commissioner may contact to provide information for the purposes of an own initiative investigation. The privacy statement sets out how the Commissioner uses personal and special category data for the purposes of their functions.

Measures to ensure compliance

All the data controllers and processors have robust systems in place for the collection, storage and, where relevant, eventual deletion of data within requisite retention periods.

For the role of lay Members on the SoCC, the Senedd Commission will be the data controller and the lay members will be data processors. Given the nature of the role they will be asked to perform, they are unlikely to already have existing systems in place for the processing of data, including the sharing of documents for meetings they will attend. Therefore, the Senedd Commission will need to provide lay Members with appropriate data sharing agreements and overarching appointment terms and conditions which impose measures for use and storage of the personal and special category data. In addition, they may want to provide training to lay Members on data protection. This will ensure that data is treated securely and destroyed appropriately, etc.

Assessments of risks and mitigations

Risks

Risk 1

A leak of the criminal conviction data relating to a Member of the Senedd when being transferred from the Courts to the POSC or from the POSC to the relevant CRO.

Risk 1 Likelihood of harm

Possible (on the basis that the process of transferring the data may be by secure email, depending on the individual court’s access to a secure transfer system).

Risk 1 Severity of harm

Minimal impact given the information will already be in the public domain.

Overall risk: Low

Risk 2

A leak of the personal data or limited special category data of those applying for and appointed to the role of a lay Member.

Risk 2 Likelihood of harm

Remote (on the basis that there will be control measures in place).

Risk 2 Severity of harm

Minimal impact as much of the personal information will be known given the applicants are likely to be prominent individuals within their professions. However, the limited special category data may be significant given the potential to undermine the individual’s application as the data may reveal an actual or perceived conflict of interest in relation to their support for a political party.

Overall risk: Low

Risk 3

A leak of the personal data or special category data of a Member of the Senedd and individuals who are subject to, or witness to, a Member’s alleged misconduct with regard to a Commissioner own initiative investigation.

Risk 3 Likelihood of harm

Remote (on the basis that there will be control measures in place).

Risk 3 Severity of harm

Significant on the basis of the circumstances in which an investigation by the Commissioner is brought to a close without the need for them to report it to the SoCC and therefore any details of the allegations against the Member or the Commissioner’s conclusions should not be in the public domain. For those investigations where the Commissioner is required to report their conclusions to the SoCC, they publish a report on their website. Therefore, the special category data – the allegations and evidence of misconduct by a Member – is put into the public domain, meaning the risk of a leak is minimal, as it will not be anything that is not already known to the public and potentially the press. As part of the reporting process, the Commissioner anonymises the names of any individuals who have made a complaint or provided information to them relating to a Member’s misconduct. If that information were to be leaked it could be significant for the individual, as the Commissioner’s investigation and the Member’s misconduct may be the subject of press coverage and public interest.

Overall risk: Medium

Risk 4

Connected to risk 3 above: should those circumstances materialise, this could also create the risk of confidence in the Commissioner and their office being undermined.

Risk 4 Likelihood of harm

Remote (on the basis that there will be control measures in place to prevent risk 3 from materialising).

Risk 4 Severity of harm

Significant, as if the circumstances arose it could result in Members of the Senedd, and individuals who are asked to provide information to the Commissioner, not wanting to co-operate with investigations, which would undermine the Commissioner’s ability to carry out their functions. It would also therefore undermine the Commissioner’s ability to uphold the standards expected of a Member of the Senedd.

Overall risk: Medium

Mitigations

Risk 1

Risk 1: Options to reduce or eliminate risk

The data being transferred will be the minimum required to give effect to actions to be completed as part of the recall system, and in any event will be information already in the public domain.

Risk 1: Effect on risk

Eliminated as the information being transferred is already in the public domain.

Residual risk: Low

Measure approved: Yes

Risk 2

Risk 2: Options to reduce or eliminate risk

The Senedd Commission has robust and secure systems in place to collect, process and store the data. They also have a system in place to ensure that data is deleted at the end of requisite retention periods.

Risk 2: Effect on risk

Reduced by only using the data for the purposes of the recruitment and selection process for applicants and only retaining it for a minimal period. For those appointed to the role, the data will only be used for the minimum purposes required to share documentation, arrange attendance at meetings and process remuneration payments.

Residual risk: Low

Measure approved: Yes

Risk 3

Risk 3: Options to reduce or eliminate risk

The Commissioner’s office has robust and secure systems in place to collect, process and store data. They also have retention periods in place and a system to ensure that data is deleted within requisite periods, including a shorter period for investigations resulting in non-substantiated allegations of a Member’s conduct.

Risk 3: Effect on risk

Reduced by only using data for the purposes of an investigation of a Member’s misconduct. The Commissioner already has a process in place to anonymise the details of individuals who have provided information that is referenced in their investigation report.

Residual risk: Low

Measure approved: Yes

Risk 4

Risk 4: Options to reduce or eliminate risk

The measures for risk 3 above will reduce the possibility of this risk materialising.

Risk 4: Effect on risk

Reduced as a result of measures to reduce the possibility of risk 3 above materialising.

Residual risk: Low

Measure approved: Yes