Human Resources privacy notice
How we handle personal data at the Welsh Revenue Authority (WRA) for human resources (HR) activities related to recruitment and employment.
This notice informs you about how we collect and use your personal information:
- when you apply for a job
- while you work with us
- after you leave us
As an employer and data controller, we have legal and contractual obligations. This means we need to process your personal data for a variety of HR activities related to your employment.
A data controller is someone who, on their own or jointly with others, decides what and how your personal data is used. We’re responsible for all personal data we hold and use for HR purposes. If you have any queries about how your personal data is used, please contact us.
We’ll process your personal data in line with data protection law, including the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA).
Why we collect and use your personal data
We use your personal data to support the following.
During recruitment, we’ll use it to ensure:
- procedures are fair and open
- employees are appointed based on merit
While you’re an employee with us, we’ll use it to:
- carry out tasks related to your employment, such as:
  - contacting you
  - updating your records
  - adhering to security vetting
  - monitoring attendance and leave including sickness
- consider requests for special leave
- comply with the terms of your contract, including:
  - paying your salary
  - contributing to your pension
  - providing benefits, including advances, travel and subsistence and allowances
  - ensuring all statutory and voluntary deductions are made
- enable you to access information about your pay through electronic payslips
- support you and make any reasonable adjustments
- comply with health and safety and provide an inclusive and safe working environment
- comply with all policies and procedures in place
- enable the HR system to be maintained, including finding and fixing system errors, and testing
- provide training and development opportunities
- publish anonymised workforce demographic data relating to equality
- enable us to fulfil any other legitimate requirement related to your contract of employment
If you leave us, we’ll still use it to:
- liaise with pension providers to contribute to pensions
- pay death in service benefits and survivor pensions to dependents
Access to IT equipment
While you’re an employee, we’ll ask for your consent to store your biometric data (such as your fingerprint or facial recognition) on your WRA-issued IT equipment for use as a secure method of access.
Using biometric data means you do not have to sign in with your email address and a password each time. Your biometric data provides secure identity verification.
If you consent to this use of your biometric data, your details will be encrypted and stored securely on your WRA device.
When you return your IT equipment, we’ll wipe your biometric data as part of cleansing the equipment ready for the next user.
Some of the applications or software we use, for example Trello for project management, may store your personal data outside the UK. Where this is the case, we will ensure that only the minimum amount of personal data is shared. We’ll also use internationally agreed standard contract terms to ensure your personal data is kept secure, as required by the data protection legislation.
Personal information we collect
We hold both personal data and sensitive personal data.
Personal details, such as:
- title, name and address
- date of birth
- contact details
- marital status
- emergency contact
Education and employment information, such as:
- employment history (last 3 years)
- National Insurance Number
- employee contracts and loan agreements
- office location
- start date
- job role
- department and line manager
- Civil Service profession
- membership of professional bodies
Financial information, including:
- bank details (for payroll and travel and subsistence claims)
- payroll records
- pay band and salary
- tax status
- pension information
Proof of identity, such as:
- birth certificate
- work permit
Security information, including:
- vetting information (identity, nationality, and immigration status)
- criminal records (unspent convictions)
- employee photograph for security pass
- employee biometric data (fingerprint or facial recognition) with your consent
Health and safety information, such as:
- health declaration checks
- any medical impairments, including those that may constitute a disability under the Equality Act 2010
We may also need information about you and other people you know to fulfil and comply with the contract of employment. This information may relate to:
- pay and pensions
- special leave on compassionate grounds
- disciplinary and grievances
- accident reporting
- occupational health provision
- business continuity and emergencies
- internal recruitment
You will be invited to undertake an online Display Screen Equipment risk assessment. This service is currently provided by Awaken Ltd (the Welsh Government’s supplier), but this may change to another contractor at a future date. Strict controls are placed on who can see your personal data, which is held securely in UK data centres.
See Annex A for more details we may record during employment.
Sharing your data
Sometimes by law or by your contract of employment, we may need to share your personal data with other organisations.
We will only do this if there’s a clear legal basis for sharing. We’ll only share the minimum data needed for the required purpose.
Organisations we may share your data with include:
- Welsh Government (such as for processing pay, pension, and for security)
- CGI IT UK Ltd (payroll provider)
- myCSP (Civil Service pension provider)
- security vetting agencies
- trade union
- occupational health providers
- training providers (your name and corporate email address for contact)
How long we’ll use your information
We’ll keep your data for as long as we need to carry out our duty as an employer.
Our retention policy sets out how long we’ll keep personal data for and specifies retention periods we follow.
Protecting your information
Any personal information we collect about you will be collected, stored, and transmitted securely.
We’ll only share information about you with others where:
- it’s lawful to do so
- required for an identified purpose
Providing your personal information
Mostly, you’ll need to supply personal data, by law or by your contract of employment, for us to carry out our duty as an employer. For example, we need to provide your data to HMRC for National Insurance purposes.
If you refuse to provide accurate information, you may no longer be able to work for us.
If we need your consent to process some of your personal data, or your biometric data (fingerprint or facial recognition), we’ll tell you:
- why we’re processing it
- what we will do with it
- how long we will keep it for
We’ll ensure that consent obtained is explicit, freely given and informed. You can withdraw your consent at any time.
UK GDPR lists certain rights that you have concerning your data.
You have the right to:
- request access to your own personal data
- request us to correct incomplete or inaccurate information we hold about you
- request we delete or remove your personal information
- withdraw your consent for any data processed about you
- restrict processing of your personal information
- object to processing of your personal information
- request an electronic copy of your data in a structured, easily readable, and transferrable format
Not all of these rights will be available all of the time, for example, if we need to process your personal data by law. If so, you may not be able to request that we delete or remove your personal data.
For any questions about this notice or your rights, please contact our Data Protection Officer. If you’re unhappy with the way we manage your personal data, please let us know in the first instance by writing to the Data Protection Officer.
Data Protection Officer
Welsh Revenue Authority
PO Box 108
Rydym yn croesawu gohebiaeth yn Gymraeg / We welcome correspondence in Welsh.
You can also complain directly to the Information Commissioner’s Office (ICO). The ICO is the UK supervisory authority for data protection issues.
Information Commissioner’s Office Wales
17 Churchill Way
Telephone: 029 2067 8400 / 0303 123 1113
Changes to this privacy notice
Any changes to this privacy notice, for example any new uses of personal data, will be published on this page and communicated through our internal communications channels.
From time to time, we may also contact you through other means about the processing of your personal data.
Annex A: Other information we may record during employment
Pay related information and personal payroll history, including:
- record of pay
- salary advances
- maternity, paternity, adoptive, shared parental pay record
- statutory sick pay records
- pay enhancements
- performance related pay
- overtime pay
- payment for untaken leave
- reduced or no pay
- any refund of PCSPS contributions
- specialist and temporary allowances
- voluntary deductions (including trade union subscriptions, student loan repayments or charitable giving)
- withholding an increment
- over-payment documentation
- advances of pay and loans
- variable payments
- bankruptcy and insolvency
- additional voluntary contributions
- salary sacrifice
- student loan information
- County Court Judgements
- attachment of earnings information
- travel and subsistence claims and related information
- name and address of dependents
- death in service beneficiaries and their relationship to the employee
Leave information, including:
- annual leave records
- unpaid leave periods
- maternity, fostering, adoption, parental and shared parental leave
- confirmation of adoption placement
- career breaks
- special leave
Working pattern information, including:
- home working, compressed hours, term-time/part-time working, job-sharing
- variation of hours – calculation formula for the individual
- working time directive opt-out forms
Car parking details, including:
- vehicle registration number
- information about blue badge holders
Health and medical information, including:
- sickness records, medical certificates, fit notes
- occupational health and medical information
- DSE assessments and workplace adjustments
- workplace adjustments
- maternity information (maternity records, certificates (Mat B1 form, or other medical evidence))
- personal certificates (death certificates, gender recognition certificate)
Continued assessment of employment information, including:
- attendance (including Return to Work interview records)
- probation status
- annual appraisals
- performance management reviews
- underperformance documentation
- performance improvement plans
- training and learning and development records
- Welsh language skills
- employment history (job roles, secondee or loan appointments)
Conduct information, including:
- investigations into disciplinary issues
- disciplinary discussions and decisions
- disciplinary records of penalties and sanctions
- action taken, including:
  - informal and formal warnings
  - monitoring periods
  - other sanctions
Leaving information, including:
- termination documents
- voluntary or compulsory exit or redundancy details
- calculations of payments and refunds
- employee feedback from exit interviews
Pension retirement information and documents, including:
- death in service
- ill health retirement
- additional voluntary contributions
- partnership pensions
Business information, including:
- business directory and business cards
- business appointment rules, applications, and outcomes
- contact details for:
  - members of the Business Continuity Command Centre contact group
  - Business Continuity Coordinators, shared with Welsh Government to provide emergency updates, such as office closures
  - Emergency Text Messaging Service system
- records of:
  - gifts and hospitality offered and received
  - actual and potential conflicts of interest
  - Public Appointments
  - whistleblowing allegations and outcomes
- use of computers, including:
  - using system and human monitoring of inbound and outbound emails to prevent accidental disclosure of personal information or Protected Taxpayers Information (PTI) and to protect our systems from attacks
  - using alerts and blocks on outbound emails containing specific trigger information, for example, National Insurance numbers, PTI, financial information