Who we are

Qualifications Wales is a ‘data controller’ as defined by Article 4(7) of the General Data Protection Regulation (GDPR). This means that we have a duty of care towards the personal data that we collect and use.

We have an appointed Data Protection Officer, and their contact details are:

QW Data Protection Officer

Qualifications Wales

Q2 Building, Pencarn Lane

Imperial Park

CoedKernew

Newprt

NP10 8AR

01633 373222

Informationgovernance@qualifications.wales

What data do we collect?

In order to perform our statutory function as a regulator, we need to collect and use your personal data and sometimes your special category personal data. 

We collect the following personal data:

  • personal identifiers – this may include your name, date of birth, national insurance number, unique pupil number, organisation name and job title
  • contact details – this may include your home or work address, phone number and email address
  • characteristics – for example your age and language preferences.
  • qualifications taken, subjects taught and education provider
  • employment details
  • special category data – this may include your race, ethnic origin, trade union membership, religious beliefs, health data and sexual orientation
  • photos
  • videos

We may also collect your views on aspects of qualifications and the qualifications system in Wales.  

There may be instances where we will anonymise your data. For example, in a survey we may not need your contact details. In which case, we'll only collect your survey responses.

How do we collect your data and what do we use it for?

We collect your personal data through the following processes:

  • collection of learner data from awarding bodies and other public bodies for research and statistical purposes and to perform our function as a regulator
  • engagement, research and consultation with you as a stakeholder
  • when you register to attend a stakeholder event
  • when you contact us with an enquiry, complaint, subject access request, EPRS application or freedom of information request;
  • when you apply for a job with us or if you are a current or former employee
  • when applying for recognition as an awarding body
  • when you visit our website
  • when you subscribe to one of our mailing lists
  • when visiting our office
  • when entering a contract for goods or services with us

We collect this data so that we can:

  • perform our function as a regulator
  • ensure that qualifications, and the Welsh qualification system, are effective for meeting the reasonable needs of learners in Wales
  • promote public confidence in qualifications and in the Welsh qualifications system
  • respond to general enquiries
  • investigate complaints or concerns raised by you or other individuals
  • keep stakeholders updated on the work of Qualifications Wales.

Who has access to your personal data?

We may hold your personal data on databases and systems so that we can provide information to you, and easily identify you if you contact us. Access to your personal data is strictly restricted and officers of Qualifications Wales may only access your personal data if they need it for a task they are working on and are authorised to do so.

Who do we share your personal data with?

Third party processors

In order to support our regulatory work, we sometimes use third party organisations. These organisations will sometimes need access to your personal data in order to complete their work. If we do use a third-party organisation, we will always have an agreement in place to ensure that your data is kept secure.

Other organisations

Sometimes we have to pass your data to other organisations. This could be because it is necessary to perform our public task as a regulator, there is a legal requirement, or because a court orders us to do so. For example, we may need to share information with the police to help prevent or detect a crime. We may not have to tell you if we do share with other organisations in this way.

Statutory functions

Our internal auditors, data protection officer, and external auditors may also have access to your personal data in order to complete their work. We will only share personal data with another organisation if we have a lawful basis to do so, and we will always keep records of when your data has been disclosed to another organisation.

There are various legal reasons for us to collect and use your personal data. 

Our main lawful basis for collecting and using your personal data is to enable us to fulfil our public task as the regulator for the qualifications system in Wales and to exercise our official functions under the Qualifications Wales Act 2015 under Article 6(1)(e) GDPR.

Where you give us clear consent to process your personal data for a specific purpose our lawful basis will be consent under Article 6(1)(a) GDPR.   

Where processing is necessary to comply with our legal obligations, our lawful basis will be Article 6(1)(c).

Where we are collecting and processing data using other legal powers, we will let you know.

When collecting and processing special category data we use the legal basis of explicit consent to process this information.  Providing this data is optional.

How long do we keep your personal data for?

We will only keep your personal data for as long as it is needed for the purpose it was collected, or for as long as is required by legislation, and will destroy it when we no longer need to retain it for those purposes. There are different retention periods for different types of information.

Do we transfer your data outside of the UK?

Usually, the information that we hold is held within the UK. However, some information may be held on computer servers which are outside of the UK. In these cases, we will take all reasonable steps to make sure your data is not processed in a country that the UK government does not consider to be ‘safe’. If we do need to send your data out of the UK, we will ensure it has extra protection from loss or unauthorised access. 

What are your data protection rights?

Subject to some legal exceptions, you have the right to:

  • request a copy of the personal information Qualifications Wales holds about you;
  • have any inaccuracies corrected;
  • have your personal data erased;
  • place a restriction on our processing of your data; and
    object to processing. 

You can find out more about your rights by visiting the ICO website here: Your data protection rights | ICO

How can you complain about the way in which we have handled your personal data?

If you have concerns about the way in which we have handled your personal data, then please contact our data protection officer:  

QW Data Protection Officer

Qualifications Wales

Q2 Building, Pencarn Lane

Imperial Park

CoedKernew

Newprt

NP10 8AR

01633 373222

informationgovernance@qualifications.wales

 

You can also complain to the Information Commissioner’s Office (the data protection regulator) about the way in which we have handled your personal data:

Information Commissioners Office

2nd Floor

Churchill House

Churchill Way

Cardiff

CF10 2HH

0330 414 6421

wales@ico.org.uk

Freedom of Information

As a public body, all written information that we hold is subject to Freedom of Information requests.  We will comply with the Data Protection Act 2018 and UK GDPR when considering requests made under the Freedom of Information Act. 

Service Specific Privacy Information

Access Arrangements Research [Phase 1]

As part of this activity, Qualifications Wales will be processing information about you which may include your name, job title, contact details, and the additional learning needs of learners participating in the research, together with your views, for the purpose of improving our understanding of the access arrangements system. 
  
The information gathered during phase one will be used to improve our understanding of the access arrangements system and to inform future approaches.  It may also be used during phase two, when we explore the extent to which access arrangements are fair and manageable, and to produce and publish research reports. 

The lawful basis for processing this information is consent under Article 6(1)(a) of the UK General Data Protection Regulation (GDPR).  The separate condition for processing special category data is explicit consent under Article 9(2)(a). 
 
Qualifications Wales will be the data controller and a data processor of the personal information provided.  Appen, a third-party transcription company, commissioned by Qualifications Wales will transcribe the recorded interviews and will be a data processor of any personal information provided to them by Qualifications Wales.   

We only keep your personal data for as long as it is needed for the purpose it was collected for, or for as long as is required by legislation, and will destroy it when we no longer need to retain it for those purposes.   Personal information collected as part of this research will be kept securely for the duration of the project and will then be destroyed.

CCTV and Visitors to the Office 

Qualifications Wales is the data controller of our CCVT footage and attendance records. 

We monitor our car park using CCTV under the legal basis of processing for legitimate interests, Article 6(1)(f) GDPR.  The legitimate interests being for the purposes of crime prevention and evidential purposes, and the safety of our staff and visitors. 

The footage is held securely and will only be accessible to Facilities staff and our CCTV contractor.  It will be retained for 31 days and then destroyed if not required for evidential purposes.
  
Contractors and visitors to the office will be asked to sign in at reception and log their attendance times.  This is to comply with our legal obligations under the Health and Safety at Work Act and any public health requirements that may be in place.  In the case of contractors, information is also retained for contract records.  
Visitor information will be retained for 60 days, and contractor information will be kept for one year. 

Complaints, EPRS and Whistleblowing 

When investigating complaints about us, cases of whistleblowing, regulatory incidents and EPRS it may be necessary for Qualifications Wales to process personal information.  

We may process personal data to:
• investigate complaints made about awarding bodies regulated by Qualifications Wales;
• investigate complaints made about us;
• investigate whistleblowing cases brought to our attention;
• consider applications made to use for the Exam Procedure Review Service; and
• monitor how awarding bodies manage evets that could have an adverse effect in Wales. 

Qualifications Wales is the controller of this data and special category data will only be processed if there is a legal basis to do so.  Any personal data collected to investigate complaints, EPRS and whistleblowing will be retained for five years and then reviewed for disposal.  

Access to this information may be given to independent reviewers contracted by us to review cases.  In some cases, it may be necessary to share information with other UK regulators or our appointed lawyers.
 
Cookies

Cookies are files saved on your phone, tablet or computer when you visit a website.

We use cookies to store information about how you use this website, such as the pages you visit. Cookies may store user preferences and other information.  You can configure your browser to refuse all cookies or to indicate when a cookie is being sent.  However, some website features or services may not function properly without cookies.
We may use the following on our site:

• cookies that measure website use
• cookies that help with communications and marketing
• cookies that remember your settings
• other strictly necessary cookies

The lawful basis we rely on to process your personal data is either consent under Article 6(1)(a) or legitimate interests under Article 6(1)(f) whereby the legitimate interest is the maintenance and integrity of our ICT systems.

Developing effective practice guidelines on how to deal with assessed work completed in Welsh where qualifications are not offered bilingually.

As part of this activity, Qualifications Wales will be processing information for the purpose of gathering examples of effective practice on how to deal with assessed work completed in Welsh where qualifications are not offered bilingually. The information gathered will be used to produce and publish guidance for awarding bodies.

The lawful basis for processing this information is to enable Qualifications Wales to fulfil its public task as the regulator for the qualifications system in Wales, under Qualifications Wales Act 2015, Article 6(1)(e) GDPR.

Qualifications Wales will be the ‘data controller’ of the personal information provided.  Iaith, a third-party independent research company, commissioned by Qualifications Wales will be conducting the research on our behalf.  Iaith will be a ‘data processor’ of the personal information provided. 

Personal information collected as part of this project will be kept securely for the duration of the project and will then be destroyed. 

Engagement HQ

In order to register on our consultation platform - we will collect certain personal information from you. This includes your name, email address and your language preferences together with information that will help us understand what types of stakeholders we have reached through our engagement.

We may use your email address and language preferences to send you mailings about stakeholder engagement that may be of interest to you. There will be an option to unsubscribe from these mailings. We may also use your email to contact you about your responses.

The content you create as part of your interactions on this platform can include responses to public consultations, surveys, quick polls, comments and discussions forums. This will be retained along with your identifiable registration information.

Responses to consultations and surveys will be retained according to our retention schedule. 

The providers of the platform - Engagement HQ (Granicus) - act as Processors for Qualifications Wales.  Qualifications Wales is the Controller of the personal information contained within the platform.
Our lawful basis for processing your personal data is consent under Article 6(1)(a) GDPR and public task under Article 6(1)(e).

Events 

We may use third party ticketing and webinar platforms to manage events e.g. Eventbrite.  Personal information collected for events may include participant details, participation records and Welsh language preferences etc.  This information will be exported from third party websites and held securely on our systems.   Qualifications Wales will be the controller of personal information provided for our events.  
Third party systems may also act as a data controller for some personal information submitted by its users e.g. if you are registering for their site.  Please also refer to the privacy notices of these websites when registering.

We may take photos and videos at events for use on our website and social media channels.  These may include participants at events.  We will ask permission before recording the image of a person in a way that could identify them.  Please notify the event organiser at the beginning of the event if you do not wish to be included.  

Inclusivity in international assessment systems

The intention of this research is to explore how international jurisdictions design/embed inclusivity into their assessment/qualification system.

Information which identifies individuals, such as organisation name, job title, participants name and contact details, will be collected during these interviews.

Alpha Plus will be acting as a processor on behalf of Qualifications Wales and will be retaining the personal data. Qualifications Wales will not have access to personal data. Alpha Plus will securely keep your personal data for twelve months and then destroyed. 
Our lawful basis for processing your personal data is consent under Article 6(1)(a) GDPR.

Learner Data

As the regulator of awarding bodies and qualifications in Wales, we will request learner data from awarding bodies, Welsh Government and other public bodies which may identify individuals. Such data collections may include special category such as a learner's ethnicity or data about a learner's health where this may be linked to special considerations. 

Our purposes for requiring the data are:
• to carry out our monitoring and audit functions
• to publish statistics about the qualifications system 
• to carry out evidence-based research
• to investigate particular issues reported to us

This information will be processed under Article 6(1)(e) GDPR to enable us to fulfil our public task as the regulator for the qualifications system in Wales and in order to exercise our official functions under the Qualifications Wales Act 2015.

No data identifying individual learners will be published.
The data will be retained for 15 years to enable trends to be analysed. After this point it will usually be destroyed. 

We may share data with third parties to undertake research and analysis on our behalf. All third parties processing personal data on our behalf are required under contract to abide by the GDPR.

As producers of official statistics, we comply with the Code of Practice for Statistics in the production of statistics.

Newsletters and Mailings

It is essential that key stakeholders remain updated about the work of Qualifications Wales and our monthly newsletter will automatically be sent to all primary contacts at awarding bodies, schools and colleges.  Primary contacts include responsible officers, heads of schools and colleges, FE college principals, exam officers and the regional consortia.  These contacts will automatically receive mailings.  If you would like to update the primary contact details, please contact us.
By subscribing to our newsletter or any mailing lists you are consenting to us retaining your personal identifiers and contact details for the purposes of sending you the newsletter or mailing list to which you have subscribed.  Our lawful basis for processing your personal information is consent under Article 6(1)(a) GDPR.

Your personal data will be processed in accordance with the Corporate Privacy notice, and you may unsubscribe from your mailing list at any time by clicking ‘unsubscribe’ at the bottom of the mailing. 

Procurement and Contractors 

Qualifications Wales will be the controller of personal information you provide to us as part of the procurement process. 

This information will be processed under the legal basis that it is necessary in order to take steps at your request with a view to entering into a contract for goods and services, Article 6(1)(b) GDPR.  
Should you be successful in your application, we will retain your personal information for the length of our contract with you and thereafter according to our retention schedule. 

We may transfer your details to third parties processing data on our behalf where it is necessary to facilitate payment, to fulfil the contract or for analysis of third-party expenditure data.  
All third parties processing personal data on a client’s behalf are required under contract to abide by the GDPR.  

We publish a contract register on our website of all awarded contracts and this includes supplier name, contract name, contract commencement and expiry dates, and the total value of the contract (where appropriate). 

We will hold information about unsuccessful applicants for three years following the financial year in which the contract was awarded, it will then be destroyed.  

Research into adaptations to assessment arrangements in summer 2022
Information which identifies individuals (teacher’s names, contact details, job role, and subjects taught, or learner names and qualifications taken) will be collected during these interviews and focus groups. This is necessary for us to collect information from stakeholders about their views on the adaptations to assessment arrangements in summer 2022.

ORS (a third-party UK-based research company) will be carrying out the research on behalf of Qualifications Wales. Qualifications Wales will be the data controller of any personal data submitted.

Your personal information will be kept securely for twelve months and will then be destroyed. We will then retain your responses without identifying information according to our retention schedule.
Our lawful basis for processing your personal data is consent under Article 6(1)(a).

Recognition Process

Qualifications Wales will be the controller of any personal information you provide to us through the awarding body recognition process. 
This information will be collected for the purposes of determining an awarding body application for recognition and may be used in monitoring any future compliance with our 'Standard Conditions of Recognition'.
Should you be successful in your application, we will retain your personal information for as long as you remain a recognised awarding body and thereafter according to our retention schedule. Where applicants are successful, we will hold your personal information for twelve months after the application procedure has been completed, it will then be securely destroyed.

Your personal information may be shared between UK regulators for the following reasons:
• you have already been recognised by another UK regulator
• you have applied to other UK regulators at the same time
• you have been previously unsuccessful in applying for recognition with other UK regulators

Recruitment

If you apply for a job with us, we will only hold information relating to your application for as long as necessary. If you are unsuccessful, we will hold any personal data provided by you (or others) for one year after which time it will be securely deleted.

We will process your personal data during your application process for the purpose of complying with legal obligations, Article 6(1)(c) GDPR, and taking steps with a view to entering into an employment contract with you, Article 6(1)(b) GDPR. This includes:
• to assess your suitability for the role you are applying for
• to take steps to enter into a contract with you
• to check that you are eligible to work in the UK
• to ensure that we are fulfilling our obligations under the public sector equality duty 

We will not share information gathered during your application process with third parties, other than:
• Welsh Government approved vetting agencies carrying our pre-employment checks on our behalf
• external panel members who may be part of a recruitment process
• Audit Wales in connection with its audit work

Stakeholder confidence in qualifications and qualifications system

Information which identifies individuals, such as organisation name, job title, participants name and contact details, will be collected during these interviews.

There will be a dedicated stage of this research exploring EDI (equality, diversity, inclusion). In the case of parent interviews, special category data will be collected including ethnicity, sexual orientation, religious beliefs.

Beaufort Research (A UK-based research company) will be acting as a processor on behalf of Qualifications Wales and will be retaining the personal data. Qualifications Wales will be the data controller of any personal data submitted. Your personal data will be kept securely for twelve months and then destroyed.

Our lawful basis for processing your personal data is consent under Article 6(1)(a) GDPR.

Wider Offer – Learner Engagement

As part of this learner engagement activity, we will keep some information on your consent forms that identifies you, such as your name, age, the name of your school, college or education provider and the name of your parent/carer. This is necessary for us to keep appropriate records of your consent to take part in the activity. Your personal information will be kept securely for twelve months. After this time, it will be destroyed.

Our lawful basis for processing your personal data is consent under Article 6(1)(a).