Natural Resources Wales (NRW) is committed to protecting your privacy when you use our services.
This Privacy Notice explains how we use information about you and how we protect your privacy. It also describes the rights you have as to how we handle your personal data.
We comply with all aspects of the UK’s data protection legislative framework, which includes the UK General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications (EC Directive) Regulations (“PECR”) and the Data Protection Act, as amended and updated from time to time (the “Relevant Legislation”).
We are a Data Controller as we determine the purposes and means of the processing of personal information. Our ICO (Information Commissioner’s Office) registration number is Z356493.
We have a Data Protection Officer who makes sure we respect your rights and follow the law. If you have any concerns or questions about how we look after your personal information, please contact the Data Protection Officer at firstname.lastname@example.org or by calling 03000 065 3000 and asking to speak to the Data Protection Officer.
We carry out a wide range of different services, from regulation, to flood warning to providing advice. Each service has its own specific privacy notice detailing who we may share your information with and why. Each service related privacy notice explains the legal reason that provides the basis for handling your personal data.
Do you know what personal data is?
Personal data can be anything that identifies and relates to a living person. This can include information that, when put together with other information, can then identify a person. For example, this could be your name and contact details.
Did you know that some of your personal data might be ‘special’ or ‘sensitive’?
Some personal data is ‘special’ or ‘sensitive’ which means that it needs more protection. It’s often information you would not want widely known and is very personal to you. This is likely to include anything that can reveal your:
- Sexuality and sexual health
- Religious or philosophical beliefs
- Physical or mental health
- Trade union membership
- Political opinion
- Genetic/biometric data
- Criminal history
Whose Personal Data Do We Handle?
NRW will process personal data relating to a wide variety of individuals including the following:
- Staff, contractors, consultants and advisers of NRW including volunteers, agents, temporary and casual workers, suppliers and students
- Individuals who purchase any of our products
- Individuals who use any of our services
- Individuals voluntarily passing information to NRW or requesting information, eg complainants
- Former and potential members of staff and beneficiaries
- Individuals identified in the course of our investigations or regulatory enquiries and activities
- External stakeholders and partners
- Individuals captured by CCTV images
What Types of Personal Data Do We Handle?
NRW may process personal data relating to or consisting of the following:
- Personal details such as name, address, contact details and biographical details
- Lifestyle and social circumstances
- Financial details
- Skill and interests
- Employment details, education and training details
- Goods or services provided
- CCTV images
- Licenses or permits held
- Information relating to health and safety
- Details of any enquiry submitted to us
- Details of any complaint, claim, incident, civil litigation and/or accident
Why do we need your personal data?
We may need to use some information about you to:
- Carry out our regulatory and statutory duties
- Manage our land
- Respond to environmental incidents
- Investigate complaints, provide advice and information
- Send promotional communications about the services we
- Help a wide range of people use the environment as a learning resource
- Collaborate with the public, private and voluntary sectors to improve our natural environment
- Gather evidence, monitor our environment, commission and undertake research, develop our knowledge, and as a public records body
- Employ staff, as well as support other employment through contract work, staff administration, occupational health and welfare
- Manage public relations, journalism, advertising and media
- Manage finance and contracts
- Internally review, account and audit
- Manage property and estates, including the procurement, lease and sales of assets
- Manage vehicles and transport
- Manage information technology systems
- Provide legal services
- Licensing and registration
- Conduct research, including surveys and consultations
- Manage health and safety and security
- Manage events and for marketing
- Prevent and/or detect crime (including matters of national security)
- Conduct any legal duty or responsibility of NRW
- To assist in the collection and management of Landfill Disposals Tax
Who do we share personal data with?
NRW may disclose personal data to a variety of recipients, including those from whom personal data is obtained.
Sometimes we have a legal duty to provide personal data to other organisations or individuals when required or permitted to do so by, or under, any act of legislation, by any rule of law, and by court order. We may also disclose personal data for the purpose of, and in connection with, any legal proceedings or for obtaining legal advice.
We use a range of organisations to either store personal data or help deliver our services to you. Where we have these arrangements, there is always an agreement in place to make sure that the organisation complies with their legal requirements.
If required, we will complete a privacy impact assessment (PIA) before we share personal data with other organisations, to make sure we protect your privacy and comply with the law.
Where do we obtain and share personal data from?
NRW may obtain personal data from a wide variety of sources, including but not limited to the following:
- Central government, governmental agencies and departments
- Law enforcement and security agencies and bodies
- HM Revenue and Customs
- Licensing authorities
- Legal representatives
- Prosecuting authorities
- Private sector organisations working with the police in anti-crime strategies
- Voluntary sector organisations
- Individuals themselves, relatives, guardians or other persons associated with the individual
- Current, past or prospective employers of the individual
- Healthcare, social and welfare advisers or practitioners
- Education, training establishments and examining bodies
- Business associates and other professional advisors
- Employees and agents of NRW
- Suppliers, providers of goods or services
- Financial organisations and advisors
- Credit reference agencies
- Survey and research organisations
- Trade, employer associations and professional bodies
- Local government
- Voluntary and charitable organisations
- Ombudsmen and regulatory authorities
- The media; social media
- Data Processors working on behalf of NRW.
- Our Website and Apps
- Telephone calls received, texts, writing by post or email, or communicating via online channels, such as social media
- Health and Safety Executive
- The National Fraud Initiative - see below
- The Cabinet Office
- IT providers
- Bodies or individuals working on our behalf (e.g. Engineering and IT contractors, legal advisors, or survey organisations, etc.)
- Law enforcement and security agencies
- Welsh Revenue Authority
National Fraud Initiative
As a public body, we are required to protect public funds and therefore we may use your personal information in connection with the prevention, detection and investigation of fraud. This may include sharing personal information with other bodies responsible for auditing, and/or administering public funds in order to prevent and detect fraud.
As part of our fraud prevention and detection activities, we participate in the National Fraud Initiative ("NFI") which is a part of the Cabinet Office's work to help counter fraud across government by identifying and reducing losses. This includes sharing some personal data relating to our employees and suppliers.
Data matching exercises involve comparing sets of data, such as the payroll and supplier details (including personal data), of one body against other records held by the same or another body to see how far they match. This allows potentially fraudulent claims and payments to be identified. Where a match is found, it may indicate that there is an inconsistency that requires further investigation by the relevant participating body; it is not necessarily evidence of fraud. No assumptions can be made as to whether there is fraud, error or other explanation until an investigation is carried out. Where no match is found, the data matching powers will have no material effect on those concerned.
The data we provide to the Auditor General for Wales will be the minimum needed to undertake the matching exercise, to enable individuals to be identified accurately and to report results of sufficient quality. The personal data that the Auditor General for Wales requires can be found on the Audit Wales website.
As a participating body we are required to provide the personal data in accordance with the provisions of data protection legislation. The legal basis for us sharing your personal data with the Auditor General for Wales are that it is necessary for the performance of a task carried out in the public interest. The data protection legislation does not require us to obtain the consent of the individuals concerned.
The data matching exercises and the use of personal data by the Auditor General for Wales is undertaken pursuant statutory authority under Part 3A of the Public Audit (Wales) Act 2004 and data protection legislation does not require the consent of the individual concerned for processing of personal data for this reason.
As a participating body, in addition to complying with data protection laws, we must also have regard to the Auditor General’s Code of Data Matching Practice, which is available on the Audit Office Wales website. This also provides more information as to the Auditor General for Wales' powers as well as how personal data is used in a secure way.
The Auditor General for Wales's Privacy Notice tells you about how your personal information is processed in connection with the Auditor General for Wales' data matching exercises. It also sets out your rights under data protection legislation. This is available on the Audit Office Wales website at this is available on the Audit Office Wales' website.
Personal data will not be held for longer than is necessary and data retention will be in accordance with the data deletion schedule published on the Cabinet Office's website.
If you have a concern about the way that the Auditor General deals with personal data you can raise it with the Wales Audit Office Data Protection Officer by emailing email@example.com or by writing to:
Wales Audit Office,
24 Cathedral Road,
or phoning 029 2032 0500.
You may also raise such concerns with the Information Commissioner (see below for further details).
How the law allows us to use your personal data
There are a number of legal reasons why we may need to collect and use your personal data. We are only allowed to collect and use personal data where:
- You have given consent
- You have entered into a contract with us
- It is necessary to perform our statutory duties
- It is necessary to protect someone in an emergency
- It is required by law
- It is necessary for employment purposes
- It is necessary to deliver the services we provide
- It is necessary for legal cases
- It is necessary to protect public health or the environment
- It is necessary for archiving, research, or statistical purposes
We only use what we need
We will only collect and use personal data if we need it to deliver a service or meet a legal requirement.
If we don’t need personal data, we’ll either not record it or we won’t ask you for it. For example, in a survey, we may not need your contact details, so we’ll only collect your survey responses.
If we use your data for research and analysis, we’ll always keep you anonymous or use a different name unless you’ve agreed that your personal data can be used for that research.
We don’t sell your personal data to anyone else
GDPR gives you a number of rights to be informed about the personal data that we receive and use. Please see individuals rights.
How do we protect your personal data?
NRW takes the security of all personal data under our control very seriously. We will take reasonable steps to comply with our legal obligations. We will ensure that appropriate policy, training, technical and procedural measures are in place to protect our manual and electronic information systems from data loss and misuse. These measures can include:
- Encryption, meaning that information is hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or what’s called a ‘cypher’. The hidden information is said to then be ‘encrypted’
- Pseudonymisation, meaning that we’ll use a different name so we can hide parts of your personal data from view. This means that someone outside of NRW could work on your information for us without ever knowing it was yours
- Controlling access to systems and networks to stop people who are not allowed to view your personal data from getting access to it
- Training our staff to make them aware of how to handle personal data and how and when to report when something goes wrong
- Regular testing of our technology and ways of working including keeping up to date on the latest security updates
How long do we keep your personal data?
NRW keeps personal data as long as is necessary for the particular purpose or purposes for which it is held. Our information is held in accordance with our Retention, Review and Disposal schedule.
How to make a complaint
If you are unhappy with the way in which your personal data has been processed you may in the first instance contact NRW’s Data Protection Officer using the contact details above.
If you remain dissatisfied, then you have the right to apply directly to the Information Commissioner for a decision.
Information Commissioner’s Office,