Introduction

We are committed to ensuring that your personal data is secure.

To prevent unauthorised access or disclosure, we have put in place appropriate technical, physical and managerial procedures to safeguard and secure the information we collect about you. 

We have third party assurance of our information security systems via the Cyber Essentials Plus certification.

Your personal data

We will only process your personal data when there is a legal basis to do so under the UK GDPR and UK Data Protection Act 2018.

We may collect personal data about you through the following processes:

  • through collections of learner data from awarding bodies and other public bodies for research and statistical purposes and to perform our function as a regulator
  • through engagement, research and consultation with you as a stakeholder
  • when you register to attend a stakeholder event
  • when you contact us with an enquiry, complaint or other request
  • when you apply for a job with us or if you are a current or former employee
  • when applying for recognition as an awarding body
  • when you visit our website
  • when you subscribe to one of our mailing lists
  • when visiting our office
  • when entering into a contract for goods or services with us

Data handling

We may hold your personal data on databases and systems so that we can provide information to you, and easily identify you if you contact us. Access to your personal data is strictly restricted and Qualifications Wales staff may only access your personal data if they need it for a task they are working on and are authorised to do so.

In order to support our regulatory work we sometimes use third party organisations. These organisations will sometimes need access to your personal data in order to complete their work. If we do use a third party organisation, we will always have an agreement in place to ensure that your data is kept secure.

We will only share personal data with another organisation if we have a lawful basis to do so, and we will always keep records of when your data has been disclosed to another organisation.

We will only keep your personal data for as long as it is needed for the purpose it was collected for, or for as long as is required by legislation, and will destroy it when we no longer need to retain it for those purposes. There are different retention periods for different types of information.

Usually, the information that we hold is held within the UK. However, some information may be held on computer servers which are outside of the UK. In these cases, we will take all reasonable steps to make sure your data is not processed in a country that the UK government does not consider to be ‘safe’.

Freedom of Information

As a public body, all written information that we hold (including written enquiries) is subject to Freedom of Information requests. 

We will comply with the Data Protection Act 2018 and GDPR when considering requests made under the Freedom of Information Act.

Your rights

Subject to some legal exceptions, you have rights to:

  • request a copy of the personal information Qualifications Wales holds about you
  • to have any inaccuracies corrected
  • to have your personal data erased
  • to place a restriction on our processing of your data
  • to object to processing
  • to request your data to be ported (data portability)

To learn more about these rights please see the ICO website.

Please address any such requests to the

QW Data Protection Officer
Qualifications Wales
Q2 Building
Pencarn Lane
Imperial Park
Coedkernew
Newport
NP10 8AR

01633 373222

dpo@qualifications.wales

If you are dissatisfied with our response you can complain to the Information Commissioner's Office

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Service specific privacy information

Qualifications Wales will be the 'Controller' of any personal information that we collect. 

When we collect personal data from you or about you, our privacy notices will tell you about our legal basis for collecting the data, why we need it, what we do with it, our criteria for how long we keep it and if we need to transfer it to third parties processing data on our behalf.

Newsletters and mailings

Our monthly newsletter will automatically be sent to all primary contacts at awarding bodies, schools and colleges. Primary contacts include responsible officers, heads of schools and colleges, exam officers and the regional consortia. 

By subscribing to our newsletter or any mailing lists you are consenting to us retaining your contact details for the purposes of sending you such correspondence. You may unsubscribe at any time by clicking ‘unsubscribe’ at the bottom of the emails.

Events

We may use third party ticketing and webinar platforms to manage events. Personal information collected for events may include participant details, participation records and language preferences. This information will be exported from third party websites and held securely on our systems.

We will be the controller of personal information provided for our events. Third party systems may also act as a data controller for some personal information submitted by its users, for example if you are registering for their site. 

We may take informal photos and videos at events for use on our website and social media. We will ask permission before recording the image of a person in a way that could identify them.

Office visits

We monitor our car park using CCTV under the legal basis of processing for legitimate interests for the purposes of crime prevention and evidential purposes, and the safety of our staff and visitors. The footage is held securely and will only be accessible to key staff and our CCTV contractor. It will be retained for 31 days and then destroyed if not required for evidential purposes.

Contractors and visitors to the office will be asked to sign in at reception and log their attendance times. This is to comply with our health and safety obligations. 

Visitor information will be retained for 60 days and contractor visit information will be kept for one year.

Procurement and contractors

Qualifications Wales will be the controller of personal information you provide to us as part of the procurement process.

This information will be processed under the legal basis that it is necessary in order to take steps at your request with a view to entering into a contract for goods and services.

Should you be successful in your application, we will retain your personal information for the length of our contract with you and thereafter according to our retention schedule.

We may transfer your details to third parties processing data on our behalf where it is necessary to facilitate payment, to fulfil the contract or for analysis of third-party expenditure data.

All third parties processing personal data on a client's behalf are required under contract to abide by the GDPR.

We publish a contract register on our website of all awarded contracts and this includes supplier name, contract name, contract commencement and expiry dates, and the total value of the contract (where appropriate).

We will hold information about unsuccessful applicants for three years following the financial year in which the contract was awarded, it will then be destroyed.

Complaints, EPRS and whistleblowing

When investigating complaints about us, cases of whistleblowing, regulatory incidents and EPRS it may be necessary for Qualifications Wales to process personal information.

We may process personal data to:

• investigate complaints made about awarding bodies
• investigate complaints made about us
• investigate whistleblowing cases brought to our attention
• consider applications made as part of the Exam Procedure Review Service
• monitor how awarding bodies manage incidents and events 

Any personal data collected to investigate complaints, EPRS and whistleblowing will be retained for five years and then reviewed for disposal. Access may be given to independent reviewers contracted by us to review cases. In some cases, it may be necessary to share information with other UK regulators or our legal representatives.

Cookies

Cookies are files saved on your phone, tablet or computer when you visit a website.

We use cookies to store information about how you use this website, such as the pages you visit. These cookies are not used to identify you personally.

We may use the following on our site:

  • cookies that measure website use
  • cookies that help with communications and marketing
  • cookies that remember your settings
  • other strictly necessary cookies

Recruitment

If you apply for a job with us, we will only hold information relating to your application for as long as necessary. If you are unsuccessful, we will hold any personal data provided by you (or others) for one year after which time it will be securely deleted.

We will process your personal data during your application process for the purpose of complying with legal obligations and taking steps with a view to entering into an employment contract with you. This includes:

• to assess your suitability for the role you are applying for
• to take steps to enter into a contract with you
• to check that you are eligible to work in the UK
• to ensure that we are fulfilling our obligations under the public sector equality duty 

We will not share information gathered during your application process with third parties, other than:

  • Welsh Government approved vetting agencies carrying our pre-employment checks on our behalf
  • external panel members who may be part of a recruitment process
  • Audit Wales in connection with its audit work

Recognition Process

This information collected for the purposes of determining an awarding body application for recognition and may be used in monitoring any future compliance with our 'Standard Conditions of Recognition'.

Should you be successful in your application, we will retain your personal information for as long as you remain a recognised awarding body and thereafter according to our retention schedule. Where applicants are successful, we will hold your personal information for twelve months after the application procedure has been completed, it will then be securely destroyed.

Your personal information may be shared between UK regulators for the following reasons:

• you have already been recognised by another UK regulator
• you have applied to other UK regulators at the same time
• you have been previously unsuccessful in applying for recognition with other UK regulators

Learner Data

As the regulator of awarding bodies and qualifications in Wales, we will request learner data from awarding bodies, Welsh Government and other public bodies which may identify individuals. Such data collections may include special category such as a learner's ethnicity or data about a learner's health where this may be linked to special considerations. This special category data will only be collected under the legal basis that processing is necessary for archiving purposes in the public interest.

Our purposes for requiring the data are:

• to carry out our monitoring and audit functions
• to publish statistics about the qualifications system 
• to carry out evidence-based research
• to investigate particular issues reported to us

No data identifying individual learners will be published.

The data will be retained for 15 years to enable trends to be analysed. After this point it will usually be destroyed. 

We may share data with third parties to undertake research and analysis on our behalf. All third parties processing personal data on our behalf are required under contract to abide by the GDPR.

As producers of official statistics, we comply with the Code of Practice for Statistics in the production of statistics.

Wider Offer – Learner Engagement

As part of this learner engagement activity, we will keep some information on your consent forms that identifies you, such as your name, age, the name of your school, college or education provider and the name of your parent/carer. This is necessary for us to keep appropriate records of your consent to take part in the activity. Your personal information will be kept securely for twelve months. After this time, it will be destroyed.

Stakeholder confidence in qualifications and qualifications system

Information which identifies individuals, such as organisation name, job title, participants name and contact details, will be collected during these interviews.

There will be a dedicated stage of this research exploring EDI (equality, diversity, inclusion). In the case of parent interviews, special category data will be collected including ethnicity, sexual orientation, religious beliefs.

Beaufort Research (A UK-based research company) will be acting as a processor on behalf of Qualifications Wales and will be retaining the personal data. Qualifications Wales will be the data controller of any personal data submitted. Your personal data will be kept securely for twelve months and then destroyed.

Research into adaptations to assessment arrangements in summer 2022

Information which identifies individuals (teacher’s names, contact details, job role, and subjects taught, or learner names and qualifications taken) will be collected during these interviews and focus groups. This is necessary for us to collect information from stakeholders about their views on the adaptations to assessment arrangements in summer 2022.

ORS (a third-party UK-based research company) will be carrying out the research on behalf of Qualifications Wales. Qualifications Wales will be the data controller of any personal data submitted.

Your personal information will be kept securely for twelve months and will then be destroyed. We will then retain your responses without identifying information according to our retention schedule.

Inclusivity in international assessment systems

The intention of this research is to explore how international jurisdictions design/embed inclusivity into their assessment/qualification system.

Information which identifies individuals, such as organisation name, job title, participants name and contact details, will be collected during these interviews.

Alpha Plus will be acting as a processor on behalf of Qualifications Wales and will be retaining the personal data. Qualifications Wales will not have access to personal data. Alpha Plus will securely keep your personal data for twelve months and then destroyed. 

Engagement HQ

In order to register on our consultation platform - Have Your Say - we will collect certain personal information from you. This includes your name, email address and your language preferences together with information that will help us understand what types of stakeholders we have reached through our engagement.

We may use your email address and language preferences to send you mailings about stakeholder engagement that may be of interest to you. There will be an option to unsubscribe from these mailings. We may also use your email to contact you about your responses

The content you create as part of your interactions on this platform can include responses to public consultations, surveys, quick polls, comments and discussions forums. This will be retained along with your identifiable registration information.

Responses to consultations and surveys will be retained according to our retention schedule. The providers of the platform - Engagement HQ (Granicus) - act as processors for Qualifications Wales for the personal information contained in it.

Developing effective practice guidelines on how to deal with assessed work completed in Welsh where qualifications are not offered bilingually.

As part of this activity, Qualifications Wales will be processing information for the purpose of gathering examples of effective practice on how to deal with assessed work completed in Welsh where qualifications are not offered bilingually. The information gathered will be used to produce and publish guidance for awarding bodies.

The lawful basis for processing this information is to enable Qualifications Wales to fulfil its public task as the regulator for the qualifications system in Wales, under Qualifications Wales Act 2015 (under article 6e of the UK GDPR.)

Qualifications Wales will be the ‘data controller’ of the personal information provided.  Iaith, a third-party independent research company, commissioned by Qualifications Wales will be conducting the research on our behalf.  Iaith will be a ‘data processor’ of the personal information provided. 

Personal information collected as part of this project will be kept securely for the duration of the project and will then be destroyed. 

Access Arrangements Research [Phase 1]

As part of this activity, Qualifications Wales will be processing information about you which may include your name, job title, contact details, and the additional learning needs of learners participating in the research, together with your views, for the purpose of improving our understanding of the access arrangements system.   

The information gathered during phase one will be used to improve our understanding of the access arrangements system and to inform future approaches.  It may also be used during phase two, when we explore the extent to which access arrangements are fair and manageable, and to produce and publish research reports. 

The lawful basis for processing this information is consent under Article 6(1)(a) of the UK General Data Protection Regulation (GDPR).  The separate condition for processing special category data is explicit consent under Article 9(2)(a).  

Qualifications Wales will be the data controller and a data processor of the personal information provided.  Appen, a third-party transcription company, commissioned by Qualifications Wales will transcribe the recorded interviews and will be a data processor of any personal information provided to them by Qualifications Wales.   

We only keep your personal data for as long as it is needed for the purpose it was collected for, or for as long as is required by legislation, and will destroy it when we no longer need to retain it for those purposes.   Personal information collected as part of this research will be kept securely for the duration of the project and will then be destroyed.

Update

We review our privacy policy regularly and at least every 12 months. This notice was last updated on 15/04/2024.