Primary Privacy Notice
The Citizen Voice Body for health and social care (referred to in this notice as “Llais” 1 , “we”, “us” or “our”) treats your privacy and confidentiality very seriously. We comply with all aspects of the UK’s data protection legislative framework, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
In the course of carrying out our statutory functions we may gather a range of personal information from you. Our statutory functions/ tasks include public engagement, representation and complaints advocacy. We also have legislative duties relevant to the conduct of these functions/tasks including, for example, promoting Llais activities.
We have developed this privacy notice in order to be as transparent as possible about the personal information we collect and use about you.
Does this privacy notice apply to you? This privacy notice has been written for the benefit of the following categories of people (referred to in this notice as “you”):
- our volunteers
- complaints advocacy clients and people that represent or accompany them
- family and friends of advocacy clients if they have provided any information in the course of the advocacy process
- anyone else who is identified in advocacy service records, for example health and social care professionals
- complainants who have submitted a complaint against us
- people who receive updates, information or invitations to our events and those who attend such events
- people who visit our website
- our stakeholders, interest groups and other contacts along with people who work for them
- other individuals who contact us for advice and information
- people who share their views and experiences with us
- suppliers that we use
- our insurers, auditors and professional advisers and
- Welsh Government, NHS, Local Authorities or other public bodies and those who work for them.
This privacy notice does not apply to people who currently work for us, have worked for us or who are interested in working for us.
If you believe that we are processing your personal information, but you are not included in the above list please contact us to discuss this.
What this notice covers?
We ask that you read this privacy notice carefully as it contains important information about:
- the personal information that we collect and use
- the lawful bases we rely on to collect and use it
- why we collect and use personal information
- where we get the personal information from
- with whom we share personal information
- when we transfer personal information outside the UK
- how long we keep information and how we ensure it is secure and
your privacy rights
You should ensure that you read this general privacy notice alongside any specific privacy notice we may issue to you from time to time.
Your information will be held by Llais as Data Controller.
We have appointed a dedicated Data Protection Officer (DPO) to ensure appropriate oversight of our data processing activities. The DPO is the Strategic Director of Operations and Corporate Services. If you need any more information about this privacy notice and how your data will be used, you can contact us by letter, email or telephone. Contact information is included below:
Postal address: 33/35 Cathedral Road, Cardiff, CF11 9HB
Telephone: 02920 235 558
Email: [email protected]
Categories of personal information that we hold
The personal information that we collect from you includes:
- basic information, such as your name (including name prefix or title), the company you work for, your title or position and your relationship to a person
- contact information, such as your postal address, email address and phone number(s)
- communication preferences, for example you may wish to communicate with us through the medium of Welsh
- identification and background information provided by you. This may include date of birth, nationality and previous addresses
- where you are a complaints advocacy client, we will collect information about your circumstances that have led to you wishing to use our services. This may include special category data where this is relevant to the matter we are working on for you. We also keep records of your contact with us.
- if you are involved in one of our complaints advocacy matters, we will collect information about you that is relevant to the matter. This may include special category data.
- if you are a Llais volunteer we may hold records of your attendance at meetings (including video recordings of Microsoft Teams meetings until they are transcribed at which point they are deleted) and other events or your participation in monitoring, surveys on ways of working or other activities.
- technical information collected when you visit our website or digital platforms or in relation to materials and communications we send to you electronically, which includes information about the type of device you are using, your IP address and geographic location, your operating system and version, browser type, the content you view and the search terms you enter.
- information you provide to us for feedback purposes including through your participation in surveys which we run from time to time either on our own or in conjunction with partners including, but not limited to, Welsh Government and other NHS/social care providers.
- information you provide to us for the purposes of attending meetings and events we host, including access and dietary requirements.
We might also receive information from third parties such as your relatives or other parties relevant to the services we are providing (e.g. health and social care providers). The information we collect will be relevant to the services that we are providing to you and may include special categories of data, but only where it is lawful for us to process.
The lawful basis for processing personal information
We will only use your personal information when the law allows us to. Most commonly, we rely on the following legal bases to process your personal information:
Public Task - We are a public body and we collect and use personal information where this is necessary to perform tasks that are in the public interests or necessary for our official functions, and the task or function has a clear basis in law.
Legal obligation - This applies where we need to collect and use your personal information to comply with applicable laws and regulatory requirements.
Legitimate interests - We may collect and use your personal information to further our legitimate interests (provided the processing is not in the performance of our tasks as a public authority). We only do this where we are satisfied that your privacy rights are protected satisfactorily. You have a right to object to any processing of your personal information based on this legal basis (see below).
Consent - We may (but usually do not) need your consent to use your personal information. You can withdraw your consent by contacting us (see below).
Performance of a contract - This applies where we need to collect and use your personal information in order to takes steps to enter into a contract with you or to perform our obligations under a contract with you.
Why do we collect and use personal information?
We collect and use the personal information for the following purposes, relying on the specific lawful bases set out below:
Why The relevant lawful basis
To manage and administer our relationship Public Task
with our advocacy clients and to provide
advice services to them
To provide an advocacy service and to liaise Public Task
with third parties on behalf of clients in the
course of providing that service
To deal with complaints by advocacy clients, Public Task
volunteers or others
To manage, administer and keep records of our Legal obligation
relationship with volunteers Public task
To undertake background checks on potential Legal obligation
volunteers where this is appropriate Public task
To report to the Board, Welsh Government or Legal obligation
other public bodies where we are required to do so Public task
To ensure that we provide excellent standards of Public task
service through our own audit, review and quality Legitimate interests
assurance checks or by those undertaken by
auditors, professional advisers or certification
To manage and administrate our relationships Performance of a contract
with suppliers of good and services to us Legitimate interests
To make and manage supplier payments Performance of a contract
To otherwise carry out the day to-day operations Legal obligation
of our organisation efficiently including managing Public task
our financial position, capability, planning,
communications, corporate governance and audit
To undertake activities designed to promote Public task
and market our services including sending Consent (where legally
out newsletters, updates, holding events and required)
seminars and keeping records of your interests
in these activities
To train and develop our staff and people Public task
who work for us Performance of a contact
To prevent and respond to actual or Legal obligation
potential fraud or unlawful activities Legitimate interests
To better understand how we can improve Legitimate interests
our services, products or information by
conducting analysis and market research,
asking you take part in a survey and inviting
you to take part in focus groups
In an emergency information to prevent harm Vital interests
to you or another person
To ensure network and information security, Legitimate interests
including preventing unauthorised access
to our computer and electronic
communications systems and preventing
malicious software distribution
To determine access needs in respect of Legal obligation
visitors to our premises
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law. Also, we may collate, process and share statistical reports based on an aggregation of anonymised personal information held by us. This is useful for a variety of organisational reasons.
How we use particularly sensitive personal information
As indicated above, it will sometimes be necessary for us to process “special categories” of personal information, such as information about your health, where this is relevant to the matter that we are working on for you.
"Special categories" of personal information require higher levels of protection and we need to have further justification for collecting, storing and using this type of personal information. We will process special categories of personal information primarily in the following circumstances:
- Where it is necessary for reasons of substantial public interest, such as statutory and government purposes or for equality of opportunity or treatment.
- If we reasonably believe that you or another person are at risk of harm and the processing is necessary to protect you or them from physical, mental or emotional harm or to protect physical, mental or emotional well-being.
- Where it is needed to establish, exercise or defend our legal rights or for the purpose of legal proceedings in which we may be involved.
Less commonly, we may process this type of information where you have already made the information public. We do not need your consent to process special categories of your personal information for the reasons outlined above.
In very limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent.
We do not need your consent where the purpose of the processing is to protect you or another person from harm or to protect your well-being and if we reasonably believe that you need care and support, are at risk of harm and are unable to protect yourself.
We undertake a range of activities designed to promote our functions and values and to build on relationships with stakeholders and other interested parties.
While we want to keep you fully aware of all of the services we offer, we are keen to ensure that we are not responsible for sending you unwanted material. We therefore do our best to tailor the information and invites we send out. To do this we store information about your interests and communication preferences. We may also track your level of engagement with us.
We have a legislative responsibility to promote Llais. The basis on which we process this data is public task. We do not consider that we need your consent to do this lawfully, but we are obliged to inform you that you have a right to object to this.
The law also allows us to send marketing communications by electronic means to existing consumers of our services and business contacts without needing consent. Again, you have the right to object to this activity if you wish.
We take the view that we can keep information for these purposes indefinitely, and keep communicating with you from time to time, until and unless you ask us to stop. When we send you information about the services we offer or invitations to our events, we always include a simple “unsubscribe” option. If you have any difficulty using it or wish to find out more about this activity please contact us.
Sources of Information
The personal information we collect about you comes from a range of sources:
- you give us your personal information directly, when you engage with us, including via our website, over the telephone (including when you leave a voicemail) or other digital media
- we obtain additional information in the course of undertaking checks in order to comply with our statutory and regulatory obligations or where such checks are in the public interests
- we obtain and generate personal information in the course of providing services to you or if you are not an advocacy client, to others
- we obtain contact details and other information from our organisational contacts and our suppliers
- we collect information from publicly available sources such as telephone directories, social media, the internet and news articles.
If you wish to give us personal information about another person, please speak to us to ensure that you are legally entitled to give us the information and for advice on whether you need to inform that person.
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.
Sharing your personal data
A number of third parties may have access to your personal information or we may share or send it to them. This includes:
- Suppliers, bound by obligations of confidentiality, who provide goods, services and professional advice to us to help us run our organisation
- Third parties engaged in the course of services we provide to advocacy clients such as social services or the police
- the Public Services Ombudsman for Wales where to required to fulfil our functions (for example in connection with complaints from advocacy clients, volunteers or others or in connection with surveys which we may run from time to time)
- In the case of volunteers, to training providers for the purposes of accessing the training required to perform their duties as a volunteer
- Third parties involved in the complaints advocacy process such as NHS Local Health Boards, Trusts, Local Authorities or other health and social care providers
We may also share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. In this situation we will, so far as possible, share anonymised data with the other parties before the transaction completes. Once the transaction is completed, we will share your personal data with the other parties if and to the extent required under the terms of the transaction.
We may also be required to share personal information with regulatory authorities, government agencies and law enforcement agencies. We will use reasonable endeavours to notify you before we do this, unless we are legally restricted from doing so. We do not sell, rent or otherwise make personal information commercially available to any third party.
Transfers Outside the UK
We do not send personal data outside the UK as a matter of course. None of the service providers we use to help us run our businesses are based outside of the UK.
Choosing not to give personal information
If you choose not to provide us with certain personal data you should be aware that we may not be able to perform certain services or we may not be able to comply with our legal obligations. For example, we may not be able to deal with a complaint unless you provide us with certain information.
How long do we keep personal information
Our policy is to not hold personal information for longer than is necessary. We have established data retention timelines for all of the personal information that we hold based on why we need the information. The timelines take into account any statutory or regulatory obligations we have to keep the information, our ability to defend legal claims, our legitimate interests, best practice and our current technical capabilities.
We have developed a Data Retention Policy that captures this information. We delete or destroy personal information securely in accordance with the Data Retention Policy.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
We are strongly committed to information security and we take reasonable and appropriate steps to protect your personal information from unauthorised access, loss, misuse, alteration or corruption. We have put in place physical, electronic, and managerial procedures to safeguard and secure the information you provide to us including the use of encryption. We have Cyber Essentials Plus certification.
If you wish to discuss the security of your information please contact us.
You have a number of rights in relation to your personal data which we have. Not all of the rights apply in all circumstances. If you wish to exercise any of the rights, please contact us in the ways detailed below. You have the right:
- to be informed about how we collect and use the personal information we hold about you, the purposes we use your information for, how long we will keep your information, and who we will share it with. This privacy notice and our data retention schedule is one of the ways we will use to ensure you are informed.
- of access to the personal information we hold about you. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- to ask us to correct any information we hold about you that you think is wrong or incomplete.
- to object to any processing of your personal information where we are processing your data in relation to our statutory functions, or where we are relying on a legitimate interest and public task to do so and you think that your rights and interests outweigh our own and you wish us to stop. There may, however, be legal or other legitimate reasons why we need to keep or use your information. If this is the case, we will consider your request and explain why we cannot comply with it. You can ask us to restrict the use of your personal information while we are considering your request.
- to object if we process your personal data for the purposes of marketing our aims and objectives. If you no longer want to receive communications from us, please contact us. We will stop sending you communications, but will continue to keep a record of you and your request not to hear from us. If we deleted all of your information from our databases, we would have no record of the fact that you have asked us not to communicate with you and it is possible that you may start receiving communications from us at some point in the future, if we obtain your details from a different source.
- to ask us to delete your information. This is also known as the right to be forgotten or to erasure. We will not always agree to do this in every case as there may be legal or other legitimate reasons why we need to keep or use your information. If this is the case, we will consider your request and explain why we cannot comply with it. You can ask us to restrict the use of your personal information while we are considering your request. You can contact the DPO.
- to ask us to restrict how your data is processed in certain circumstances. You may do this if:
- you have told us you think the data we hold is wrong or incomplete, whilst we investigate and make any changes
- we are processing your data unlawfully and you would prefer us to restrict how it is processed rather than deleting it.
- we no longer need the data for our own purposes but you need us to keep it in relation to a legal claim or proceeding
- you have exercised your right to object to processing, whilst we consider whether we can lawfully retain and process your data
- where our processing of your personal information is based on your consent, you have the right to withdraw it at any time. Please contact us if you want to do so.
- in limited circumstances you may have a right to obtain the personal information that you have given us in a format that be easily re-used and to ask us to pass this personal information on in the same format to other organisations. Please contact us to find out if this right applies to you.
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.
How to complain
Please let us know if you are unhappy with how we have used your personal information.
To notify us of a concern please contact our DPO, the Strategic Director of Operations and Corporate Services. You can do this by letter, telephone or email using the details below:
Postal address: 33/35 Cathedral Road, Cardiff CF11 9HB
Telephone: 02920 235 558
Email: [email protected]
You also have the right to complain to the Information Commissioner’s Office. Find out on their website (www.ico.org.uk) how to report a concern. The contact details are:
Postal address: Information Commissioner’s Office – Wales 2 nd floor, Churchill House, Churchill Way, Cardiff, CF10 2HH
Telephone: 0330 414 6421
Email: [email protected]
Changes to this Privacy Notice
This privacy notice was last updated on 31/03/2023.
We keep this privacy notice under regular review and reserve the right to update it at any time by updating this page in order to reflect changes in the law and/or our privacy practices. We would encourage you to check this privacy notice for any changes on a regular basis.
We may also notify you in other ways from time to time about the processing of your personal information