Using your personal information
Personal information which you supply to us will be held by CEIC, an operation funded by the European Social Fund (ESF) through the Welsh Government’s Welsh European Funding Office (WEFO). The operation is led by Swansea University in partnership with Cardiff Metropolitan University.
The CEIC operation is committed to protecting the rights of registered users in line with Data Protection legislation. For data the Welsh Government or the Welsh European Funding Office (WEFO) requires the operation to collect (Section A below), the Welsh Government is the data controller and Swansea University is a data processor.
The Data Protection Officer for the Welsh Government can be contacted at Data.ProtectionOfficer@gov.wales.
For other personal data collected by CEIC (Section B below), Swansea University is a data controller and has a dedicated Data Protection Officer contactable at firstname.lastname@example.org.
This document provides an explanation of why we collect personal data as part of the CEIC operation, how we process it and the steps we take to ensure data security at all stages. All data collected through the operation is processed and stored in accordance with Data Protection legislation.
What personal information do we collect?
A. Data which we are required to collect on behalf of the Welsh Government and WEFO
Data covers the European Structural Funds 2014-2020 in respect of a) the monitoring data laid out in the Structural Funds definitions and b) information requirements under the Eligibility rules and conditions for EU funds support.
A1. Monitoring Data - for further information on the required monitoring data, see: Guidance on Monitoring and Evaluation, https://gov.wales/docs/wefo/publications/180525-monitoring-eval-guidance.pdf and General Data Protection Regulation (GDPR) 2018 and Structural Funds – Information document explaining how Welsh European Funding Office deals with personal data under GDPR, https://gov.wales/docs/wefo/publications/180525-wefo-gdpr-en.pdf
A2. Eligibility Information - for information on the required data collected under the Eligibility rules and conditions, see https://gov.wales/docs/wefo/publications/170627-esf-guidance-participant-eligibility-en.pdf
For CEIC to satisfy the above requirements and process data on behalf of WEFO, we collect the following personal information from enterprises and individuals who wish to take part in the programme:
- Evidence that the participant is eligible for support under the aims and objectives of the individual ESF project (in this case that the participant works in the public or third sectors);
- Name of enterprise lead contact / employees involved in the project;
- Work contact details of personnel involved in the project;
- Job role/title of personnel involved in the project;
- Total monthly employment costs attributed to the project (on an individual level this is payslip information and contract).
B. Data which is collected and processed by CEIC
B1. Data for the delivery of the programme
We collect the following personal information about you to enable the delivery of the programme support to you and to enable participation in events and activities:
- Health information such as dietary or accessibility requirements when attending events;
- Contact details of your next of kin and GP, and any medical conditions, if attending overnight residential events for safety purposes;
- Behaviours, competencies and interests to best adapt the delivery of training to your circumstances and challenges faced at an individual or organisational level.
B2. Data for research
To maximise the impact of the operation for the participant individuals, organisations and networks and beyond at regional and national level, we will carry out and publish research around the programme methodology, outcomes and impacts. This may involve collecting certain demographic data about participants such as: gender, ethnicity, academic achievement, geographical base. Any published data will be pseudonymised. Participation in the research will be optional (where it falls outside the requirements for WEFO reporting). All research will follow Swansea University and Cardiff Met Research Integrity policies, including obtaining consent for the research from the Universities’ Research Ethics Review Committees.
B3. Data for direct marketing
Information may be collected in the interests of providing you with an opportunity to benefit from the operation’s delivery and research programme. This is to enable us to inform you about the activities we can offer and our events, to learn about similar engagement activities across the Universities such as funding training programmes or graduate placements, or to keep in touch with those organisations with whom we have collaborated. Therefore, the following information may be collected, stored and used or otherwise processed by CEIC:
- Name and contact details of individuals who make enquiries to the CEIC team via telephone, email or the webpage and/or who self-register for events and/or newsletters;
- Name and contact details of named individuals within participating organisations with whom we make contact by telephone, email or post where appropriate;
- Data including registration documentation for events, seminars etc;
- Photographs and video footage taken during CEIC related events for official use. Participants will be informed when photographs and/or video footage are taken during events. Where an image clearly identifies an individual and constitutes personal data, informed consent will be obtained from the relevant participant/s before its release.
Why do we collect personal information and how do we use it?
We collect your personal information for the following reasons:
- To evaluate eligibility for CEIC support according to funding compliance requirements;
- To monitor and evaluate projects at operation management and governance boards and as part of the operation’s external evaluation so as to assess the effectiveness of working practices, delivery of projects and project outputs and impacts in line with funding requirements;
- To report to the Welsh Government, WEFO and the European Commission for regulatory operation monitoring, claim and audit purposes. These bodies may also use your data for the purposes of research, evaluation and verification regarding Financial Support from the Structural Funds. This may involve linking participants’ personal data collected as part of this operation with other personal data held on participants by other organisations – this will only be done for research and evaluation purposes;
- To maximize the impact of the project by carrying out research that will deliver broader societal benefits;
- To keep in touch and provide optimal support, informing you of CEIC news, events and highlights that could benefit you or your organisation and promoting the operation;
- To deliver optimal training and support to you; and
- For health and safety reasons on attendance at residential events.
What is our legal basis for processing?
Data which we are required to collect on behalf of WEFO (Section A above)
The relevant section of the GDPR for collecting personal data in relation to the Structural Funds is Article 6(1)(e) where: “processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller”.
The European Regulations governing Structural Funds give the Welsh Government official authority to process the personal data referred to above. Article 54(2) of Regulation (EU) No 1303/2013 common provisions on the European Structural and Investment Funds (CPR Regulation) states that “Member States shall provide the resources necessary for carrying out evaluations, and shall ensure that procedures are in place to produce and collect the data necessary for evaluations, including data related to common and where appropriate programme-specific indicators.”
Data which is collected and processed by CEIC (Section B above)
There is a legitimate interest for us to process data for the delivery, evaluation and monitoring of the operation and to provide you with direct marketing including information relating to opportunities for collaboration, up-to-date news and up-and-coming events (Article 6(1)(f) of the GDPR). A legitimate interests assessment has been carried out to ensure your personal data is used appropriately and in ways you would reasonably expect with minimal privacy impact.
You have the right to object to processing for the purposes of direct marketing if you wish and will always be given the opportunity to unsubscribe from future communications. Where an image constitutes personal data/special category data, we will always seek the data subject’s consent for its use under Article 6(1)(a) and 9(2)(a) of the GDPR.
Who receives your personal information?
Information is made available to personnel requiring access in limited circumstances for the reasons outlined above. These include:
- Operation and University delivery and administrative staff;
- The operation governance and management boards;
- External advisors and consultants directly engaged with the operation, including third party evaluators we appoint to undertake an evaluation of the operation as required by the funders;
- The Welsh European Funding Office and the European Commission including their independent auditors and commissioned research organisations.
In some circumstances, images or video footage may be released on our operation website, Swansea University and/or Cardiff Met University website, social media platforms and/or via press release. Where an image or footage constitutes personal data, you will be informed of this and your consent for media release will be obtained.
Information for reporting and research purposes is collected through the use of surveys using the JISC Online Survey tool. JISC Online Surveys is GDPR compliant and is certified to ISO 27001 standard for information security management (https://www.onlinesurveys.ac.uk/security/).
CEIC may use third party processors (such as Eventbrite for event organization), which would involve international data transfer. Eventbrite’s Terms of Service incorporate a DPA in which it states that they will be bound by the Controller-to-Processor Standard Contractual Clauses (https://www.eventbrite.co.uk/support/articles/en_GB/Troubleshooting/eventbrite-eu-data-protection?lg=en_GB and https://cdn.evbstatic.com/s3-s3/static/images/en_US/legal_policies/EU/Eventbrite_Standard_Contractual_Clauses.pdf).
How your personal information is stored
Data Protection legislation requires us to keep your information secure. This means that your confidentiality will be respected, and all appropriate measures will be taken to prevent unauthorised access and disclosure. Only members of staff who need access to relevant parts or all of your information will be authorised to do so. Information about you in electronic form will be subject to password protection and other security restrictions, while paper files will be stored in secure areas with controlled access.
Any data we provide to the Welsh Government in relation to the operation will be held and processed in accordance with the requirements of the DPA 2018. The Welsh Ministers are registered as a data controller on the Information Commissioner’s public register of data controllers under the registration number Z7107446.
How long will your information be held?
The data will be held for the duration of the CEIC operation and for a reasonable period of time upon its conclusion to comply with regulatory audit and document retention requirements, at least until 31 December 2026. Information held for research and archiving purposes may be kept beyond this period and in line with GDPR Article 89 safeguards.
What are your rights?
You have a right to access your personal information, to object to the processing of your personal information, to rectify, to erase and to restrict your personal information (please note, however, that exercising these rights may compromise your ability to participate due to the operation’s contractual funding constraints).
In the case of direct marketing, you have an absolute right to object to processing for this purpose.
Please visit the Swansea University Data Protection webpages for further information in relation to your rights. Any requests or objections should be made in writing to:
Swansea University Compliance Officer (FOI/DP)
If you are unhappy with the way in which your personal information has been processed, you may in the first instance contact the University Data Protection Officer using the contact details above.
If you remain dissatisfied, then you have the right to apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at:
Information Commissioner’s Office
Please advise us of any changes to your name, address or contact details as soon as practically possible so that we can amend our records accordingly.
Consequences of not providing your information
Not providing your information when necessary is likely to affect your eligibility for the programme and our ability to enter into a contract with you to provide services.
Freedom of Information Act
Swansea University is a designated public authority for the purposes of the Freedom of Information Act 2000 and Environmental Information Regulations 2004 and is therefore subject to receiving requests for recorded information. Freedom of Information or Environmental Information requests will be responded to in line with the provisions of the relevant legislation.