Privacy Notice
Our privacy notice sets out the kind of personal information we may need to collect about you, what we do with it, who we may need to share it with, how long we will hold it for and what your rights are in relation to it.
A PDF download of this document will be available soon.
What we do
Care Inspectorate Wales (CIW), as part of Welsh Government (WG), is the independent regulator of social care and childcare in Wales. In order to carry out our work effectively and in line with statutory requirements, we have to collect, hold and use certain kinds of information about people. These include service providers, service users and representatives of service users. This may include information by which specific individuals can be identified, and information which is sensitive to the individuals concerned. In regulating services provided to children and vulnerable adults we seek to reduce or eliminate risks to their welfare and ensure that care providers operate within the law.
How we work with you
Chief Inspector’s Correspondence
When you correspond with us, your personal information is processed in the same way as it is at a corporate level for Welsh Government staff. You can find out how your personal information is processed in this way by viewing the Welsh Government Privacy Notice (External link).
Child Care at Home Voluntary Approval Scheme
The Child Care at Home Voluntary Approval Scheme is operated by CIW and authorised by Welsh Government. It is a voluntary scheme based on consent. CIW does not register nannies, but through the scheme, you can be vetted for childcare at home. The scheme only applies to nannies providing care in Wales. It needs to be annually renewed and is completed through a downloadable application form. The application form provides your personal details, your childcare and first-aid training and includes a check on criminal records.
The personal information you supply is processed in these ways:
- to assess your skills, suitability and eligibility for Approval
- (as anonymised information) for the purposes of evaluation of this scheme and research.
These are the retention periods that apply to the information you supply:
- Application documents are kept for 3 years after application
- Application information kept for 6 years after approval has ended
- Anonymised research information is kept in line with Welsh Government corporate policy.
Your information is shared with HMRC. It is only shared with local Family Information Services (FIS) if you give us your consent to do so in the application form. This sharing of information is to allow parents to find out about approved home child carers available in their area.
Communications
We collect images, videos, pen portraits as well as written comments, reviews and personal accounts for use in further communications to promote our work, educate and consult further with stakeholders. These are used over a variety of communication channels which include social media and our website and presentations. Your information is reviewed every 10 years to ensure that it is still relevant to these purposes. This personal information is only used with your consent and that consent can be withdrawn by contacting us.
Complaints about our staff
Complaints about our staff are handled at a corporate level in Welsh Government. You can find out how your personal information is processed in this way by viewing the Welsh Government Privacy Notice (External link).
Concerns
When we receive a concern relating to care providers or services we will acknowledge this and endeavour to respond in a timely manner. We may share your information further in line with the safeguarding regulations that govern our activities (see Who we share information with). Your communication will be retained for 3 years from the satisfactory resolution of the concern. If however the concern leads to the exercise of other regulatory functions (eg enforcement activities) then the retention periods for those functions will apply (see How long we keep your information).
Consultations and Surveys
In order to support our regulatory functions we conduct a range of online consultations and surveys throughout the year. The aim of these is to gather evidence and insight into the state of the social care market that we regulate as well as to support and inform our own operational functions. Those we work with include service providers, local authorities and any other organisations and individuals directly related to these.
The information is analysed and aggregated to produce summary reports. These are used to support our own functions (eg inspections). They may be shared directly with the providers of that information where necessary. If further issues are identified (eg concerns or safe-guarding issues), these may be shared in line with the regulations governing those activities (see Who we share information with).
Information relating to responders is retained until the consultation is complete. Information gathered from a consultation is retained for a period of 3 years after the close of the consultation. When information is used in support of our other functions (eg safe-guarding, enforcement activities) then the retention periods for those functions apply (see How long we keep your information).
Engagement activities
We undertake a number of engagement activities. These include general communications, stakeholder events and working groups. These are handled in the same way as at a corporate level in Welsh Government. You can find out how your personal information is processed in this way by viewing the Welsh Government Privacy Notice (External link).
Enquiries
When you send us an enquiry it is processed in the same way as it is at a corporate level for Welsh Government staff. You can find out how your personal information is processed in this way by viewing the Welsh Government Privacy Notice (External link).
Freedom of Information and Data Subject Access requests
When you send us a Freedom of Information or Data Subject Access request, these are handled as part of a corporate process for Welsh Government. You can find out how your personal information is processed in these ways by viewing the Welsh Government Privacy Notice (External link)..
Further Education Colleges, Boarding Schools and Residential Special Schools
We carry out our regulatory duties with Further Education Colleges, Boarding Schools and Residential Special Schools, using in the main the same processes we do for registered services. These duties include inspections, safeguarding and concerns as well as the necessary support services to carry out these functions. However, such services are not required to be registered under the current legislation and therefore CIW does not have the same enforcement powers. The main product of our inspections is publically available anonymised reports published on our website.
Registered Care Services and Providers
The types of information we hold
In order to fulfil our regulatory functions we have to collect and hold personal information. Personal information is that by which an individual can be identified. At times this information can be sensitive in nature (for example, it can be about an individual’s health or police record). Below is a list of the main types of personal information we collect and hold. The nature of our work means that we cannot know in advance all the types of personal information that we will be presented with and need to collect and hold to fulfil the requirements of our regulatory functions.
- General information
- Name, address, date of birth, age, gender, language and communication preferences, contact details, references, copies of photographic identification
- Provider/service information
- CIW Online username and PIN, details of registration with other bodies such as Social Care Wales registration number, financial records, qualifications and training, history of service
- Medical
- Care plans, medical reports, medication records
- Law enforcement
- Police records, convictions, allegations of misconduct at work, Disclosure and Barring Service checks
- Safeguarding and enforcement activities
- Enforcement activities, conditions of deprivation of liberty, child protection referral details, abuse allegations
What we do with your information
The personal information which we collect and process enables the evaluation of the performance of service providers and local authorities and their compliance with regulatory requirements. In the case of local authorities, the purpose is to evaluate whether a local authority has fulfilled its statutory functions. This entails analysing information collected during inspections and preparing reports. These reports will be shared with service providers and local authorities before being published and may be the subject of correspondence between ourselves and the provider/local authority before the report is finalised and published.
We are also called on to participate in adult protection and child protection procedures: personal information will be processed to support decision-making by local authorities and other public bodies with statutory responsibilities for protection of children and adults. Personal information will also be processed, to the extent necessary, to support criminal or civil enforcement action against service providers or to support interventions against local authorities which are in default or who may be in default of their statutory duties.
Personal information may be processed in the exercise of our functions of referring individuals to the Disclosure and Barring Service (DBS) or referring individuals to professional regulatory bodies. Personal information may also be shared with other regulatory or law enforcement bodies where we are required by law to do so or where sharing the information is consistent with our statutory functions.
The specific processes we are involved in include:
Registration
- Providing secure online access for service providers
- Undertaking ‘fitness’ checks on registration applicants
- Registering providers and services
- Providing a public register of providers and services
Inspections
- Inspecting providers and services
- Inspecting the delivery of social services by local authorities
- Processing notifications received from registered services
Safeguarding
- Monitoring the safeguarding of people receiving care and support, including where individuals have to be deprived of their liberty.
- Taking part in multi agency safeguarding discussions and investigations where people are believed to have been abused or are at risk of abuse.
Enforcement
- Enforcing regulatory requirements that apply to the services
- Conducting civil and criminal enforcement actions
Support Services
- Organising events, meetings and consultations
- Producing engagement communications, including newsletters
- Collecting Self Assessment of Service Statements (SASS) from service providers
- Administering DBS checks for service providers
- Responding to general service enquiries
In addition to the processes above, we also use and share anonymised information to:
- Produce publicly available annual reports (e.g. Deprivation of Liberty Safeguards; CIW annual report ) and thematic reports (e.g. learning disability provision in Wales)
- Prepare statistical analyses
- Support research or consultations commissioned by the Welsh Ministers
- Provide information to Welsh Ministers to help them make decisions relating to policy changes
How long we keep your information
- CIW Online access
- 6 years from de-registration of service
- Registration
- Pre-registered service: retained until registered
- Registered service: 6 years from de-registration of service,
- Application documents: 3 years following determination of the applications,
- Refused and enforced cancelled services: indefinitely
- Inspection of providers and services
- 6 years from publication of report
- Notifications
- 3 years from receipt of notification
- Deprivation of Liberty Safeguards
- 3 years as a result of notifications,
- 6 years as a result of inspections
- Enforcement activities
- 3 years from end of enforcement activity
- Events, meetings, consultations newsletters and bulletins
- Until de-registration of service
- Self Assessment of Service Statements
- 6 years from publication of next inspection report
- DBS certification
- In line with Disclosure and Barring Service policy
- Anonymised statistical information
- In line with Welsh Government corporate policy
Who we share your information with
We only share information with other organisations when it is lawful to do so. Typically this is to aid the safeguarding and support of vulnerable people or the necessary lawful processes of the other organisations. We may share your information with, and obtain information about you from the organisations set out below. This sharing is in accordance with the General Data Protection Regulations and is governed by formal agreements (ad hoc requests are governed by the same controls) which test the legal basis for the sharing of that information before it is shared.
The organisations we have information sharing agreements with include:
- Financial services
- Her Majesty’s Revenue and Customs
- Local authorities
- Social Services
- Family Information Services
- Welsh Local Government Association
- Children's Commissioning Support Resource
- Emergency services
- Fire and Rescue Authorities
- Welsh Ambulance Service NHS Trust
- Regulatory bodies
- Public Services Ombudsman Wales
- Older People's Commissioner for Wales
- Wales Audit Office
- Ofsted
- Estyn
- Health and Safety Executive
- Social Care Wales
- Nursing and Midwifery Council
- Her Majesty’s Inspectorate of Constabularies, Fire and Rescue Service
- Law enforcement
- Police
- Disclosure and Barring Service
Website (including CIW Online)
Our privacy policy explains how it handles your personal information when you visit the website. If you use your CIW Online account, which allows greater access to our transactional services, this has its own CIW Online privacy policy.
Whistle-blowing
When you contact us in regard to a case of whistle-blowing, we will decide within seven days what action is required. When this raises any concerns regarding registered care services and providers, your personal information will be handled in line with the related processes governing these.
Your rights
For all the personal information we hold about you, you have the right to:
- access the personal information that we are processing about you
- require us to rectify inaccuracies in that information
- (in certain circumstances) object to our processing your information
- have your information erased
- lodge a complaint with the Information Commissioner’s Office (ICO) who is our independent regulator for data protection (see Contacts)
In addition, where you have consented to give us personal information (for example, so that you can receive our newsletter or for the Nannies Approval Scheme), you have the right to:
- remove consent
- request your information in a commonly accessible digital format
However, as set out above, you should note that there may be exceptions to these rights under certain circumstances, for example where the safeguarding of others may be compromised or when law enforcement actions are underway.
Contacts
For any concerns relating to specific personal information that Care Inspectorate Wales holds, use the contact details here:
Email: CIWInformation@gov.wales
Website: www.careinspectorate.wales
For any concerns relating to information controls within Welsh Government, use the contact details here:
Email: Data.ProtectionOfficer@gov.wales
Website: www.gov.wales (External link)
For independent advice regarding the General Data Protection Regulation, use the contact details here:
Telephone: 01625 545 745 or 0303 123 1113
Website: www.ico.org.uk (External link)