Privacy Policy

We (the Procurement Centre for Excellence Project) carry out research to test and improve services we are delivering as part of the scope of our work.

The project is funded and commissioned by Welsh Government.  Welsh Government is the data controller and CURSHAW are the data processor for all data collected by the project. A data controller determines how and why personal data can be processed.

This privacy notice gives you general information on how we handle research data. For more details about a specific piece of research, you can refer to the information provided when you’re invited to take part in that session. This should also include contact details for the researcher and their team in case you have any further questions.


What personal data do we hold and where do we get this information?

Personal data is defined under the General Data Protection Regulation (GDPR) as ‘any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier’.

Contact information we collect for the purpose of inviting public sector staff to participate in the project.

Participants will be asked to provide their names and contact details if they would be willing to participate in the project. Your participation, and provision of contact information, is entirely voluntary.

Contact information will only be used for the purpose of contacting you to participate in our project. Your contact details are never linked to the responses or views you provide.

Your participation is voluntary and if you do not wish to take part, or be sent reminders to participate in our project, then please contact the project team.

Information we collect in our research

We do use survey software (Smart Survey, all data is processed within the UK) that allows respondents to save and return to a survey so they do not have to complete a survey in one go. If you select ‘save and continue later’, the software will ask your name and email address so that a unique link is generated and emailed to you so you can go back and complete the survey at a convenient time. This information is only retained by the software so you can re-access the survey.  It is never made available as part of your survey response and is inaccessible to the project team. This information is then deleted in line with the software’s data retention procedures (i.e. survey data is deleted at the end of the project and then purged from the software after 30 days).

In addition, we may also inadvertently collect personal data via open comments questions or through interviews and focus groups if respondents provide information that could identify them.

Please do not provide personal data in order to raise a specific query or complaint about the project. Any queries or complaints should be made through normal organisational channels. Personal data provided relating to this will be deleted by the project team.


Recording  sessions

As part of the project we will be running various sessions which will be recorded:

  • Show and tell sessions – sharing the latest from our alpha project to create Cyd; and
  • Cydrannu – the name of our knowledge sharing series for procurement and commercial professionals in Wales.  

These recordings will be made available on YouTube and/or other media platforms. The presenter will make attendees aware that the session is to be recorded prior to the recording commencing.


What is the lawful basis for using your data?

The lawful basis of processing information as part of the Procurement Centre of Excellence project is Legitimate Interest. That is, processing public sector staff information, views and experiences is in the legitimate interest of the running of the Welsh Government and helping to obtain best value from public sector procurement spend.

Participation is completely voluntary. However, we really appreciate the participation of public sector staff, since your views and experiences are important in order to inform improvement.


How secure is your personal data?

All data, including personal, is kept securely.

Any data provided that contains personal identifiers or information that could potentially identify individuals will only be accessed and analysed by the project team.


When reporting findings for the research we conduct, the project will ensure that no information is provided that could be used to identify individual participants. All data gathered through our research will be reported in an anonymised format. Published reports will not contain your contact details and any identifiable information in open-ended answers will be removed.

We ensure that individuals cannot be identified through the way results are reported. We will never report on groups of less than 10.


Does the project team ever share personal data with a third-party?

No, other than the supplier that is contracted for the project who will only use the data for the purposes of the project. The project will not share any data that contains personal identifiers or information that could potentially identify individuals with anyone outside of the project. We will never provide any personal identifiers when reporting findings to policy leads/customers.


How long do we keep your personal data?

We will only retain the personal data if it is relevant for the project. Any personal data is retained for a defined period of time.


Contact information

We will keep any contact information for up to 5 years after the project has been completed. We may delete the information sooner if it is no longer being used. Keeping this information allows us to minimise staff burden by ensuring the same people aren’t contacted too often. It also enables us to conduct future and longer-term research or benchmarking exercises by allowing us to re-contact individuals who have, for example, participated in the project, in order to monitor change. This will be made clear when you are invited to take part in research.


Survey data

We conduct a review of the data we hold on an annual basis (at the beginning of each financial year) in order to ensure the retention periods are adhered to.

Aggregate results from surveys (which do not count as personal data) will be kept indefinitely, or until they are no longer considered useful.

Comments and transcripts

Where possible, personal information provided in comments or interviews/focus groups is removed early on in the project. It is simply deleted from comments, or removed when recordings of interviews/focus groups are transcribed.

Any personal data not already removed at an earlier stage because it is relevant for the project will be deleted 12 months after project completion. This information is retained for a 12 month period to allow some flexibility in case additional analysis is required.

Recordings of interviews/focus groups are deleted once transcribed.


Individual rights

 Under GDPR, you have the following rights in relation to the personal information you provide through any of the research conducted through the Employee Research Programme, specifically you have the right:

  • To access a copy of your own data;
  • For us to rectify inaccuracies in that data;
  • To object to or restrict processing (in certain circumstances);
  • For your data to be ‘erased’ (in certain circumstances); and
  • To lodge a complaint with the Information Commissioner’s Office (ICO) who is our independent regulator for data protection.

The contact details for the Information Commissioner’s Office are: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Phone: 01625 545 745 or 0303 123 1113. Website:



Cookies are files saved on your phone, tablet or computer when you visit a website.

We use cookies to store information about how you use this website, such as the pages you visit. These cookies are not used to identify you personally.


Further Information

If you have any further questions about how the data provided as part of this project will be used by the Welsh Government or wish to exercise your rights using the General Data Protection Regulation, please contact:

Name: David Nicholson

E-mail address:

Telephone number: 03000 257310


The Welsh Government’s Data Protection Officer can be contacted at:

Welsh Government, Cathays Park, Cardiff, CF10 3NQ, Email:

Cyd site is currently in Beta and this website will be developed as new services are created.