Privacy and cookie policy

This policy applies to information we collect in connection with:
  • our statutory audit work
  • job applicants
  • current and former employees
  • correspondence and communications including subject access requests or freedom of information enquiries
  • our events
  • visitors to our website
  • the use of cookies by the Wales Audit Office
  • suppliers of goods or services
  • subscribers to our newsletter

Data Protection Officer

We have appointed a Data Protection Officer who is responsible for overseeing how your data is used, our information governance policies and procedures, privacy notices and your rights as an individual under data protection law. If you have any queries or concerns about our use of your personal information or this notice, please contact our Data Protection Officer at

Data Protection Law

We process your personal data under data protection law applicable in the UK which includes the ‘UK GDPR’ [opens in new window] and Data Protection Act 2018 [opens in new window]. Information about data protection law is available on the ICO website [opens in new window].

We may only process personal data if we have a legal basis for that processing. The key legal bases for the work of the Auditor General or Wales Audit Office are processing that is necessary for:

  • Performance of a contract with the data subject, for example, our contracts of employment or contracts under which we receive or provide goods or services.
  • Compliance with a legal obligation, where we have a duty to do something under statute (where  statute says we must or should do something).
  • Performance of a task in the public interest or in the exercise of official authority, where we have a power to do something (where statute says we may do something).

Other legal bases, which may also apply, include:

  • Consent, which must be freely given, specific, informed, clear and in the form of a statement or clear affirmative act on the part of the individual.
  • Necessary to protect vital interest---processing personal data to protect someone’s life, e.g. where someone needs medical help.

Our statutory work

When we undertake audit work under our statutory powers and duties we may collect information from public bodies that contains some personal data.

Personal data that we collect from public bodies or directly from individuals (but not through the use of cookies) may be used in audit tests to help us form audit opinions and to provide reports on accounts, value for money reports, improvement assessments, and sustainable development examination and inspection reports.  We will only use this information for the purpose for which it was collected. We will hold it securely in accordance with our Information Security Policy [PDF 89KB opens in new window], and when it is no longer needed it will be disposed of in accordance with our the retention schedule within our Documents and Records Management Policy.

Our general audit fair processing notice (updated 2023) sets out:

  • Who we are and what we do
  • How you can contact our Data Protection Officer
  • The relevant laws
  • Who will see the data
  • How long we keep the data
  • Our rights
  • Your rights
  • How you can contact the Information Commissioner’s Officer

Please note that a separate privacy notice is available for our National Fraud Initiative (NFI) work and is available within the NFI section of our website.

A separate privacy notice is also available for data matching in respect of a community pharmacy pilot, as well as the Data Deletion Schedule for the pilot.

Job applicants

The information you provide as part of the application process will be treated in confidence and will be shared only with Human Resources and members of the selection panel for the purposes of the recruitment process.

We may disclose information about you to third parties, for example where a third party specialist is involved in the selection process or we want to take up a reference.

We hold personal information about unsuccessful candidates for a maximum period of 1 year after the recruitment process has been completed. This information is used solely for monitoring purposes to form statistical reports on our recruitment activities.

Our Recruitment and Applicant Privacy Notice provides further detail of how the Wales Audit Office will process your information when you apply for a job or make a recruitment enquiry.

Current and former employees

The Employee Privacy Notice sets out how the Wales Audit Office (WAO) processes information about you as a member of staff. Staff means any individual working for, or as part of, the WAO, including employees, board members, workers (including agency, casual and contracted staff), volunteers, trainees and those carrying out work experience.  Following the end of your employment with the Wales Audit Office, we will retain your information in accordance with the requirements of our retention schedule and then delete it. We give employees who are leaving their employment with the WAO a full leavers privacy notice.

People who make a complaint or correspond with us

When we receive a complaint, correspondence or concerns about the Wales Audit Office, a public body we audit, subject access request or freedom of information request we hold the correspondence in a file.

We will only use the personal information we collect to process the complaint, correspondence or request. We may have to disclose your details when we are investigating any matters that you raise, and if you tell us that you do not want us to disclose or share your personal information we will try to respect this. However, it may not be possible to investigate your request on an anonymous basis.

Where we share information, we will share the minimum necessary, and this may be with:

  • Auditors, inspectorates and other public or professional bodies
  • Professional advisors and consultants
  • Regulators, ombudsmen and commissioners
  • Healthcare professional, social and welfare organisations
  • Police, prosecuting authorities and courts

We will keep information provided to us in complaints, correspondence, subject access or freedom of information requests in line with our retention policy.

Our events

When you sign up to an event that we have organised we collect specific information about you as a delegate, facilitator or contributor. Events can include conferences, engagement, or other meetings and events. To find out more, please read our events fair processing notice [PDF opens in new window].

You can also download the privacy notice for our good practice shared learning events [opens in new window].

We organise and facilitate events solely as well as in collaboration with other public bodies. 

Read the Wales Audit Office events terms of reference [PDF 51KB opens in new window] or read the Good Practice Exchange terms of reference [opens in new window].

Visitors to our website

We may need to communicate with visitors to our website for administrative or operational reasons. Where we collect specific information from you for this purpose, we will not pass it on to any other organisation.

We also collect standard internet log information and details of visitor behaviour patterns when someone visits our website. We do this to find out things such as the number of visitors to the various parts of our site, to monitor the download of our reports and publications and to help improve the service we provide.

This data collection process is carried out electronically in the background, and visitors to our website may not be aware that it is taking place. We believe that this process is not intrusive to visitors’ privacy, as we do not attempt to find out the identities of visitors to our website. The standard internet log information collected will only be used for the purposes mentioned and will not be passed on to any other organisation.

Use of Cookies

We use cookies to collect internet information from visitors to our website.  A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is usually a small file sent from a website and stored in a user's web browser when a user accesses certain websites.  We use cookies to help make our website function effectively and efficiently, and to give us information about your use of the site, along with that of other visitors.  Our recruitment webpages also use cookies to allow visitors to securely apply for vacancies.

The Wales Audit Office website uses Google Analytics, which is a web analysis tool to collect the standard visitor log information we need to help us maintain and improve your visit experience. Google Analytics uses first-party cookies for this purpose. Information about Google Analytics and privacy at Google is available at on the Google Website [opens in new window].  To opt out of being tracked by Google Analytics across all websites visit the Google opt out page [opens in new window].

The YouTube and Twitter software programmes in use on our site also use cookies, and the relevant cookie policies are as follows:

Other websites

Our website may contain links to other websites which are outside our control and are not covered by this notice. If you access other sites using the links provided, the operators of these sites may collect information from you which will be used by them in accordance with their privacy notice, which may differ from ours.

Social media features and widgets

Our website includes links to social media such as Facebook, Twitter and LinkedIn and these features may collect information such as your IP address, which web page you are looking at on our website and may set a cookie to enable a feature to function properly. Social media features may be hosted by a third party or directly on our website. Your interactions with these features are governed by the privacy policy of the company providing them.


We hold information about our suppliers in our financial management systems for the purpose of managing our relationship with them, such as placing orders and arranging for payment to be made.  The information may also be used for internal reporting purposes. 

Subscribers to our newsletter

We send newsletter updates to individuals on the basis of their consent, through the opt-in sign up function. Your name and email address will only be used for the purpose of sending you a monthly newsletter, with tailored content based on the preferences you select. We will not disclose your personal information to third parties. You may amend your preferences or unsubscribe by opting out at any time, through the relevant links at the end of any email you receive from us.

Communicating with our distribution list

We hold a register of public sector contacts, and send this list updates at a minimum on a monthly basis, to publicise our work in the exercise of our supplementary powers, under sections 9 and 14 of the Public Audit (Wales) Act 2013. The legal basis under data protection legislation for sending these updates to our contacts list is performance of a task in the public interest.

On each email sent for this purpose, we provide individuals on the list the opportunity to raise queries or concerns by contacting our Data Protection Officer.

Access to personal information

You have a right to access the personal data that we hold about you by making a ‘subject access request’.  You will need to make such a request in writing to the Information Officer, enclosing proof of your identify (such as staff ID card, or copy of driving licence or passport) and a clear description of the information you wish to see.

Please send requests by email to:  or write to us:

Information Officer
Wales Audit Office
24 Cathedral Road
CF11 9LJ

The Information Commissioner’s Office

If you require further information in relation to your rights under data protection law or want to complain about with how we are handling your personal data you may contact the Information Commissioner at:

Information Commissioner’s Office               
Wycliffe House
Water Lane


Tel: 01625 545745
Fax: 01625 524510