Privacy notice relating to the processing of personal data by Rhondda Cynon Taf County Borough Council for the purpose of the Cwm Taf Morgannwg Multi Agency Safeguarding Hubs
This privacy notice is intended to provide information about how Rhondda Cynon Taf County Borough Council (referred to as ‘RCTCBC’, ‘Council’, ‘Local Authority’, ‘we’) will use (or ‘process’) personal data about individuals for the purpose of the Cwm Taf Multi Agency Safeguarding Hub and Bridgend Multi Agency Safeguarding Hub (MASH) (jointly known as the Cwm Taf Morgannwg Multi Agency Safeguarding Hubs)
Whilst we have tried to make this privacy notice as clear and concise as possible, the categories of personal data we process may vary depending on person of concern. This notice should be read in conjunction with;
The Data Controller
The Council is a data controller for the personal data processed for the purposes of the MASH.
The Council is registered with the Information Commissioner’s Office (ICO) as a controller under reference Z4870100.
Queries relating to this privacy notice
If you have any questions or queries relating to this privacy notice please contact the service on:
By email : firstname.lastname@example.org
By telephone : 01443 490122
In writing : Safeguarding Board Business Unit, Ty Catrin, Martime Industrial Estate, Pontypridd, CF37 1NY
Who we are what we do
The Cwm Taf Multi Agency Safeguarding Hub and Bridgend Multi Agency Safeguarding Hub (often referred to as MASH) are the single point of contact for professionals (such as social workers, care and support staff, teachers or doctors), to report safeguarding concerns about adults at risk and children across Cwm Taf Morgannwg.
The MASHs are a partnership between the following organisations and agencies:
- Rhondda Cynon Taf County Borough Council
- Merthyr Tydfil County Borough Council
- Bridgend County Borough Council
- South Wales Police
- Cwm Taf Morgannwg University Health Board
- Probation Service
If there is a risk of harm to an adult at risk or child, partner organisations work together to make informed timely decisions about what action to take and the appropriate support required to protect the most vulnerable from harm, neglect and abuse.
Whose personal data we process
We may process personal data relating to the following individuals if a referral has been made to the Hub:
- Person of Concern (Adult or Child)
- Suspected Perpetrator(s)
- Family Members such as parents, next of kin or carers
- Anyone living at the same property, if it is believed they are also at risk
- Person who raised the concern, i.e professionals or members of the public
The categories of personal data we process
The type of information we process will vary depending on the nature of the referral, but will typically include:
Person who is at risk:
- Personal Identifiers such as Name, D.O.B, Address, Telephone Number, NI Number, WCCIS Number, Health Number.
- Ethnicity, Nationality, Race, Sexual Orientation, Gender
- Details of any previous involvement with the organisations listed above.
- Health Information i.e disability, sex life, GP practice
- GP / Social Worker details
- Domestic violence history
- Alleged / Previous convictions
- Risks to other
- Victim concerns
Professional reporting the concern (please note professionals are unable to remain anonymous when reporting a concern):
- Personal Identifiers such as name, Job Title, Organisation, Email Address
- Relationship to adult or child.
- Personal identifiers such as Name, D.O.B, Address, Telephone Number
- Gender, Ethnicity, Race, Sexual Orientation
- Relationship to adult or child
- Alleged / Previous Convictions
Family Members or those that live in the same property
- Personal identifiers such as Name, D.O.B, Address, Telephone Number, Email Address
- Relationship to the person at risk / parental responsibility
- Gender / Ethnicity / Race
Professional’s involved with the person at risk
- Personal Identifiers such as name, Job Title, Email Address
- Organisation / Department
- Relationship to adult or child i.e Social Worker
Why we process the personal data
We process the personal data to support adults and children at risk. This may include but is not limited to the following activities;
- To respond to any incidents reported to the hub,
- To Hold a ‘Multi Agency Strategy Discussion’. At the meeting all relevant information gathered from partner agencies will be reviewed to determine the most appropriate course of action and to support the most urgent cases.
- To Feedback to the person who has reported the concern.
Our lawful basis for processing the personal data
Under the General Data Protection Regulation (GDPR), our lawful basis for processing the personal data is:
- Legal Obligation Article 6 (c) – processing is necessary for compliance with a legal obligation to which the controller is subject.
- Public Task - Article 6 (e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Substantial public interest - Article 9 (2) (g) - processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
- Schedule 1, Part 2, Paragraph 18 Data Protection Act 2018.
The primary legislation, regulations and guidance that supports this includes, but is not limited to;
Who or where we get the personal data from
We may receive the personal data from the following categories of individuals or organisations;
- The person at risk
- A family member or friend of the person who is at risk
- A concerned member of the public
- A professional such as social worker, teacher, GP etc
Who we share personal data with
For concerns that meet the serious harm criteria information will be shared between the partner organisations within the MASH as listed above.
Once a Multi-Agency Strategy Discussion has taken place and the most appropriate course of action determined, referrals may be made to a number of internal and external support services such as:
When sharing the personal data, we only share the minimum amount necessary in relaton to the purpose. The information shared and who it is shared with will depend on the nature and severity of the concern and the organistions and agencies involved in supporting the adult or child at risk.
Children Services - Intake and Assessment Teams
To provide the appropriate support for children at risk
Adult Services - Short or Long Term Assessment and Care Management Teams
To provide the appropriate support for adults at risk
Care and Support Providers
To provide the appropriate support for children and adults at risk
Independent Domestic Violence Advocates
To provide high-risk victims of domestic abuse with a tailored and person centred safety support plan.
A data processor is a company or organisation that processes personal data on our behalf. Our data processors act only upon our instruction. They cannot do anything with the personal data unless we instruct them to do so. They will not share the personal data with any organisation apart from us or use it for their own purposes. They will hold it securely and retain it for the period we instruct.
The categories of data processors we use for the purpose of MASH are
- Goss Interactive Ltd – IT System
How long we retain the personal data
We retain the personal data contained within MASH records for:
Length of time
Children Safeguarding Concerns will be retained for 75 years from the childs D.O.B.
Adult Safeguarding concerns will be retained for a minimum of 7 years from the date any social care service ends.
In keeping with the General Data Protection Regulation storage limitation principle, records are periodically reviewed. Not all personal data is retained. Only personal data that is relevant to the record is retained for the entire retention period Information that has no long term or evidential value is routinely destroyed in the normal course of business.
Your data protection rights
The General Data Protection Regulation (GDPR) gives individuals important rights, including the right of access to the personal data that the Council holds about you.
Click here for further information on your information rights and how to exercise them.
Your right to make a data protection complaint to the Council
You have the right to complain to the Council if you believe we have not handled your personal data responsibly and in line with good practice.
You can do this by contacting the the Cwm Taf Morgannwg Safeguarding Board Business Unit. Most concerns can be resolved relatively quickly through a simple phone call or email;
- By telephone : 01443 490122
- In writing : Safeguarding Board Business Unit, Ty Catrin, Martime Industrial Estate, Pontypridd, CF37 1NY
Alternatively, you can raise a formal complaint via the Council’s Customer Feedback Scheme using the following link (Make a comment, compliment or complaint online) or you can contact the Council’s Data Protection Officer at Information.email@example.com.
Your right to make a data protection complaint to the ICO
You also have the right to complain to the ICO if you are unhappy with how we have used your data. However, we encourage you to contact us first and provide us with an opportunity to look into your concern and put things right.
The ICO can be contacted:
- Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Helpline number: 0303 123 1113
- Website: https://www.ico.org.uk