Employment privacy notice

As part of our candidate application, recruitment and employment process Natural Resources Wales (NRW) collects, processes and stores personal information about you. We process this information for a range of purposes relating to recruitment process to support your application and to enable us to determine your eligibility and suitability to work with NRW; and/or to carry out our functions as an employer and to comply with certain statutory obligations. This document sets out:

  • Why we collect your personal information;
  • What information is collected and;
  • How it is processed.

Throughout this Privacy Notice we use the term “processing” to cover all activities involving your personal information, including collecting, handling, storing, sharing, accessing, using, transferring and disposing of the information.
Natural Resources Wales (NRW) is the Data Controller and is committed to protecting the rights of individuals in line with General Data Protection Regulation (GDPR).

Natural Resources Wales has a Data Protection Officer who can be contacted through dataprotection@cyfoethnaturiolcymru.gov.uk or 0300 065 3000

Application stage - what information do we collect about you?

Your application*

When you apply for a vacancy with us (whether you already work for NRW or not), you will be asked to provide personal information to support your application and to enable us to determine your eligibility and suitability to work with us. This will include the personal information we need to enable us to select the right candidate for the role, and will include name, address, date of birth, telephone number, e-mail address, past employment details including references, educational qualifications, skills, and volunteering activities. If you are successful in the employment process any personal information provided to us will then form part of your HR record which we will hold.

Diversity information*

Natural Resources Wales is a Disability Confident Employer and operates a guaranteed interview scheme for anyone with a disability as defined in the Equality Act (EA) 2010. This means that all job applicants and members of staff will receive equal treatment and that we will not discriminate on grounds of gender, marital status, race, ethnic origin, colour, nationality, national origin, disability, sexual orientation, religion or age. As part of our commitment to equal opportunities we will from time to time use information provided by you for the purposes of diversity monitoring. All such information will be used on an anonymised basis. Please click here for more information on diversity.

How will your information be used?

At the application stage your personal information on the application form will be shared internally with the following people (but does not include your Equality and Diversity monitoring form):

  • Members of the recruiting panel for assessing and progressing your application
  • Assessing your suitability (skills, qualifications and/or experience for the role)
  • Activities needed to complete the pre-employment checks should your application be successful.
  • Employees in HR who have responsibility for certain HR processes (for example recruitment, assessment, pre-employment screening);
  • Audit and Investigations employees in relation to specific audits/investigations.
  • Your Equality and Diversity form is used by HR staff to collate its information for monitoring purposes, this is collated anonymously and the original form is disposed of confidentially.

Offer Stage

At the offer stage and prior to you starting work with us, we will ask you to provide further information:

Pre-employment checks

Prior to you starting work with us or changing jobs within NRW, we will use your personal information to carry out pre-employment checks, including criminal record checks, Nationality / visa / right to work permit information; (e.g. passport, driving licence, National Insurance numbers). For more information regarding pre-employment checks, click on this link

Health Declaration

So that we can identify if you have any medical conditions which might require us to make reasonable adjustments to the post to which you have been offered. We may pass on the information to our Occupational Health Advisors, who may need to write out to your GP/specialist about any condition that you have, which we consider might affect the way we require you to work. If you are concerned about confidentiality, you may wish to enclose your completed form in a sealed envelope, to be opened only by our Occupational Health Advisor. We may need to pass the information to your Line Manager. We will ensure that they only have enough information to monitor your work and its impact on your condition.


We will ask for your bank details and national insurance number so that we can make salary payments, and pension deductions, and pay tax and national insurance contributions.

Emergency Contact

We will ask for your emergency contact details, so we know who to contact in case you have an emergency at work.

During your employment

Personal information about you will be generated throughout your employment with us. Generally, we will collect, use and hold your information for the purposes of:

  • Managing your employment with NRW including:

    • Performance management, learning and development, monitoring policy compliance, disciplinary procedures, conflict of interest, health, safety and well-being, processing salary and pay related membership.

You may be required to provide additional information during your employment for the purposes of:

  • Driving on behalf of NRW
  • Incident response and standby rotas
  • Facilities (personal identification for building security)

Who receives your information?

To administrate your employment with NRW, we will share your personal information securely and confidentially with the following external service providers who manage these functions on our behalf.

  • Disclosure Barring Service
  • Occupational Health provider
  • Pension Administrators
  • HMRC

We will ask for your written consent before providing any information to third parties regarding your employment, these include:

  • References for prospective employers
  • Financial references given in connection with a worker’s application for a mortgage/renting
  • References given in connection with legal proceedings

What is our legal basis for processing your personal data?

We will rely on your consent to process the information marked with an * above which is collected at the outset of the recruitment process.

Information and documentation to establish your right to work is processed by us as because processing is necessary for compliance with a legal obligation

Information in relation to criminal record checks, which are relevant if you get an offer of, will be processed on the basis that it is necessary for compliance with a legal obligation or consent will be obtained, if required.

In respect of health information, the basis for us processing this will depend on the circumstances but will usually be for one of the following reasons: it is necessary to protect health and safety or to prevent discrimination on the grounds of disability or where consent has been obtained, if required.

Once a position has been found for you, we will process your personal data, including financial information, Processing is necessary for the performance of a contract, to fulfil your role and to enable us to pay you, depending on the specific contractual arrangements and circumstances.

Any transfers to third countries and the safeguards in place

No personal data will be transferred outside of the EU

How long will your information be held?

In the event that your application is unsuccessful, your details will be kept for a maximum of 12 months, after which time they will be confidentially destroyed. You may remove your details at any time.

If we employ or otherwise engage you as a result of your application, your Personal Information collected by us will form part of your personnel file. This will be stored and used for purposes connected with your employment or engagement by us.

National Fraud Initiative

As a public body, we are required to protect public funds and therefore we may use your personal information in connection with the prevention, detection and investigation of fraud. This may include sharing personal information with other bodies responsible for auditing, and/or administering public funds in order to prevent and detect fraud.

As part of our fraud prevention and detection activities, we participate in the National Fraud Initiative ("NFI") which is a part of the Cabinet Office's work to help counter fraud across government by identifying and reducing losses. As part of the NFI, a biennial data matching exercise is conducted by the Auditor General for Wales to match data across organisations and systems to help public bodies identify fraud and overpayments. Since its commencement in 1996, NFI exercises have resulted in the detection and prevention of more than £35.4 million of fraud and overpayments in Wales and £1.69 billion across the UK.

Data matching exercises involve comparing sets of data, such as the payroll (including personal data), of one body against other records held by the same or another body to see how far they match. This allows potentially fraudulent claims and payments to be identified. Where a match is found, it may indicate that there is an inconsistency that requires further investigation by the relevant participating body; it is not necessarily evidence of fraud. No assumptions can be made as to whether there is fraud, error or other explanation until an investigation is carried out. Where no match is found, the data matching powers will have no material effect on those concerned.

The data we provide to the Auditor General for Wales will be the minimum needed to undertake the matching exercise, to enable individuals to be identified accurately and to report results of sufficient quality. The personal data that the Auditor General for Wales requires can be found on the Audit Wales website

As a participating body we are required to provide the personal data in accordance with the provisions of data protection legislation. The legal basis for us sharing your personal data with the Auditor General for Wales are that it is necessary for the performance of a task carried out in the public interest. The data protection legislation does not require us to obtain the consent of the individuals concerned.

The data matching exercises and the use of personal data by the Auditor General for Wales is undertaken pursuant statutory authority under Part 3A of the Public Audit (Wales) Act 2004 and data protection legislation does not require the consent of the individual concerned for processing of personal data for this reason.

As a participating body, in addition to complying with data protection laws, we must also have regard to the Auditor General’s Code of Data Matching Practice, which is available on the Audit Office Wales website. This also provides more information as to the Auditor General for Wales' powers as well as how personal data is used in a secure way.

The Auditor General for Wales's Privacy Notice tells you about how your personal information is processed in connection with the Auditor General for Wales' data matching exercises. It also sets out your rights under data protection legislation. This is available on the Audit Office Wales website at this is available on the Audit Office Wales' website.

Personal data will not be held for longer than is necessary and data retention will be in accordance with the data deletion schedule published on the Cabinet Office's website.

If you have a concern about the way that the Auditor General deals with personal data you can raise it with the Wales Audit Office Data Protection Officer by emailing infoofficer@audit.wales

or by writing to

The Complaints Manager,
Wales Audit Office,
24 Cathedral Road,
CF11 9LJ,

or phoning 02920320500.

You may also raise such concerns with the Information Commissioner (see below for further details).

What are the individual rights?

You have a right to;

  • Access your personal information,
  • Object to the processing of your personal information,
  • Rectify, Erase, Restrict.

Please visit the Data Protection webpages for further information in relation to your rights. Any requests should be made in writing to NRW’s Data Protection Officer:

Data Protection Officer,
Natural Resources Wales,
Maes y Ffynnon,
Penrhos Road,
LL57 2DW,


Security of your information

Our HR and Recruitment systems are protected to ensure that unauthorised or unlawful processing of personal information, accidental loss or destruction of, or damage to, personal information does not occur. This is done in accordance with the Policy.

How to make a complaint

If you are unhappy with the way in which your personal data has been processed you may in the first instance contact NRW’s Data Protection Officer using the contact details above.

If you remain dissatisfied, then you have the right to apply directly to the Information Commissioner for a decision.

Information Commissioner’s Office,
Wycliffe House,
Water Lane,


Last updated