Privacy Notice
To deliver our services effectively, South Wales Fire and Rescue Service (“SWFRS”) may need to collect and process your personal data. SWFRS is committed to protecting that data and this privacy notice explains how SWFRS uses personal data about you and how we protect that personal data.
This notice may be updated from time to time, to reflect the changing nature of our services.
SWFRS is a data controller for personal data and is registered accordingly with the Information Commissioner’s Office (“ICO”) who is the UK’s independent regulatory body set-up to uphold information rights, including those contained within data protection legislation. Data protection legislation includes all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR; the Data Protection Act 2018 (and all regulations made thereunder); and the Privacy and Electronic Communications Regulations 2003 as amended; and all other legislation and regulatory requirements in force from time to time relating to the use of personal data (including without limitation, the privacy of electronic communications).
Our registration number with the ICO is Z4777683 and this can be viewed on the ICO’s website.
Our Data Protection Officer is our Information Governance Manager, and they have the day-to-day responsibility for data protection and other information governance issues at SWFRS.
They can be contacted by contacting our Information Governance Team:
The personal data that we collect, and process enables us provide prevention, protection, and emergency services to the communities that we serve. We may also use some of the personal data to help us to improve our services. Examples of why we collect or otherwise process personal data includes:
If we are not provided with personal data when requested, we may not be able to provide the necessary help, support, advice, and care. It might also prevent us from putting people in touch with other organisations and services that can provide help, support, advice, and care.
Whilst we will often collect and process personal data because we have a duty or obligation that does not require consent, we would always encourage people to provide us with the personal data that we need when asked so that we can do our job.
Should you have any questions or concerns then you can contact our Information Governance Team.
The type of personal data we collect and process about individuals will vary, depending on the type of service being provided. This might include personal data about individuals such as:
This might also include special categories of personal data such as:
This might also include data relating to criminal convictions and offences or related security matters such as:
However – we will only collect or otherwise process what data we need to deliver the service being provided. Some examples of the services that we provide and examples of the types of personal data we may collect or otherwise process are provided below.
To respond to an emergency and allocate resources appropriately then we may collect or otherwise process personal data such as:
We may also collect or otherwise process special categories of personal data such as:
SWFRS operates a joint emergency services control room with staff from partner organisations – South Wales Police and Mid and West Wales Fire and Rescue Service.
When a call is made to the 999-emergency number and a request is made for the Fire and Rescue Service, the caller will be connected to the Joint Fire Control. The Fire Control operator that the caller speaks with may be from either SWFRS or Mid and West Wales Fire and Rescue Service. Operators have received extensive training to deal with calls from both Fire and Rescue Service areas and use the same incident management system.
To ensure the ongoing safety of our staff and members of the public at our locations and whilst carrying out our duties, to protect our assets, to improve situational awareness at incidents, to record evidence, to assess and monitor performance, and to aid training we may record still images (photographs), moving images (film/video), and audio, for example, via CCTV on our buildings and vehicles, body-worn video cameras on our employees, cameras and drones used at incidents, or during calls made to any of our telephone lines that are recorded.
We may collect or otherwise process personal data such as:
We may also collect or otherwise process special categories of personal data such as:
To provide our services and to fulfil our core functions as described in the Fire and Rescue Services Act 2004 and to enforce and regulate fire safety law such as the Regulatory Reform (Fire Safety) Order 2005, we provide job alerts (where you have applied to receive these), undertake recruitment exercises and process applications for employment. We may collect or otherwise process personal data such as:
We may also collect or otherwise process special categories of personal data such as:
We may also collect or otherwise process personal data relating to criminal convictions and offences or related security matters.
The personal data that is provided as part of a recruitment exercise and application process will only ordinarily be used for those purposes. The details that we hold will be the personal data that was provided on our e-recruitment application form, or that is provided to us by email or verbally as part of the application process, or personal data that we obtain during background and vetting processes such as from a previous employer and any character references, as part of disclosure and barring checks, and part of any medical that may be required for the role.
If you have chosen to complete the Equal Opportunities element of the application process, we may also hold and process personal data such as ethnic origin, sexual orientation, disability, religion and belief, and language. This personal data will be held for statistical and monitoring purposes only and will not be seen by the shortlisting or selection panels.
To provide specific advice about safety in a home we may collect or otherwise process personal data such as:
We may also collect or otherwise process special categories of personal data such as:
To provide tailored, one-to-one fire safety education for children and young people (those up to the age of 18) with fire setting behaviour, as well as support and advice for parents, guardians, and carers to help reduce deliberate fires and address fire safety concerns, we may collect or otherwise process personal data such as:
We may also collect or otherwise process special categories of personal data such as:
To provide specific advice regarding Fire Safety in a business and to enforce and regulate fire safety legislation such as The Regulatory Reform (Fire Safety) Order 2005 we may collect or otherwise process personal data such as:
We may also collect or otherwise process special categories of personal data such as:
Whilst we may record how a building is used which may indicate, for example, it is used for the purposes of healthcare – we would not ordinarily require information concerning a specific person’s health.
We may also collect or otherwise process personal data relating to criminal convictions and offences or related security matters.
SWFRS may use videos, audio, or photography by publishing them publicly for communications, attraction, and engagement purposes. This includes reasons such as education, recruitment, promotion, or community safety. Videos, audio, or photography materials may be taken, for example, at public events. We may collect or otherwise process personal data such as:
Much of the personal data will be obtained directly from you. But we may also obtain personal data from our partner services, or personal data that is already in the public domain.
SWFRS may publish videos, audio, or photography materials on the internet (such as YouTube), on other media (such as television, radio, cinema, DVDs or other hard media), on social media, the press, printed material (such as posters or other hard copy material).
Where SWFRS uses such material in the above way, it will ordinarily rely on its legitimate interest to do so where we believe it is reasonable to do so and does not impact your right of privacy. Where SWFRS relies on its legitimate interest, individuals have the right to object to such use.
We also endeavour to keep your personal data accurate and up to date, however, if you believe the personal data, we have is incorrect or you know some details have changed do let us know so that we can record those changes.
If you want to raise an objection regarding the use of videos, photographs, or audio recordings or withdraw consent where consent has been relied upon, please contact our Information Governance Team:
Whilst an objection may be raised or consent withdrawn at any time, once we publish videos, audio, or photography materials, it will have been available in the public domain, and as such SWFRS cannot guarantee materials will be fully erased from all sources.
SWFRS may conduct consultations, for example, where we have a statutory duty to do so and to help us make informed decisions about how we exercise our public functions and statutory powers. To conduct consultations, SWFRS may collect or otherwise process personal data such as:
We will process personal data to plan and conduct a consultation, and where applicable to analyse results. It is recognised that individuals may choose to identify themselves in a response to a consultation. We will though always endeavour to remove any identifying information before a report is produced and published.
Where we publish, receive requests, or are otherwise required to share personal data, this will only be done where there is a lawful basis to do so.
If you have registered to join our Stakeholder Register, you can opt-out or update your preferences at any time. Please contact our Media and Communications team:
SWFRS process information, including personal data, about the services we provide, to generate statistics. These are used to enable us to identify areas where we can improve the services we provide and/or to enable us to develop specific advice. As well as using them for our own purposes – we also receive requests, and are sometimes required, to provide information to other organisations, such as other Emergency Services, Welsh Government, Government Agencies, Health Providers and Local Authorities.
Whilst we process personal data to generate the statistics, ordinarily the actual statistics produced are anonymous. Where we receive requests or are otherwise required to share statistical data that is not anonymous, this will only be done where there is a lawful basis to do so.
To generate statistics, we may collect or otherwise process personal data such as:
We may also collect or otherwise process special categories of personal data such as:
Where personal data is requested only for statistical purposes, it is optional for you to provide it (which will be explained to you at the time).
Often, the personal data is provided by you – for example when you contact us by telephone, fill in one of our online forms or when we visit you at home or at your place of business.
Sometimes it may be provided by:
Some personal data is voluntary, but it may affect the service that we provide if this personal data is not provided. Some personal data may be collected automatically, such as by our incident management system what may collect the phone number you are calling from and your location.
The personal data that we hold enables us to undertake prevention, protection, and provide emergency services to the communities that we serve. We may also use some of the personal data to help us to improve our services.
You can find examples of what personal data we collect and where we collect it from above.
Whilst we will often collect and process your personal data because we have a duty or obligation that does not require your consent, we would always encourage you to provide us with the personal data that we need when asked so that we can do our job. Should you have any questions or concerns then you can contact our Information Governance Team.
If you do not provide us personal data when requested, we may not be able to provide you with the necessary help, support, advice, and care. It might also prevent us from putting you in touch with other organisations and services that can provide you with help, support, advice, and care.
For us to process personal data, we must have a legal basis to do so – these are defined in data protection legislation. The legal basis will differ depending on the service we are providing or specific activity we are undertaking. We collect and process your personal data based on one or more the following basis / reasons:
We will not reuse your personal data for a new purpose other than for what it was originally collected, unless the new use is compatible with the original purpose for which the personal data was collected, we have notified you of the new use and given you a reasonable opportunity to object to it, or the new use is otherwise permitted or required by law.
For us to process special categories of personal data, we must also have an additional condition for processing which does not necessarily have to be linked.
Where we process special categories of personal data, the condition for processing will differ depending on the service we are providing or specific activity we are undertaking. We collect and process your special categories of personal data based on one or more the following conditions:
Reasons of substantial public interests include:
For us to process criminal convictions and offences or related security matters, it must either be under the control of official authority, or we must also satisfy a condition for processing which includes:
SWFRS has an Appropriate Policy Document in place setting out how we will protect Special Categories of Personal Data and Criminal Convictions Data, which supports our Corporate Policy on Information Management, Data Protection Procedure, and Privacy Notices. This meets the requirements of the Data Protection Act 2018 that an appropriate police document be in place where Processing Special Categories of Personal Data and Criminal Convictions Data in certain circumstances. It explains SWFRS’ processing and satisfies the requirements of Schedule 1, Part 4, Data Protection Act 2018.
SWFRS has general powers under Section 5A of the Fire and Rescue Services Act 2004 that does enable us to do anything which we consider appropriate for the purposes of carrying-out any of our functions, or anything incidental to them. These general powers would include the collection and processing of personal and sensitive personal data to fulfil those functions.
The personal data held by the SWFRS may be accessed by authorised SWFRS staff who need it to undertake their role. This may be staff across a variety of departments and locations, however, as stated, controls are in place to ensure staff only have access to the personal data relevant to their role.
For example, the personal data you provide within your application form may be accessed by any member of our Recruitment and Assessment Team, and, if required by other members of our wider HR department. It will also be provided to members of the Shortlisting and Interview Panel, as part of the selection process.
Whilst most of our work is done by our staff, we do use third-party service providers to perform certain functions on our behalf. It may also be necessary for us to share data with other organisations to fulfil our responsibilities such as during emergencies, major incidents, or in the interests of public safety.
Where we work with any third-party, they too have legal obligations to protect your data. However, where appropriate, SWFRS will carry out a variety of checks and have agreements in place to ensure that your data is given an adequate level of protection. Where we need to share your data with other organisations, we will do so electronically (where possible) to ensure that it is accurately and communicated quickly. We will always ensure that any transfer of personal data is done so appropriately and securely.
We have listed below examples of the categories of organisations with who we might share data:
We will not share your personal data with external organisations or partners for any commercial use without your prior consent.
It may sometimes be necessary to transfer your personal data outside of the United Kingdom or outside of the European Economic Area, particularly recognising that IT Service, Support and Data storage is increasingly based globally.
Any transfers will be in full compliance with applicable data protection legislation, ensuring appropriate safeguards are in place.
For example:
We use cookies to make our website work. We also use cookies to help us improve it and the site also has third party cookies that result from content embedded into our site. By continuing to use the site you agree to the use of cookies. Please see below for further information on managing your cookie preferences.
What is a cookie?
A cookie is a small file that can be placed on your device that allows us to recognise and remember you. It is sent to your browser and stored on your computer’s hard drive or tablet or mobile device. When you visit our site, we may collect information from you automatically through cookies or similar technology.
What types of cookies do we use?
1. Necessary cookies
Necessary cookies help make the website work. They enable core functionality such as security, network management, and accessibility. Without these cookies the website will not function properly.
2. Analytics cookies
We use Google Analytics cookies to help us to improve our website by collecting and reporting information on how you use it. The cookies collect information in a way that does not directly identify anyone.
3. Third party cookies
This includes cookies from sites such as YouTube, in videos embedded on our site from our YouTube channels, where cookies are set on your computer once you click on the YouTube video player.
To find out more about cookies, visit https://www.aboutcookies.org/ and https://allaboutcookies.org/.
It is possible to stop your browser from accepting cookies by changing your browser’s cookie settings. You can usually find these settings in the “options” or “preferences” menu of your browser.
To find out how to manage cookies on popular browsers, visit:
You can switch some cookies off through Your Online Choices. You may need to do this again each time you use a different IP address or device.
To opt out of being tracked by Google Analytics across all websites, visit: http://tools.google.com/dlpage/gaoptout
Our data retention periods are based on trigger events such as when the data was originally collected, when consent was given, the completion of a report, the last action or update that occurred on a record, and the end of a financial year. There are a number of factors that we consider when determining how long we keep your personal data such as legal requirements including our need to defend or take legal action, administration requirements to conduct our day-to-day functions, accountability, good governance, and transparency, and best practice.
We will not keep your personal data for any longer than is necessary for the purpose that it was originally collected, unless a longer retention is compatible with the original purpose for which the personal data was collected, we have notified you of the longer retention and given you a reasonable opportunity to object to it, or the longer retention is otherwise permitted or required by law.
Where required, we will endeavour to keep your personal data accurate and up to date. However, if you believe the personal data, we have is incorrect or you know some details have changed, please let us know so that we can record those changes.
SWFRS are committed to ensuring that all our information, including personal data, is held safely.
Much of our information is recorded and held on electronic/computer systems. These are protected by security measures to prevent unauthorised access. The systems that hold personal data have higher access level controls.
This is supported by having secure work areas, as well as staff training, guidance, and procedures to ensure that everyone is aware of the importance of looking after personal data.
This combination of measures helps us to ensure that your personal data cannot be seen, accessed by, or disclosed to, anyone who should not see it.
If we are disposing of information, we will make sure that we do so in a secure way. Electronic information is deleted from our systems, any paper copies of information are stored securely then shredded on site.
You have a legal right to request a copy of the data that we hold about you, unless subject to an exemption. Your request will be dealt with in line with data protection legislation.
We want to make sure that your personal data is accurate, and you have the right to request we correct or remove data which you think is inaccurate.
You have the right to withdraw your consent to the processing of your personal data where we are relying on consent as the legal basis. You have the right to object to the processing of your personal data where processing is based on legitimate interests, the performance of a task carried out in the public interest or in the exercise of official authority vested in us as a fire and rescue service.
You also have the right to ask for any personal data to be deleted – this will only be where the personal data is inaccurate, incorrect and/or where there is no legal basis for us to retain it.
For further information as to your individual data rights, please see the ICO website.
To exercise your personal data rights, or if you have any questions or concerns regarding our use of personal data, please contact our Information Governance Team:
Please note that when exercising your personal data rights, you will only be entitled to do so in relation to your personal data. For example, when making a data subject access request, you will only be entitled to personal data that is about you as an individual. Any references to other people, or information that is not about you will ordinarily be removed from any documentation provided (however, this will be clearly shown and explained).
If you are seeking to exercise the personal data rights of another person, we will require clear, written consent from that person. We will require identification from that person too – as well as proof of their address, or your address, if that is where they wish the response and any relevant documentation to be sent. They will only be entitled to personal data that is about them as an individual – any references to other people or information that is not about them will be removed from any documentation provided (however, this will be clearly shown and explained).
We will respond to your request as soon as possible and, in any event, normally within 1 calendar month, starting on the day that we receive the request. This is even when that falls on a weekend or public holiday. However, if the end date falls on a weekend or public holiday, the calendar month for reply ends on the next working day. Additionally, if the corresponding calendar date does not exist because the following month has fewer days, it is the last day of the month.
If your request is of a complex nature or you make more than one request, we may extend the time period by a further two calendar months to a maximum of three calendar months.
Our legal basis for processing your request, and your personal data in this context, is the fulfilment of a legal obligation (Article 6(1)(c) of the UK GDPR). In this case the legal obligations contained within data protection legislation. If you provide us or we need to process any personal data that is classed as special category data in fulfilling your information request, it would be for reasons of substantial public interest (Article 9(2)(g) of the UK GDPR), namely safeguarding your statutory data rights (Schedule 1 part 2(6) of the Data Protection Act 2018).
In addition, we will use your personal data for secondary reasons such as to coordinate your request and even to request advice and support. For example, we will record the details of your request in our database. This will normally include your name, contact details, and other information you have given us. We will store a copy of the information that falls within the scope of your request. We may use this information to compile and publish statistics showing information such as the number of requests we receive, but not in a form that identifies anyone.
In relation to the secondary reasons listed above, the legal basis is processing that is necessary for the performance of a task caried out in the public interest or in the exercise of official authority vested in us.
Incident and Fire Investigation Reports
SWFRS is entitled to charge for certain services by way of Section 18A of the Fire Services Act 2004. SWFRS charges for access to more comprehensive and detailed information regarding incidents that have been attended, as is common practice among fire and rescue services.
As incident information is reasonably accessible by other means, even though it is accessible only on payment, requests for Incident or Fire Investigation Reports under the Freedom of Information Act 2000 will be refused under Section 21 (i.e. information accessible to an applicant by other means), and as this exemption is absolute it is not subject to a public interest test.
This approach to charging by fire and rescue services has been reviewed and approved by the Information Commissioner’s Office as evidenced by Decision Notice FS50859031.
Personal data in Incident and Fire Investigation Reports is often limited and ordinarily relates to any victims that may have been injured at an incident. Normally, we can only disclose information to the occupier of a property, driver of a vehicle or someone operating a business at a premises at the time of an incident. However, we understand that often it is the landlord/letting agent or insurers who will request the report – in those cases, we can release the report, provided we have the consent of those individuals. If there are multiple persons involved with an incident, we require consent from all individuals to release an unredacted version, should it contain their personal data – or another legal basis to disclose their personal data. This is essential, in order to comply with data protection legislation and to protect unwanted intrusions into people’s privacy.
Under data protection legislation individuals are only entitled to a copy of their own personal data. It does not entitle them to a copy of original documents, or information that does not relate to them as an identified individual.
If you are looking to request an incident or fire investigation report, please see Incident and Fire Investigation Reports for more information.
If you are dissatisfied with the handling of your personal data or how we have responded to a request to exercise your data subject rights, you have the right to request an internal review. An internal review will consider whether your personal data and/or request were handled appropriately, in line with applicable data protection legislation.
Internal review requests should be submitted to the Information Governance Manager, who also holds the position of Data Protection Officer, by using the contact information above. Internal reviews will be conducted by the Senior Information Risk Owner (SIRO) or Deputy. We aim to respond within twenty working days of the receipt of the request for an internal review.
If you are dissatisfied with the outcome of the review, then you may seek a review by the Information Commissioner’s Office (“ICO”), which has the powers to uphold or overturn the decision. Please see ICO contact information below. SWFRS will abide by the decisions of the ICO unless it considers itself to have grounds for an appeal to the First-Tier Tribunal (Information Rights).
Please be aware that the ICO will be unlikely to accept a complaint until you have first been through our internal complaints / review procedure first.
Last Updated: 15th May 2024