Privacy Policy

Last updated: 22 April 2021

About Us

Media Academy Cymru (MAC) is a not-for-profit, voluntary, children and young peoples’ organisation. Our innovative, diverse and multi-award winning programmes include criminal justice diversion, family mediation and non-formal education. We deliver projects in partnership with a number of statutory organisations, including Police, Local Authorities and Welsh Government. Our mission is “working restoratively through media and creative approaches, delivering localised solutions that engage and empower individuals with the skills and self-esteem to succeed and make a positive contribution to Welsh society”.  

MAC is committed to safeguarding privacy and will, at all times, when handling personal information, comply with the rights of privacy and respect for personal and family life as set out in Article 8 of the Human Rights Act 1998 unless there is a lawful, necessary and proportionate need to interfere with these rights. 

MAC is registered with the ICO as an organisation that processes personal information. The data controller at MAC is Nick Corrigan (Director), who has overall responsibility and accountability for data protection and its implementation.  

MAC is also Cyber Essentials certified, demonstrating our commitment to IT data security. 

Contact Us

If you have any questions about this privacy information, or wish to exercise your data protection rights, please contact us: 


Post: Media Academy Cymru, 12 Coopers Yard, Curran Road, Cardiff, CF10 5NB 

Tel:  02920 667 668 


What information we collect and why we process it 

MAC may process your personal data for a number of reasons, including (but not limited to): 

  • Providing our services and communicating with individuals accessing our services 
  • Subscriptions for promotional email notifications and/or newsletters 
  • During the recruitment process and employment relationship 
  • Dealing with communications sent to us
  • For the establishment, exercise or defence of legal claims 
  • Compliance with legal obligations 
  • In order to protect the vital interests of any person

The majority of information we collect is via completion of MAC prescribed forms, including referrals, application forms, employment documentation, children and young people assessments, project feedback and project participation agreements. This is normally done through face-to-face interviews, where the reason for data collection is clearly explained and explicit consent obtained whenever necessary. 

In some cases, personal data is collected from third parties (e.g. Youth Offending Service or Police, references and DBS checks). Information will be treated confidentially and with data sharing agreements in place as necessary. 

MAC will, whenever it is the most appropriate legal basis, seek clear and concise consent from individuals to process their data by positive opt-in. MAC will ensure it keeps consent under review and make it easy for individuals to withdraw consent. If consent is not the most appropriate lawful basis for processing, another lawful basis will be considered. This is likely to be in order to comply with legal obligations (e.g. HMRC or Health & Safety records), to perform a contract or through an identified legitimate interest (e.g. seeking legal advice on an employment issue).

MAC will obtain consent to legitimise the collection and/or processing of special category data (e.g. race, religion, political views and health data). MAC also processes criminal offence data in an official capacity, in order to meet the obligations of its criminal justice project contracts (e.g. Youth Offending Service and Police). 

MAC Website

Our website uses cookies. Cookies are text files with small pieces of data primarily used to identify users and improve the web browsing experience.   

The below table illustrates all cookies which are used when a user accesses the MAC website. 

Cookie DescriptionDurationType
YSCThis cookie is set by Youtube and is used to track the views of embedded videos.SessionPerformance
langThis cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.SessionFunctional
IDEUsed by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.1 year 24 daysAdvertisement
test_cookieThis cookie is set by The purpose of the cookie is to determine if the user’s browser supports cookies.15 minutesAdvertisement
VISITOR_INFO1_LIVEThis cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.5 months 27 daysAdvertisement
cookielawinfo-checkbox-advertisementThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category “Advertisement”.1 yearNecessary
BIGipCookieRegisters which server-cluster is serving the visitor. This is used in context with load balancing, in order to optimise user experience.3 minutesNecessary
DcLcidThis is used to store the language preference of the user 3 monthsFunctional
PIE1-ARRAffinityUsed to distribute traffic to the website on several servers in order to optimise response times.SessionNecessary
PNL1-ARRAffinityUsed to distribute traffic to the website on several servers in order to optimise response times.SessionNecessary
cookielawinfo-checkbox-otherscookielawinfo-checkbox-othersThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category “Other.11 monthsNecessary
cookielawinfo-checkbox-analyticsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category “Analytics”.11 monthsNecessary
cookielawinfo-checkbox-performanceThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category “Performance”.11 monthsNecessary
cookielawinfo-checkbox-functionalThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category “Functional”.11 monthsNecessary
cookielawinfo-checkbox-necessaryThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category “Necessary”.11 monthsNecessary
viewed_cookie_policyThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.11 monthsNecessary

Information sharing

For sharing of information in all its criminal justice project, where we gain and share information with third parties MAC will ensure that data sharing procedures are understood by each stakeholder and that individuals (or their parent/guardian) sign to state they have understood and agree to share with such partners.  Some of this information sharing is statutory and covered by the requirements under the Crime and Disorder Act (1998).

Any contracts with third parties will stipulate that any breach of Data Protection by an individual company partner processing personal data on behalf of MAC will be deemed to be a breach of contract.

MAC will gain explicit consent from individuals, via an information sharing agreement, in order to share personal information with universal support services. This will either be directly with MAC or agencies we work closely with.

MAC will only share personal information without explicit consent in exceptional circumstances and with the Director’s prior authorisation (e.g. where a child is potentially at immediate risk of significant harm). Limited confidentiality will always be clearly explained to all participants on their introduction to MAC and its services.

MAC shares some data with third parties that process data on our behalf. For example, in connection with the MAC workplace pension. Data submission in this instance is via a secure connection that encrypts data during the connection. MAC will ensure there are adequate security measures in place whenever asking third parties to process data on our behalf.

All statistical, analytical and research work is carried out in a way that ensures individuals cannot be identified.

MAC does not transfer any data to countries outside the European Economic Area.

How long we keep information

MAC will only keep personal data that we process for any purpose for as long as it is necessary for that purpose. This will vary depending on the reason for processing (e.g. to deliver a service or during the course of an employment relationship). We may also retain personal data where such retention is necessary for compliance with a legal obligation. Wherever possible, MAC will, as far as possible, be transparent with its retention periods at the initial point of collection/processing.  MAC’s data retention schedule outlines retention periods and disposal procedures.

Keeping Information Safe

MAC takes the security of personal data seriously and has processes and controls in place to try to ensure data is not lost, accidently destroyed, misused or disclosed.

Data within MAC is stored in a range of places, including hard copy personnel files, IT systems, case files, case management systems and HR management systems. 

HR personnel files and all archived information is stored in lockable cabinets, with access limited to the HR Manager or other authorised staff. 

All IT systems are adequately password protected, with access limited to authorised personnel. All employees and volunteers are given reasonable instruction to understand their responsibilities in complying with security measures in place (e.g. passwords and locking devices when leaving desk.)

Any other paper files, records or documents containing personal information are kept in a secure environment (e.g. lockable cabinets).

Your rights

All data subjects, including MAC employees and service users, have a number of rights. They are:

  • The right to be informed – individuals must be informed about the collection and use of their personal information (‘privacy information’)
  • The right of access – individuals can request, verbally or in writing, to access their own information free of charge within one month of the request
  • The right to rectification – individuals can request that any incorrect personal date is rectified or completed if it is incomplete
  • The right to erasure – individuals have the right ‘to be forgotten’ This only applies in certain circumstances. For example, the right would not apply if there were a need to comply with a legal obligation.
  • The right to restrict processing – individuals can exercise this right if, for example, there are issues over the accuracy of their data, or the data was unlawfully processed.
  • The right to data portability – individuals have the right to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way without affecting its usability.
  • The right to object – individuals have the right to object to the processing of their data in certain circumstances (e.g. direct marketing)
  • Rights related to automated decision-making, including profiling (making a decision solely by automated means without any human involvement) – MAC does not undertake any automated decision-making. 

Individuals can access their rights in relation to their personal data by notice to MAC’s data controller.

Further policies relating to this privacy notice (available on request) include MAC’s Data Protection Policy and Storage and Retention Schedule.


If any individual believes that MAC has not complied with their data protection rights, a compliant can be raised with MAC’s Director and data controller, Nick Corrigan via email:

If you have any further concerns please contact the Information Commissioner’s Office:

Information Commissioner’s Office – Wales
2nd Floor, Churchill House
Churchill Way
CF10 2HH

Tel: 0330 414 6421