Skip to main content

Privacy Policy

West Midlands Combined Authority (WMCA) is committed to protecting the privacy and security of those with whom we interact. We recognise the need to respect and protect information that is collected or disclosed to us. This notice is intended to tell you how we use any personal information you may provide as part of our Thrive at Work Programme, and related research or studies we may undertake.

Who we are

WMCA is a data controller. This means that we have to look after all the personal information we hold and make sure that we do this appropriately, correctly and safely.

We promise to respect the confidentiality and sensitivity of the personal information that you, provide to us; that we get from other organisations; and that we share with other collaborating organisations. We will be clear with you when we collect your information how we intend to use it, and we will not do anything with your personal information that you wouldn’t reasonably expect.

We are committed to handling data fairly and lawfully and take our data protection obligations seriously. We will only process information in compliance with applicable laws including the Data Protection Act 2018 and General Data Protection Regulation 2016/679 (“GDPR”).

What personal data we will collect

For the purposes of this Privacy Notice "Personal Information" consists of any information that relates to you and/or information from which you can be identified, directly or indirectly.

The type of personal information collected and used will be restricted to fulfilling the objectives of the Thrive at Work Programme and any related research. We will only collect information proportionate to achieving those objectives. Details that are not necessary will not be asked for or collected.

We may process some information about you that is considered to be ‘sensitive’, this is called ‘special category’ personal data. It includes information concerning your ethnicity; sexual orientation; gender identity, your religious beliefs; or details about your health. These types of personal information require additional protections. Access to, and the sharing of, this more sensitive personal data is subject to strict security, and controlled very carefully.

Basis of processing data

Processing information (data) includes collecting the information from you, or a third party and everything else we may use it for, or do with it. We will only process information if we have a legal ground to do so. For our work on the Thrive at Work Programme and any related research this will be:

  • for the performance of a contract we have entered into with you or,
  • because we have obtained your express consent to take part in this Programme

How we collect your personal data

We may collect information through our Thrive at Work website, by surveys or questionnaires provided to you, and during face-to-face meetings.

Other information may be collected from third parties, such as your employer.

Use of Cookies

We also obtain information through the use of technology, such as Cookies, when you use our website, and to allow you to access restricted areas of the website without entering your personal details each time.

A 'cookie' is a small text file that's stored on your computer, smartphone, tablet, or other device when you visit a website or use an app.

Some of the cookies are necessary for the functionality of the website and they are deleted from your device once you close your browser. These are known as session cookies. Others remain on your device until they expire or you delete them from your cache. These are known as persistent cookies and enable us to remember things about you as a returning visitor.

We use session and persistent cookies to distinguish you from other users. This information helps us to provide you with a good experience when you browse our website and it also allows us to improve our website accordingly.

We also use analytical cookies. They allow us to recognise and count the number of visitors and to see how visitors move around the website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.

If you want to restrict or block the cookies we set, you can do this through your browser settings. The ‘help’ function within your browser should tell you how.

If you delete cookies relating to this website we will not remember things about you, including your cookie preferences, and you will be treated as a first-time visitor the next time you visit the site.

We use cookies (and other similar technologies) to:

  • Provide services that you request and to provide a secure online environment
  • Manage our relationship with you
  • Give you a better online experience and track website performance
  • Help us make our website more relevant to you

Essential cookies we use include:

  • NET_SessionId

This cookie is deleted when you close your browser. Session ID explanation

  • Performance Cookies: tracking website performance

These cookies collect aggregated information and are not used to identify you.

We use this type of cookie to understand and analyse how visitors use our online services and look for ways to improve them. For example, a cookie might tell us that lots of people give up on an application process at a particular step – so we can try to make that step easier to complete.

The analytics cookies we use include:

  • Google Analytics, which uses cookies to help us analyse how our visitors use the site. Find out more about how these cookies are used on the Google privacy site.
  • Adobe Analytics, to improve our websites and services. This service and the cookies it uses help us understand the popularity of our content and make better consumer experiences
  • Functionality cookies: giving you a better online experience

These cookies remember your preferences and tailor the website to provide enhanced features. Without these cookies, we cannot remember your choices or personalise your online experience.

We use this type of cookie to:

  • Make your online experience faster by remembering you between visits on your personal devices
  • Remembering relevant information as you browse from page to page to save you re-entering the same information repeatedly
  • Provide enhanced features, such as playing videos or allowing you to post a comment.

We will not use cookies to collect personal identifiable information about you and we recommend that you allow the use of cookies. However, if you wish to restrict or block the cookies which are set on the Thrive at Work website, or indeed any other WMCA website, you can do this through your browser settings. The Help function within your browser should tell you how.

For more information about ‘cookies’ and how to reject them, please see the Interactive Advertising Bureau’s website.

How we will use your personal information

We may use the Personal Information we collect for the following purposes:

  • To administer and manage the Thrive at Work Programme
  • To maintain records the Thrive at Work Programme
  • For research and analysis
  • To deliver the Thrive at Work Programme

What safeguards do we have in place to protect your personal information?

In order to protect your rights and freedoms when using your personal information for research and, to process special category information we have special safeguards in place to help protect your information, including:

  • Policies and procedures that tell our staff and partner organisations how to collect and use your information safely.
  • Training which ensures our staff and partner organisations understand the importance of data protection and how to protect your data.
  • Security standards and technical measures that ensure your information is stored safely and securely.
  • All research projects involving personal data are scrutinised and approved to ensure the highest standards of research ethics.
  • Contracts with any partner organisations assisting WMCA in the delivery of our Thrive at Work have confidentiality and data protraction clauses to set out each party’s responsibilities for protecting your information.
  • We carry out data protection impact assessments on high risk projects to ensure that your privacy, rights as an individual or freedoms are not affected.
  • If you’re personal information is transferred outside the European Economic Area (EEA) WMCA we will ensure that safeguards are in place to protect it to the same standard we apply. We will ensure that any transfer only takes place if:
    1. The European Commission has decided that the country or the organisation we are sharing your information with will protect your information adequately
    2. The transfer has been authorised by the relevant data protection authority; and/or
    3. We have entered into a contract with the organisation with which we are sharing (on terms approved by the European Commission), to ensure your information is adequately protected.
  • We will ensure that any research does not cause damage or distress (e.g., physical harm, financial loss or psychological pain).
  • We will ensure that any research is not carried out in order to do or decide something in relation to an individual person.

Who will my personal information be shared with?

WMCA will under contractual agreements partner with specialist partners to deliver the Thrive at Work Programme. These third parties are known as data processors and when we use them we have contractual terms, policies and procedures to ensure confidentiality is respected. WMCA remains responsible for your personal information as the Data Controller, and we will ensure partner organisations meet strict data protection standards and your information and privacy is protected.

Your information is likely to be shared within the project team, primarily in a way that we can identify you as a participant. However wherever possible, and including between partner organisations, most personal information will be de-identified before sharing to ensure you cannot be identified.

Any research or outcomes published more widely will be anonymised and not identify any person.

How long is my information kept?

We will retain personal information for as long as necessary to fulfil the purposes for which it has been collected. When your personal information is no longer required for the purpose it was collected or as required by applicable law, it will be securely and confidentially deleted.

Marketing communications

We will only use your personal information to send marketing communications if you have provided your explicit consent to receive such communications.

Your rights

We will collect, store and process your personal information in accordance with your rights under Data Protection Laws. Under certain circumstances, you have the following rights in relation to your Personal Information:

  • Subject Access – you have the right to request details of the personal information which we hold about you and copies of such personal information.
  • Right to Withdraw Consent – where our use of your personal information is based upon your consent, you have the right to withdraw such consent at any time.
  • Data Portability – you may, in certain circumstances, request us to transmit your personal information directly to another organisation or provide it in a format which supports data portability.
  • Rectification – we want to ensure that the personal information about you that we hold is accurate and up to date. If you think that any information we have about you is incorrect or incomplete, please let us know. To the extent required by applicable laws, we will rectify or update any incorrect or inaccurate personal information about you.
  • Erasure (‘right to be forgotten’) – you have the right to have your personal information ‘erased’ in certain specified situations.
  • Restriction of processing – you have the right in certain specified situations to require us to stop processing your personal information and to only store such personal information.
  • Object to processing – You have the right to object to specific types of processing of your personal information, such as, where we are processing your personal information for the purposes of direct marketing.

We will not use your personal data to make any automated decisions.

If you wish to enforce any of your rights under Data Protection Act, then please contact us at:


Address: Data Protection Officer.16 Summer Lane, Birmingham, B19 3SD


If you wish to raise a complaint on how we have handled your personal information, you can contact our Data Protection Officer who will investigate the matter. Contact details are:


Address: Data Protection Officer. 16 Summer Lane, Birmingham, B19 3SD

We hope that we can address any concerns you may have, but if you remain unhappy you can you can contact the Information Commissioner’s Office (ICO).

Questions regarding our Privacy Policy should be addressed to the Data Protection Officer at The West Midlands Combined Authority, 16 Summer Lane, Birmingham B19 3SD. Or