The Scottish COVID-19 Inquiry
1.1 This Privacy Notice explains how the Scottish COVID-19 Inquiry (the ‘Inquiry’) will collect and handle your personal information.
Personal information is information that relates to a living person who can be identified either directly or indirectly from the information held.
Special category information is information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetics or biometrics, health, an individual’s sex life or sexual orientation.
Criminal offence data is personal information relating to criminal actions, accusations, investigations, and legal action or related security measures.
When information is accidentally or deliberately destroyed, changed, lost or looked at by someone who shouldn’t see it, it is called a personal data breach.
2. Who are we?
2.1 The Inquiry is an independent statutory public inquiry set up by Scottish Ministers under the Inquiries Act 2005 to examine the handling of the COVID-19 pandemic in Scotland. Our Terms of Reference https://www.covid19inquiry.scot/terms-reference set out what we can investigate.
2.2 We are registered as a Controller with the Information Commissioner’s Office (registration number ZB298759) and must comply with data protection law.
2.3 We have appointed a Data Protection Officer (‘DPO’):
Harper Macleod LLP
45 Gordon Street
2.4 You can contact the Inquiry by emailing email@example.com or writing to us at Freepost SCOTTISH COVID-19 INQUIRY.
3. What personal information will we collect about you?
3.1 We will collect and use the personal information that you provide to us:
3.1.1 In relation to evidence for the Inquiry: name, date of birth, postal address, email address, other contact details, employment details, opinions, health information, criminal offence data, audio recordings and video footage. We will also collect other special categories of personal information, if these are provided.
3.1.2 In relation to our website: analytics on how our site is used. In most cases this information will not be personal because we will not be able to identify individual site users.
3.1.3 In relation to correspondence: name, postal address, email address, details of any concerns raised in your correspondence, and any other information you volunteer about yourself or others. This may include special category information or criminal offence data.
3.1.4 In relation to email updates or newsletters: name and email address.
3.1.5 In relation to data protection requests: name, contact details and any documents needed to confirm your identity.
4. How do we obtain personal information?
4.1 We will request and receive personal information in various ways. These include:
4.1.1 Individuals or organisations who are able to help with our investigations may provide information to us voluntarily. We may also use our legal powers to make written requests for information or to require individuals or organisations to give evidence or produce documents that relate to our functions. Any information supplied, including that from organisations, may include personal information, including personal information about third parties.
4.1.2 When you email or write to us, including through social media or by any electronic form on our website, a record of your correspondence and contact details, and any other information you share, will be stored and processed by us.
4.1.3 We hear evidence at public hearings, which may include personal information.
5. What is our legal basis for processing your personal information?
5.1 We must have a reason, in law, to collect and use any personal information. There will be different reasons for this depending on why the information is collected.
5.1.1 In most cases, our legal basis for processing your personal information is that we need to fulfil our Terms of Reference, a task which is carried out in the public interest. If your personal information includes special category personal information, we will be using that for reasons of substantial public interest.
5.1.2 If we have a contract with you, such as an agreement to provide you with updates or newsletters or a contract with an expert witness, we can lawfully use the personal information you’ve provided to fulfil that contract.
5.1.3 In some cases, we will rely on your explicit, specific, and informed consent to process information. If we want to rely on your consent, we will make this clear to you and you may withdraw your consent at any time.
5.1.4 If you make a data protection request, when processing your personal information, we will rely on our legal obligation to deal with your request.
6. Who will we share your personal information with?
6.1 We will only share personal information with third parties when we have a legal basis to do so. Anybody with whom personal information is shared will be expected to comply with all applicable data protection law.
6.1.1 In relation to evidence: we have a duty to allow members of the public to view or obtain a record of the evidence and documents provided to us. Public hearings will be accessible by any member of the public and will be video and audio recorded for public viewing on the internet. We will publish on our website the evidence, witness statements, and hearing transcripts that are being referred to in the course of any oral public hearings. Evidence will also be shared with our core participants and their legal representatives, witnesses, experts who are assisting us, our legal advisers and the Keeper of the Records of Scotland.
6.1.2 In relation to consultations: we will share the information with experts who are assisting us, our legal advisers, and the Keeper of the Records of Scotland.
6.1.3 In relation to email updates or newsletters: we will not share your personal information. However, the company we engage to process this information will be able to see the information they need to see to provide the service.
6.1.4 In relation to data protection requests and correspondence: we will only share your information with anyone we need to in order to help us answer your request. This may include our legal advisers or internal IT staff.
6.2 As your personal information will be stored on our IT infrastructure, the service providers who manage and provide our IT systems, provide web analytics services, web hosting services, consultation management services, and email and document management and storage services (such as services to provide email messages where you have signed up to receive these) will have access to your personal information, but only where they need that access to provide the services.
6.3 If we need to transfer personal information outside of the UK (for example, due to the location of a service-provider’s systems), we will ensure that we only do that if we and the third party can comply with all data protection legislation.
7. How long will we keep your personal information?
7.1 We will keep your personal information for different amounts of time, depending on why we have it.
7.1.1 In relation to evidence: we must keep all personal information gathered until the Inquiry concludes and our final report is published. We are legally required to transfer the record of the work of the Inquiry, of which personal information will form part, to the Keeper of the Records of Scotland for permanent preservation at the end of the Inquiry. Anything which is not part of the record of the Inquiry will be deleted at that stage.
7.1.2 In relation to correspondence: personal information in correspondence will be kept for the duration of the Inquiry unless you write to the Inquiry asking for this information to be deleted.
7.1.3 In relation to email updates or newsletters: personal information provided for this purpose will be held until the conclusion of the Inquiry or until an individual has instructed the Inquiry to remove them from the mailing list or newsletter database, whichever occurs first.
7.1.4 In relation to data protection requests: personal information will be kept by us for the duration of the Inquiry. Documents used to confirm identity will be deleted once identity has been confirmed.
8. Your rights and how to use them
8.1 You have certain rights in relation to any personal information that we collect and use. You can ask to exercise the following rights by contacting us at firstname.lastname@example.org:
You have the right to:
- ask us to confirm if we are processing your personal information and to ask for copies of that information, if we are;
- ask us to check if the personal information we hold is accurate and complete and to ask us to correct or complete it, if appropriate;
- withdraw your consent to us using your personal information where consent has been given;
- object to us using your personal information in certain circumstances;
- ask us to erase any personal information about you or to restrict its processing in certain circumstances; and
- ask us to transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
8.2 In order to help us process these requests, you should provide your name, address and any other relevant contact details to us when you make your request. It is likely that we will need to ask you to confirm your identity before responding to your request.
8.3 In all cases, your request will be considered very carefully and will only be refused when we are legally allowed to do so.
8.4 You are not required to pay any charge for exercising your rights. If you make a request, we have one calendar month to respond to you, starting from the day we receive the request. If we need an extension to this timescale, we will let you know.
9. Keeping your personal information secure
9.1 We will operate appropriate security measures to prevent personal information from being accidentally lost or used or accessed unlawfully. Only those who have a genuine business need to access your personal information will be allowed to do so and they will keep the information confidential.
9.2 We have procedures in place to deal with any suspected personal data breach. We will notify you and the Information Commissioner of a personal data breach when we are legally required to do so.
10. Complaints about how we handled your personal information
10.1 You have the right to complain about the way that the Inquiry collects and uses your personal information. If you wish to make a complaint, please email email@example.com or write to us at Freepost SCOTTISH COVID-19 INQUIRY.
10.2 You also have the right to make a complaint to the Information Commissioner’s Office at firstname.lastname@example.org and 0303 123 1115.
11. Amendments to this Privacy Notice
11.1 The Inquiry will keep this Privacy Notice under regular review. This is the third version of this Privacy Notice and was approved by the Chair on 17 May 2023.