- This Privacy Notice explains how the Scottish COVID-19 Inquiry (the ‘Inquiry’) will collect and handle your personal data.
2. Who are we?
- The Inquiry is a statutory public inquiry set up by Scottish Ministers under the Inquiries Act 2005 to examine the strategic handling of the COVID-19 pandemic. The Inquiry’s remit is set out in Terms of Reference, which can be found at: Terms of Reference
- The Inquiry is registered as a Controller with the Information Commissioner’s Office (registration number ZB298759) and is responsible for compliance with the UK General Data Protection Regulation and the Data Protection Act 2018.
- The Inquiry is committed to handling any personal data which identifies you in compliance with all applicable data protection legislation. The Inquiry has appointed a Data Protection Officer (‘DPO’) who can be contacted regarding the Inquiry’s data management practices and any issue raised in this Notice at:
Data Protection Officer
Scottish COVID-19 Inquiry
GD Bridge Victoria Quay
3. What personal data will the Inquiry collect about you?
- To carry out our functions of investigating the strategic handling of the COVID-19 pandemic, we need to collect information. That will involve the Inquiry requesting, receiving, and processing personal data to ensure it can fulfil its Terms of Reference. This information may include names, dates of birth, postal addresses, email addresses, other contact details, statements given by participants, witnesses or potential witnesses, copy communications, audio recordings and video footage. The Inquiry will also process some special categories of personal data, such as medical records.
- When you contact the Inquiry, or if the Inquiry contacts you, we will process and store your name, contact details, your connection to the subject matter of the Inquiry, all correspondence you send us in whichever form, and any other information you supply whether orally or in writing. The Inquiry may process audio recordings and video footage about you in the course of, for example, telephone calls and hearings.
4. How does the Inquiry obtain personal data?
- The Inquiry will request and receive personal data through various routes from both individuals and organisations who are able to assist its investigations. These include:
- Production of information to the Inquiry Individuals or organisations who are able to assist the Inquiry’s investigations may provide information to the Inquiry voluntarily. In addition, the Inquiry may make written requests for information under Rule 8 of the Inquiries (Scotland) Rules 2007. Section 21 of the Inquiries Act 2005 gives the Chair powers to require individuals or organisations to give evidence or produce documents that relate to the Inquiry’s functions. Any information supplied, including that from organisations, may include personal data, including personal data about third parties.
- When you contact us When you email or write to the Inquiry, including by social media or by any electronic form on our website, a record of your correspondence and contact details, and any other information you share, will be stored and processed by the Inquiry. If you contact the Inquiry by telephone, the Inquiry may store and process your name, contact details, and details of the conversation including an audio recording of same.
- At Hearings The Inquiry will conduct a number of public hearings in the course of its investigations. The Inquiry will hear evidence at those hearings, which may refer to personal data in the oral or documentary evidence of witnesses and core participants.
- If you work or apply to work at the Inquiry The Inquiry will store and process personal data to enable it to manage relationships with its team members lawfully and effectively. This will include processing personal data to enable the Inquiry to: • manage contracts relating to Inquiry staff; • set out the organisational structure of Inquiry staff; • inform the development of recruitment and retention policies; and • allow better financial modelling and planning. Further information may be found in the Inquiry’s Protocol for Receipt and Handling of Information which will be available on the Inquiry’s website.
- When you visit the Inquiry’s website
- Information is collected to measure the use of the website when you visit it.
- Google Analytics captures visitors’ Internet Protocol (IP) addresses to capture the geolocation of visitors and protect the service and provide security. Google Maps uses anonymous cookies to determine the number of unique users of the website.
- To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit: Information Commissioner's Office website.
5. What is the Inquiry’s legal basis for processing your personal data?
- The Inquiry must have a reason, in law, to process any personal data about you: • the Inquiry requires to process personal data because it has legal obligations it must fulfil under the Inquiries Act 2005 and the Inquiries (Scotland) Rules 2007; • the Inquiry, as a statutory public Inquiry with functions and powers, also requires to address its Terms of Reference in its performance of a task in the public interest. When the Inquiry relies on this public interest legal basis you have the right to object to such process (please see the section below on (‘Your rights and how to use them’); • where the Inquiry has a contract with you, such as an employment contract or a contract with an expert witness, it may also lawfully process your personal data to fulfil that contract; • the Inquiry may also, where necessary, rely on your explicit, specific, and informed consent in processing certain data. Where the Inquiry is relying on your consent to process personal data, this will be clearly requested from you and you may withdraw your consent to the processing at any time.
- The Inquiry may process special categories of personal data if it is necessary for reasons of substantial public interest. The Inquiry has a statutory and governmental purpose pursuant to section 10(3) and paragraph 6 of Schedule 1 to the Data Protection Act 2018. The processing of special categories of personal data is required to ensure the Inquiry, with statutory functions and powers, has all of the necessary information to fulfil its Terms of Reference which is a task and function of substantial public interest.
6. Who will the Inquiry share your personal data with?
- The Inquiry has a statutory duty, in terms of section 18 of the Inquiries Act 2005, to allow members of the public to view or obtain a record of evidence and documents given, produced, or provided to the Inquiry. Hearings will be accessible by any member of the public and will be video and audio recorded for public viewing on the Internet.
- The Inquiry will also make public, via its website, and possibly by other means, the evidence, witness statements, and hearing transcripts that are being referred to in the course of any oral hearings. A Protocol on Redaction and Restriction will be published on the Inquiry’s website prior to any hearings and should any Data Subject wish to be anonymised or for their personal data to be redacted or restricted prior to publication, they should refer to this Protocol.
- The Inquiry will only share personal data with third parties when it has a legal basis to do so. Any person or organisation with whom personal data is shared will be expected to comply with any applicable data protection legislation. Such third parties may include, but will not be limited to: participants (including their legal representatives); witnesses; experts who are assisting the Inquiry team; counsel; external consultants or service providers (such as IT or document management); press agencies; the Keeper of the Records of Scotland; and the wider public. 6.4 Where it is necessary for any personal data to be transferred outside of the UK (for example, due to the location of a service-provider’s systems), we will ensure that we comply with all applicable legislation.
7. How long will the Inquiry keep your personal data?
- The Inquiry requires to retain all personal data until the Inquiry concludes and its final report is published. As required by the Inquiries (Scotland) Rules 2007, the record of the work of the Inquiry, of which personal data may form part, will be transferred to the Keeper of the Records of Scotland for permanent preservation upon the Inquiry’s conclusion.
8. Your rights and how to use them
- You may have certain rights in relation to any personal data that the Inquiry processes about you. You may seek to exercise the following rights by contacting the Inquiry’s DPO: • confirmation as to whether or not the Inquiry is processing your personal data and, where that is the case, request access to, or copies of, the data in question; • confirmation that any personal data about you is accurate and to have it corrected if appropriate; • withdrawal of your consent to the Inquiry processing your personal data where appropriate; • objecting to the Inquiry processing your personal data; • the deletion or restriction of any personal data held by the Inquiry about you. The right to deletion does not apply where processing is necessary for the performance of the Inquiry’s task in the public interest; and/or • receipt of your personal data in a structured, commonly used and machine-readable format and/or transmission to a third party, where you have provided the Inquiry with such personal data and the Inquiry is processing it with your consent or to perform a contract.
- A request regarding any of the above should be submitted to the Inquiry’s DPO. In order to assist the Inquiry with processing such requests, you should provide your name, address, valid copy ID, and any other contact details.
- In all cases your request will be considered very carefully and will only be declined where the Inquiry has a basis in law to do so. We might for example decline your request if your information falls within a legal exemption and compliance with your request would hinder the Inquiry fulfilling its Terms of Reference. 8.4 You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you, unless we are able to apply an extension where you will be informed of such extension before it is applied.
9. Keeping your personal data secure
- The Inquiry will operate appropriate security measures to prevent personal data from being accidentally lost, or used or accessed unlawfully. The Inquiry limits access to your personal data to those who have a genuine business need to access it. Those processing your personal data will do so only in an authorised manner and are subject to a duty of confidentiality.
- The Inquiry also has procedures in place to deal with any suspected data security breach. The Inquiry will notify you and any applicable regulator of a suspected data security breach where legally required to do so.
10. Complaints about how we handled your personal data
- You have the right to complain about the way that the Inquiry collects and uses your personal data. If you wish make a complaint, please contact the Inquiry’s DPO at SecretarySCI@covid19inquiry.scot
- You also have the right to make a complaint to the Information Commissioner’s Office at firstname.lastname@example.org and 0303 123 1115.
11. Amendments to this Privacy Notice
- The Inquiry will keep this Privacy Notice under regular review. This is the first version of this Privacy Notice.