Privacy

This notice sets out how we will use your personal data, and your rights. It is made under Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR). 

Your Data

Purpose

We process data for a range of purposes connected with UK Covid-19 Inquiry. These include: 

  • to communicate with external stakeholders or interested parties, including officials, journalists, witnesses, and members of the public
  • to obtain the opinions of members of the public, parliamentarians and representatives of organisations and companies about the UK Covid-19 Public Inquiry, including in relation to the Inquiry’s Terms of Reference
  • to operate the Inquiry’s website
  • to deal with public correspondence
  • to respond to data protection requests from individuals
  • to provide the public with information about the Inquiry through social media channels

The data

We will process the following personal data: 

In relation to external communications: name, address, email address, job title (where given), and employer (where given). 

In relation to consultations: name, address, email address, job title (where given), and employer (where given), as well as opinions. We will also process additional biographical information about respondents or third parties where it is volunteered.  

In relation to our website: analytics on how our site is used. In most cases this data will not be personal data because we will not be able to identify individual site users.

In relation to public correspondence: name, address, email address, details of any concerns raised in your correspondence, and any other information you volunteer about yourself or others. We may also process special category data or data about criminal convictions, if you volunteer such information.

In relation to data protection requests from individuals: name, address, email address, your request, documents needed to verify your identity, and any data on you held by the Inquiry.

In relation to social media channels: names, email addresses, photographs, videos, social media handles, opinions, and any other data volunteered, including sensitive personal data.

For the majority of personal data we process, our legal basis for processing your personal data is that it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller (Article 6(1)(e) UK GDPR). In this case that is the Inquiry’s work to fulfil its Terms of Reference.

In relation to social media channels: Where we post personal data relating to government activity, our legal basis is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller (Article 6(1)(e) UK GDPR). Where we process personal data generated by social media users, the legal basis for processing that personal data is because the user consents to us doing so (Article 6(1)(a) UK GDPR).

In relation to data protection requests from individuals: the legal basis for processing your personal data is that it is necessary to comply with a legal obligation placed on us as the data controller (Article 6(1)(c) UK GDPR).

Sensitive personal data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. 

The legal basis for processing any sensitive personal data, or data about criminal convictions, where we receive it, is that it is necessary for reasons of substantial public interest for the exercise of a function conferred on a person by an enactment, or the exercise of a function of a Minister of the Crown (para 6, schedule 1, Data Protection Act 2018). The function is the Inquiry’s work to fulfil its Terms of Reference.

Recipients

As your personal data will be stored on our IT infrastructure it will be shared with our data processors who provide web analytics services, web hosting service, consultation management services, and email and document management and storage services. 

In relation to consultation: Where individuals submit responses, we will publish their responses, but not publicly identify them.  We will endeavour to remove any information that may lead to them being identified.  Responses submitted by organisations or representatives of organisations will be published. Where information about responses is not published, it may be shared with officials within other public bodies in order to help develop policy. 

In relation to public correspondence: Your information may be shared with other public bodies, or the devolved administrations, where it is necessary and in order to provide a full answer to you. Your information may be shared with other public bodies, the devolved administrations, constituency offices or political parties, where it is necessary to transfer correspondence to a more appropriate body for an answer. Your information may be shared with your MP, where they are writing on your behalf.

In relation to social media channels: Any personal data shared on social media platforms will be shared with those social media providers. Any personal data shared on social media platforms is made public, unless privacy settings have been used.

Retention 

In relation to communications: Your personal data will be kept by us for the purposes of contacting individuals in particular roles, and once they leave those roles the information will be updated and or deleted. This should take place at least annually.

In relation to consultation: published information will generally be retained indefinitely on the basis that the information is of historic value. This would include, for example, personal data about representatives of organisations. Responses from individuals will be retained in identifiable form for three calendar years after the consultation has concluded.

In relation to the website: analytics data will be retained for 2 years, which auto-renews on re-acceptance of cookies.

In relation to public correspondence: personal information in correspondence will usually be deleted 3 calendar years after the correspondence, or the case is closed or concluded. However, public correspondence may be kept if it is sufficiently significant that it should be retained for the historical record.

In relation to data protection requests from individuals: personal data held in relation to data protection requests will be kept by the Inquiry for up to two years from the date of last contact. Documents used to verify identity will be deleted once identity has been verified. 

In relation to social media channels: Our social media posts will be retained indefinitely as part of the historical record. Data published on social media platforms by end users will remain until it is deleted by the social media user.

Where personal data have not been obtained from you

Your personal data may have been obtained by us from a respondent to a consultation or a correspondent. 

Contact details for external stakeholders or interested parties may have been obtained from public sources including the internet or their employers. 

Your Rights 

You have the right to request information about how your personal data are processed, and to request a copy of that personal data. 

You have the right to request that any inaccuracies in your personal data are rectified without delay. 

You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement. 

You have the right to request that your personal data are erased if there is no longer a justification for them to be processed. 

You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted. 

You have the right to object to the processing of your personal data.

International Transfers

As your personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the UK. Where that is the case it will be subject to equivalent legal protection through an adequacy decision, or the use of Standard Contractual Clauses. 

Contact Details

The data controller for your personal data is the Covid-19 Inquiry Office. The contact details for the data controller are: contact@covid19.public-inquiry.uk

The contact details for the data controller’s Data Protection Officer are: dpo@cabinetoffice.gov.uk.  The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.

Complaints 

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator.  The Information Commissioner can be contacted at:  Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, or 0303 123 1113, or icocasework@ico.org.uk.  Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts. 

Delib Privacy Information

Delib's software (this website) enables organisations to set up and operate activities, through which they can engage with you.

This site is managed by the controlling organisation, UK Covid-19 Public Inquiry. When you access and use this site, the personal information you have submitted to these activities will go to the organisation. Delib will not access your personal information unless requested to do so by the organisation, and only for the purposes of assisting them with the administration of this site.

Accessing your Personal Information

If you have any questions or requests about your personal information, for example to request a copy of it, or to ask for it to be corrected if you think it is wrong, please contact the organisation (as stated in their Privacy Notice / Privacy Statement / Privacy Policy). It is the controlling organisation's responsibility to answer any questions or requests about your personal information.

Collection of Browser Information

The information provided by your computer when you use this website is collected by Delib. For example, your browser type, IP address, language preference, referring site and the date and time. The purpose for collecting this information is to maintain the security of the website and for operating and improving the software.