This Privacy Notice explains how the Scottish Hospitals Inquiry will handle any Personal Data (including Sensitive Personal Data) about you as a Data Subject.
The Inquiry also has a separate Data Protection Policy which provides further information about its data protection and security measures and will be available on its website.
Who are we?
The Scottish Hospitals Inquiry (the Inquiry) is a statutory public inquiry set up by Scottish Ministers under the Inquiries Act 2005 to examine issues regarding the Queen Elizabeth University Hospital Campus (QEUH), Glasgow and the Royal Hospital for Children and Young People and Department of Clinical Neurosciences (RHCYP/DCN), Edinburgh. The Inquiry’s remit and Terms of Reference, which set out its functions, can be found here: Remit & Terms of Reference | Hospitals Inquiry.
The Inquiry is registered as a Data Controller with the Information Commissioner’s Office (registration number ZA775906) and is responsible for compliance with the UK General Data Protection Regulation and the Data Protection Act 2018.
The Inquiry is committed to handling any Personal Data which identifies you in compliance with all applicable data protection legislation. The Inquiry has appointed a Data Protection Officer (DPO), Sam Anderson, who can be contacted at sam.anderson@hospitalsinquiry.scot regarding the Inquiry’s data management practices and any issue raised in this Notice.
What Personal Data will the Inquiry collect about you?
The Inquiry will require to request, receive, and process Personal Data about various Data Subjects to ensure it has all necessary information to fulfil its Terms of Reference and investigate the issues within. This information may include names, dates of birth, postal addresses, email addresses, statements given by witnesses or potential witnesses, and copy communications. The Inquiry will also process Sensitive Personal Data such as medical records or trade union membership information.
When you contact the Inquiry, or if the Inquiry contacts you, we will process and store your name, contact details, your connection to the subject matter of the Inquiry, all correspondence you send us in whichever form, and any other information you supply whether orally or in writing.
If you are a core participant, or applying to be a core participant, the Inquiry will process and store your core participant application, any application for legal costs and expenses, details of your legal representative, and all communication with your legal representative.
The Inquiry may also store and process audio recordings and video footage about you in the course of, for example, telephone calls and hearings.
How does the Inquiry obtain Personal Data?
The Inquiry will request and receive Personal Data through various routes from both individuals and organisations who are able to assist its investigations. These include:
a) Production of information to the Inquiry
Individuals or organisations who are able to assist the Inquiry’s investigations may provide information to the Inquiry voluntarily. In addition, the Inquiry may make written requests for information under Rule 8 of the Inquiries (Scotland) Rules 2007. Section 21 of the Inquiries Act 2005 also gives the Chair powers to require individuals or organisations to give evidence or produce documents that relate to the Inquiry’s functions. Any information supplied, including that from organisations, may include Personal Data, including Personal Data about third parties.
b) When you contact us
When you email or write to the Inquiry, including by social media or by any electronic form on our website, a record of your correspondence and contact details, and any other information you share, will be stored and processed by the Inquiry.
If you contact the Inquiry by telephone, the Inquiry may store and process your name, contact details, and details of the conversation including an audio recording of same.
c) At Hearings
The Inquiry will conduct a number of public hearings in the course of its investigations. The Inquiry will hear evidence at those hearings, which may refer to Personal Data in the oral or documentary evidence of witnesses and core participants.
d) If you work or apply to work at the Inquiry
The Inquiry will store and process Personal Data to enable it to manage relationships with its team members lawfully and effectively. This will include processing Personal Data to enable the Inquiry to:
-
Manage contracts relating to Inquiry staff;
-
Set out the organisational structure of Inquiry staff;
-
Inform the development of recruitment and retention policies; and
-
Allow better financial modelling and planning.
Further information may be found in the Inquiry’s Protocol on the Receipt and Handling of Information which will become available on the Inquiry’s website.
e) When you visit the Inquiry’s website
Information is collected to measure the use of the website when you visit it.
The Inquiry website uses cookies, small text files that are placed on your machine, to help the site provide a better user experience. The Inquiry website has cookies for two purposes:
-
To allow users to change the screen contrast and font-size for accessibility purposes; and
-
To provide anonymised tracking data to Google Analytics and Google Maps to allow the Inquiry to adapt and improve the website.
Google Analytics captures visitors’ Internet Protocol (IP) addresses to capture the geolocation of visitors and protect the service and provide security. Google Maps uses anonymous cookies to determine the number of unique users of the website.
To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit https://ico.org.uk/your-data-matters/online/cookies/.
What is the Inquiry’s legal basis for processing your Personal Data?
The Inquiry must have a reason, in law, to process any Personal Data about you.
The Inquiry requires to process Personal Data because it is has legal obligations it must fulfil under the Inquiries Act 2005 and the Inquiries (Scotland) Rules 2007. The Inquiry, as a statutory public inquiry with functions and powers, also requires to address its Terms of Reference in its performance of a task in the public interest. Where the Inquiry has a contract with you, such as an employment contract or a contract with an expert witness, it may also lawfully process your Personal Data to fulfil that contract. The Inquiry may also, where necessary, rely on your explicit, specific, and informed consent in processing certain data. Where the Inquiry is relying on your consent to process data, you may withdraw your consent to the processing at any time. Where appropriate, the Inquiry may rely on a legitimate interest in processing your Personal Data.
The Inquiry may process your Sensitive Personal Data as it is necessary for reasons of substantial public interest. The Inquiry has a statutory and governmental purpose pursuant to section 10(3) and paragraph 6 of Schedule 1 to the Data Protection Act 2018. The processing of Sensitive Personal Data is required to ensure the Inquiry, with statutory functions and powers, has all the necessary information to fulfil its Terms of Reference which is a task and function of substantial public interest
Who will the Inquiry share your Personal Data with?
The Inquiry has a statutory duty, in terms of section 18 of the Inquiries Act 2005, to allow members of the public to view or obtain a record of evidence and documents given, produced, or provided to the Inquiry. Hearings will be accessible by any member of the public and will be video and audio recorded for public viewing on the internet. The Inquiry will also make public, via its website, in the course of hearings, and possibly by other means, the evidence, witness statements, and hearing transcripts that are being referred to in the course of its investigations. Should any Data Subject wish to be anonymised or for their Personal Data to be redacted or restricted prior to publication, they should refer to the Inquiry’s Protocols on Redaction and Restriction which will become available on the Inquiry’s website.
The Inquiry will only share Personal Data with third parties when it has a legal basis to do so. Any person or organisation with whom Personal Data is shared will be expected to comply with any applicable data protection legislation . Such third parties may include, but will not be limited to: core participants (including their legal representatives); witnesses; experts who are assisting the Inquiry team; counsel; external consultants or service providers (such as IT or document management); press agencies; the Scottish Government; the Keeper of the Records of Scotland; and the wider public.
Where it is necessary for any Personal Data to be transferred outside of the UK (for example, due to the location of a service-provider’s systems), we will ensure that we comply with all applicable legislation.
How long will the Inquiry keep your Personal Data?
The Inquiry requires to retain all Personal Data until the Inquiry concludes and its final report is published. As required by the Inquiries (Scotland) Rules 2007, the record of the work of the Inquiry, of which Personal Data may form part, will be transferred to the Keeper of the Records of Scotland for permanent preservation upon the Inquiry’s conclusion.
Your rights and how to use them
You may have certain rights in relation to any Personal Data that the Inquiry processes about you. You may seek to exercise the following rights by contacting the Inquiry’s DPO:
-
Confirmation as to whether or not the Inquiry is processing your Personal Data and, where that is the case, request access to, or copies of, the data in question.
-
Confirmation that any Personal Data about you is accurate and to have same corrected if appropriate.
-
Withdrawal of your consent to the Inquiry processing your Personal Data where appropriate.
-
Objecting to the Inquiry processing your Personal Data.
-
The deletion or restriction of any Personal Data held by the Inquiry about you. The right to deletion does not apply where processing is necessary for the performance of the Inquiry’s task in the public interest.
A request regarding any of the above should be submitted to the Inquiry’s DPO. In order to assist the Inquiry with processing such requests, you should provide your name, address, valid copy ID, and any other contact details.
In all cases your request will be considered very carefully and will only be declined where the Inquiry has a basis in law to do so.
Complaints about how we handled your information
You have the right to complain about the way that the Inquiry collects and uses your Personal Data. If you wish make a complaint, please contact the Inquiry’s DPO at sam.anderson@hospitalsinquiry.scot.
You also have the right to make a complaint to the Information Commissioners Office at scotland@ico.org.uk and 0303 123 1115 .
Amendments to this Privacy Notice
This Inquiry keeps this privacy information notice under regular review. This version of the privacy information notice was last updated on 17 September 2021.