Privacy Information Notice
This privacy information notice explains how the Scottish Hospitals Inquiry (the Inquiry) handles personal information.
The Inquiry into the construction of the Queen Elizabeth University Hospital (QEUH) Campus, Glasgow and the Royal Hospital for Children and Young People and Department of Clinical Neurosciences (RHCYP/ DCN), Edinburgh (the Scottish Hospitals Inquiry) is a statutory Inquiry set up by Scottish Ministers under the Inquiries Act 2005.
The Inquiry is committed to handling personal information in compliance with data protection legislation.
The Data Controller for the Inquiry is responsible in law for all our information including how it is held and how it is used or destroyed.
The Chairman of the Inquiry is the Data Controller of personal information. The Data Protection Officer is Sam Anderson whose contact details can be found at the end of this notice.
Personal information collected and used by the Inquiry
The Inquiry’s purpose is to investigate and report on the construction of the Queen Elizabeth University Hospital Campus, Glasgow and the Royal Hospital for Children and Young People/ Department of Clinical Neurosciences, Edinburgh. The remit and terms of reference of the Inquiry are set out on our website (www.hospitalsinquiry.scot). In order to fulfil its purpose, the Inquiry will process personal information about individuals.
Definition of Personal Data
The Information Commissioner states that “personal data is information that relates to an identified or identifiable individual”. More information can be found at www.ico.org.uk
If it is possible to identify an individual directly from the information the Inquiry is processing, such as a name or a number; medical records; identifiers such as an IP address or a cookie; or other factors, then this information will be regarded as personal data.
Personal information used to conduct the Inquiry
The work of the Inquiry requires it to take possession, store and process various forms of material containing personal information. Some of this material comes from individuals and some will come from third parties, such as health authorities. The information can be personal data such as names and addresses, and other information can be sensitive personal data such as political opinions or sexual relationships.
How do we obtain personal information?
The Inquiry requests information from individuals and organisations with some connection to the subject matter of the Inquiry. Information will collected through various routes. These include:
a) Production of evidence to the Inquiry
Those with an interest in the subject matter of the Inquiry may provide evidence to the Inquiry voluntarily. In addition, the Inquiry may make written requests for evidence under Rule 8 of the Inquiry Rules (Scotland) Act 2007 to anyone believed to hold information of relevance to the Inquiry. Under Section 21 of the Inquiries Act 2005 the Chairman can, by notice, require individuals or organisations to give evidence or produce documents etc. that relate to a matter in question at the Inquiry. As a result of this evidence gathering work, the Inquiry will receive evidence containing personal information, some of which may be sensitive personal data. Such personal information will be stored and may be used by the Inquiry to advance the work of the Inquiry.
b) Visiting the website
When someone visits our website information is collected to measure the use of the website. No information is collected that identifies a particular individual.
To allow users to change the screen contrast and font-size for accessibility purposes; and
To provide anonymised tracking data to Google Analytics and Google Maps to allow the Inquiry to adapt and improve the website.
Google Analytics captures visitors’ Internet Protocol (IP) addresses to capture the geolocation of visitors and protect the service and provide security. Google Maps uses anonymous cookies to determine the number of unique users of the website.
To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit https://ico.org.uk/your-data-matters/online/cookies/.
c) When you contact us
When you email or write to the Inquiry, a record of your email and postal address and any other information you chose to share will be held. Any personal information you have chosen to share with us may be stored and used by the Inquiry solely to advance the work of the Inquiry.
If you contact the Inquiry by phone, any personal information provided to the Inquiry may be recorded and stored, unless you specifically ask not to. Please note that if your engagement with the Inquiry is to proceed, the Inquiry will need to take and retain some details so that, for example, it can contact you at a later date.
The Inquiry has a Twitter account @scothospinquiry where it tweets to provide direct links to certain pieces of information or documents. The Inquiry policy is not to respond to comments or retweets. If you provide personal information to the Inquiry by Twitter, those details may be stored and may be used by the Inquiry team to advance the work of the Inquiry.
Should you contact the Inquiry to make a complaint, the Inquiry will record and store any personal information that is received when the complaint is submitted in order to process the complaint.
d) At Hearings
The Inquiry will hold various hearings, in accordance with its obligation under Section 18 of the Inquiries Act 2005. The Inquiry receives evidence from participants of those hearings, which may contain personal information.
The presumption is that hearings will be held in public, however, certain individuals participating in the hearings may have their identities anonymised if a Restriction Order has been granted. The Chairman to the Inquiry decides if evidence is provided in private or closed session and such decisions will be made in accordance with Section 19 of the Inquiries Act 2005.
Lists of the names of witnesses due to appear at public hearings will, subject to the above, be posted on the website in advance of each hearing. The Inquiry will only post lists of witnesses due to appear at public hearings. Members of the public will be able to attend the public hearings. Members of the public will not be permitted to attend any hearings held in private or closed session.
e) If you work or apply to work at the Inquiry
The Inquiry will store and process personal information to enable it to manage relationships with its team members lawfully and effectively. This will include using personal information to enable the Inquiry to:
Improve the management of the workforce of the Inquiry;
Enable development of a comprehensive picture of the Inquiry workforce and how it is deployed;
Inform the development of recruitment and retention policies;
Allow better financial modelling and planning;
Enable monitoring of selected protected characteristics; and
Manage employment contracts and to protect the legal position of the Inquiry.
Protecting your personal information
The Inquiry keeps your information secure and only shares it with those who need to see it. There are both physical security and processes in place to ensure that all personal data is handled fairly and lawfully in line with data protection legislation and is stored in systems that meet government security standards.
All Inquiry team members are security vetted and complete annual information handling training to ensure that they understand their responsibilities in handling your personal data.
Sharing your information
The Chairman accepts responsibility for the protection of personal information the Inquiry holds as a controller of that information. In order to advance the work of the Inquiry, it is sometimes necessary to share personal information with third parties. The Inquiry will only share personal information with third parties when it is legally permitted to do so or it has the individual’s consent to do so. Any person with whom information is shared will be instructed to comply with any instructions given by the Inquiry in relation to that information.
The Inquiry may share personal information with its suppliers and other third parties. The Inquiry will only share personal information with third parties when it can do so lawfully or it has consent. This can include transferring personal information outside of the United Kingdom.
In order to transfer personal information outside of the UK, the Inquiry will comply with the General Data Protection Regulation and Data Protection Act 2018. In particular, the Inquiry will have regard to the following:
The lawful processing requirements;
The security provisions;
International transfer provisions; and
Record keeping requirements.
If the personal information is being transferred outside the European Union or the European Economic Area and to a country in respect of which there is no applicable adequacy decision the Inquiry will rely on Article 49(1)(d) of the General Data Protection Regulations, namely the transfer is necessary for important reasons of public interest. This is because the transfer will be necessary to enable the Inquiry to fulfil its functions under the Inquiries Act 2005.
Any transfer of personal information outside of the United Kingdom must be pre-authorised by the Solicitor to the Inquiry.
Publication of evidence
The manner and timing of release of evidence into the public domain will be decided by the Chairman. The Inquiry intends to make all evidence that is relevant to the Inquiry’s investigations available to the public, unless publication has been restricted by a Restriction Order under Section 19 Inquiries Act 2005.
Irrelevant and/or unnecessary personal information will be redacted (by removing or obscuring it) by the Inquiry legal team in accordance with the Restriction Protocol.
Core participants and witnesses will have the opportunity to consider references to themselves in documents that the Inquiry proposes to use and if they wish, to apply for that information to be restricted. Any application will be considered by the Chairman under Section 19 of the Inquiries Act 2005. Any such documents will be provided to core participants and witnesses when they are asked to make a witness statement. Wherever possible, new potential core participants or witnesses will also be contacted by the Inquiry, and given the opportunity to make an application for a Restriction Order. Where it is considered disproportionate to do so, the information will be considered for redaction by the Inquiry. The Inquiry will decide whether to provisionally redact references to such persons applying the relevant legal principles and be mindful of the fact that the person affected will not have had an opportunity to apply for a restriction order.
Transcripts of all public hearings will be published on the Inquiry’s website. Transcripts of private or closed hearings will be sent only to the parties attending such hearings and not released into the public domain, although the Inquiry will make available as much information about closed and private hearings as can be provided without compromising them.
Once released the information will be hosted on the Inquiry website, which will ultimately be archived by the National Record of Scotland on completion of the Inquiry.
Retention of personal information
At the end of the Inquiry, and as required by law, the record of the work of the Inquiry, of which personal information may form part, will be transferred to the National Records of Scotland for permanent preservation.
The legal basis for processing personal data.
The Inquiry processes personal data lawfully in compliance with the General Data Protection Regulation (‘GDPR’) and the Data Protection Act 2018.
The ‘Lawful Basis’ as defined by the GDPR is that the Inquiry is carrying out a Public Task; fulfilling the function of an Inquiry and pursuing legitimate interest in fulfilling the published Terms of Reference.
The relevant Articles of GDPR therefore apply:
Personal data: Article 6 (1)(e)
“processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”; and
Special personal data: Article 9 (2)(g)
“processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”;
Paragraphs 5 & 6 of Part 1 of Schedule 2 of the Data Protection Act 2018
“Requirement for an appropriate policy document when relying on conditions in this Part
5 (1) Except as otherwise provided, a condition in this Part of this Schedule is met only if, when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).
(2) See also the additional safeguards in Part 4 of this Schedule. Statutory etc. and government purposes
6 (1) This condition is met if the processing—
is necessary for a purpose listed in sub-paragraph (2), and
is necessary for reasons of substantial public interest.
(2) Those purposes are—
the exercise of a function conferred on a person by an enactment or rule of law;
the exercise of a function of the Crown, a Minister of the Crown or a government department”
Carrying out a Public Task means that the processing carried out is necessary for the performance of a specific function carried out in the public interest or in the exercise of official authority vested in the Inquiry.
The entire purpose of this Inquiry is to benefit the public, by understanding what has happened in the past and to recommend improvements for the future. Complying with our legal obligation means: we process your personal data because it is necessary for our legitimate interests in fully carrying out our investigations, creating a public record or records of the events, findings and recommendations. We can rely upon this lawful basis only when we believe our interest is not overridden by your fundamental rights and freedoms.
Your rights and how to use them
a) Freedom of Information Scotland Act 2002
The Freedom of Information Scotland Act 2002 does not apply to Inquiries set up under the Inquiries Act 2005, this includes this Inquiry. However, in keeping with the spirit of the freedom of information, the Inquiry will operate in as transparent and open a manner as possible in accordance with the interests of justice. The Inquiry publishes regular update notes on the progress of its work as well as costs.
b) Data Protection Legislation
The Inquiry adheres to the relevant provisions of the data protection legislation and is registered with the Information Commissioner’s Office (registration number ZA775906). The Inquiry has appointed a Data Protection Officer who is responsible for monitoring compliance with the data protection legislation. The Inquiry ensures that appropriate data security policies are in place and that the Chairman, and all those engaged in support receive the necessary training.
The Inquiry’s approach to data protection follows the data protection principles as follows:
That processing be lawful and fair;
That purposes of processing be specified, explicit and legitimate;
That personal data be adequate relevant and not excessive;
That personal data be accurate and kept up to date; and
That personal data be kept for no longer than is necessary.
Access to your personal information and correction
You have certain rights in relation to the personal information that the Inquiry holds about you. You are entitled to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed and, where that is the case, access to the personal data.
Where a request would make it more difficult for us to fulfil our Terms of Reference or puts another person’s personal data at risk of being revealed, we may rely on one or more of the exemptions set out in the Data Protection Act 2018 to refuse your request to assert your rights under the GDPR. However, sometimes it will be correct to comply with your request even if there is an exemption that we can rely upon.
You have the right to confirm that any personal information about you is accurate. If you believe that the Inquiry holds inaccurate personal information about you, you may ask for it to be corrected or remove any inaccurate personal information.
Where the Inquiry collects and processes your personal information based on your consent, you have a right to withdraw such consent at any time.
Any request for personal information should be submitted to the Inquiry’s Data Protection Officer. In order to assist the Inquiry with processing such requests, you should provide the following as a minimum:
An explanation of your request;
Your date of birth; and
You will be asked to provide the Inquiry with proof of your identity before any request is processed.
In all cases your request will be considered very carefully. Should we believe that your information falls within one of the exemptions set down in the Data Protection Act 2018 and that compliance with your request may hinder our ability to fulfil our Terms of Reference your request may be declined.
Complaints about how we handled your information
You have the right to complain about the way that the Inquiry collects and uses your personal information. If you wish make a complaint, please provide details to the Data Protection Officer.
All complaints shall be handled in a timely manner by the Inquiry’s Data Protection Officer.
You also have the right to make a complaint to the Information Commissioners Office.
Contacting the Data Protection Officer
If you wish to know what data is held on you or to make a Subject Access Request please do so in writing by contacting the Data Protection Officer by email at:
Please ensure you mark the email “For the attention of the Data Protection Officer” in the subject header.
Amendments to this privacy information notice
This Inquiry keeps this privacy information notice under regular review. This version of the privacy information notice was last updated on 6 November 2020.
You can download the Privacy Notice using the link below.