The UK Covid-19 Inquiry is an independent public inquiry set up to examine the UK’s response to and impact of the Covid-19 pandemic, and learn lessons for the future.

This notice sets out how we will use your personal data and your rights.

Who we are

We are an independent inquiry team, sponsored by the Cabinet Office. We are a data controller.

We also use suppliers, who act as processors of personal data on behalf of the UK Covid-19 Inquiry.

What do we use your data for?

We process data for a range of purposes connected with the UK Covid-19 Inquiry (the Inquiry). These include:

  • to build evidence for the Inquiry
  • i gyfathrebu â rhanddeiliaid allanol neu bartïon â diddordeb, gan gynnwys swyddogion, newyddiadurwyr, tystion, ac aelodau o'r cyhoedd
  • to obtain the opinions of members of the public, parliamentarians and representatives of organisations and companies about the Inquiry, including in relation to the Inquiry’s Terms of Reference
  • i weithredu gwefan yr Ymchwiliad
  • i ddelio â gohebiaeth gyhoeddus
  • ymateb i geisiadau diogelu data gan unigolion
  • rhoi gwybodaeth i'r cyhoedd am yr Ymchwiliad drwy sianeli cyfryngau cymdeithasol
  • to provide further information to you about the Inquiry via email if you sign up to receive these emails (email updates)

What personal data will be collected and processed?

We will process the following personal data that you may provide to us in relation to the Inquiry: 

  • In relation to evidence for the Inquiry: name, address, email address, job title, employer, opinions, health information, criminal convictions and any other sensitive information you volunteer about yourself or others.
  • In relation to external communications: name, address, email address, job title (where these are provided by you), and employer (where provided by you).
  • In relation to consultations (including the listening exercise): name, address, email address, job title (where these are provided by you), and employer (where provided by you), as well as opinions. We may also process sensitive data such as health information, ethnic origin, criminal convictions and any other information you volunteer about yourself or others. We may also process additional biographical information about respondents or third parties where it is volunteered.
  • Mewn perthynas â'n gwefan: dadansoddeg ar sut mae ein gwefan yn cael ei defnyddio. Yn y rhan fwyaf o achosion ni fydd y data hwn yn ddata personol oherwydd ni fyddwn yn gallu adnabod defnyddwyr safleoedd unigol.
  • Mewn perthynas â gohebiaeth gyhoeddus: enw, cyfeiriad, cyfeiriad e-bost, manylion unrhyw bryderon a godwyd yn eich gohebiaeth, ac unrhyw wybodaeth arall yr ydych yn gwirfoddoli amdanoch eich hun neu eraill. Efallai y byddwn hefyd yn prosesu data categori arbennig neu ddata am euogfarnau troseddol, os byddwch yn gwirfoddoli gwybodaeth o'r fath.
  • In relation to email updates: name and email address.
  • In relation to data protection requests from individuals: name, address, email address, your request, documents needed to verify your identity.
  • Mewn perthynas â sianelau cyfryngau cymdeithasol: enwau, cyfeiriadau e-bost, ffotograffau, fideos, dolenni cyfryngau cymdeithasol, barn, ac unrhyw ddata arall a wirfoddolwyd, gan gynnwys data personol sensitif.

What is our lawful basis to use your information?

Ar gyfer y rhan fwyaf o'r data personol rydym yn ei brosesu, ein sail gyfreithiol dros brosesu eich data personol yw ei bod yn angenrheidiol ar gyfer cyflawni tasg a gyflawnir er budd y cyhoedd neu wrth arfer awdurdod swyddogol a freiniwyd yn y rheolydd data (Erthygl 6(1)(e) GDPR y DU). Yn yr achos hwn, gwaith yr Ymchwiliad yw cyflawni ei Gylch Gorchwyl.

Mewn perthynas â sianelau cyfryngau cymdeithasol: Pan fyddwn yn postio data personol sy'n ymwneud â gweithgarwch y llywodraeth, ein sail gyfreithiol yw bod prosesu yn angenrheidiol er mwyn cyflawni tasg a gyflawnir er budd y cyhoedd neu wrth arfer awdurdod swyddogol a freiniwyd yn y rheolydd data (Erthygl 6(1)(e) GDPR y DU). Pan fyddwn yn prosesu data personol a gynhyrchir gan ddefnyddwyr cyfryngau cymdeithasol, y sail gyfreithiol dros brosesu'r data personol hwnnw yw oherwydd bod y defnyddiwr yn cydsynio i ni wneud hynny (Erthygl 6(1)(a) GDPR y DU).

In relation to email updates: the legal basis for processing your personal data is based on the Inquiry’s legitimate interests, namely to fulfil its Terms of Reference (Article 6(1)(f) UK GDPR), and your consent to receiving those Email Updates (Article 6(1)(a) UK GDPR).  

Mewn perthynas â cheisiadau diogelu data gan unigolion: y sail gyfreithiol dros brosesu eich data personol yw ei bod yn angenrheidiol cydymffurfio â rhwymedigaeth gyfreithiol a osodir arnom fel y rheolydd data (Erthygl 6(1)(c) GDPR y DU).

Sensitive personal data (also known as special category data)  is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. 

Y sail gyfreithiol dros brosesu unrhyw ddata personol sensitif, neu ddata am euogfarnau troseddol, lle y byddwn yn ei dderbyn, yw ei bod yn angenrheidiol am resymau o fudd sylweddol i'r cyhoedd ar gyfer arfer swyddogaeth a roddir i berson gan ddeddfiad, neu arfer swyddogaeth un o Weinidogion y Goron (para 6, atodlen 1, Deddf Diogelu Data 2018). Y swyddogaeth yw gwaith yr Ymchwiliad i gyflawni ei Gylch Gorchwyl.

Who do we share your information with?

As your personal data will be stored on our IT infrastructure, it will be shared with our data processors who manage and provide the web form where you volunteer information for the Inquiry to use, provide web analytics services (including analytics in relation to our web form, for example aggregating data and providing insights / trends), web hosting service, consultation management services, and email and document management and storage services (such as services to facilitate email messages where you have signed up to receive these). 

In relation to evidence: any evidence gathered for the inquiry will be shared with Counsel to the Inquiry, Recognised legal representatives of Individuals and corporate bodies designated as Core Participants in the Inquiry, Members of the Inquiry Panel, The Cabinet Office, through their provision of IT services, Third party data processors (such as providers of IT infrastructure or services), The public via the Inquiry website or via published reports under s.25 of the 2005 Act (where applicable).

In relation to consultations(including the listening exercise): Where individuals submit responses, our research and analytics provider will analyse the responses we receive to inform the Inquiry and help us fulfil our Terms of Reference. We will also publish such individuals’ responses, but not publicly identify them. We will endeavour to remove any information that may lead to them being identified. Responses submitted by organisations or representatives of organisations will be published. Individuals’ responses may also be shared with other Covid-19 inquiries held under statute (to inform that inquiry), government departments, public sector organisations and relevant third parties within other public bodies across the United Kingdom in order to help develop policy. We may also share data with the appropriate agencies/authorities if we have any safeguarding concerns.

Mewn perthynas â gohebiaeth gyhoeddus: Gellir rhannu eich gwybodaeth â chyrff cyhoeddus eraill, neu'r gweinyddiaethau datganoledig, lle bo angen ac er mwyn rhoi ateb llawn i chi. Gall eich gwybodaeth gael ei rhannu â chyrff cyhoeddus eraill, y gweinyddiaethau datganoledig, swyddfeydd etholaethol neu bleidiau gwleidyddol, lle mae angen trosglwyddo gohebiaeth i gorff mwy priodol i gael ateb. Efallai y bydd eich gwybodaeth yn cael ei rhannu gyda'ch AS, lle maent yn ysgrifennu ar eich rhan.

Mewn perthynas â sianeli cyfryngau cymdeithasol: Bydd unrhyw ddata personol a rennir ar lwyfannau cyfryngau cymdeithasol yn cael ei rannu â'r darparwyr cyfryngau cymdeithasol hynny. Mae unrhyw ddata personol a rennir ar lwyfannau cyfryngau cymdeithasol yn cael ei gyhoeddi, oni bai bod gosodiadau preifatrwydd wedi'u defnyddio.

How long do we keep your data?

In relation to evidence: Personal data collected as part of evidence will be held by the Inquiry until the conclusion of the Inquiry. At the end of the Inquiry, some of the personal data held by the Inquiry will – where it is considered to form part of the historic record – be transferred for the purposes of indefinite retention of Inquiry records by the National Archives in accordance with the Public Records Act 1958. Personal data that is not required for archiving purposes will be destroyed.  

Mewn perthynas â chyfathrebu: Bydd eich data personol yn cael ei gadw gennym at ddibenion cysylltu ag unigolion mewn rolau penodol, ac unwaith y byddant yn gadael y rolau hynny bydd y wybodaeth yn cael ei diweddaru a neu ei dileu. Dylai hyn ddigwydd o leiaf bob blwyddyn.

In relation to consultation(including the listening exercise): published information will generally be retained indefinitely on the basis that the information is of historic value. This would include, for example, personal data about representatives of organisations. Responses from individuals will be retained in identifiable form for three calendar years after the consultation has concluded. 

Mewn perthynas â'r wefan: cedwir data dadansoddeg am 2 flynedd, sy'n adnewyddu'n awtomatig ar dderbyn cwcis.

Mewn perthynas â gohebiaeth gyhoeddus: bydd gwybodaeth bersonol mewn gohebiaeth fel arfer yn cael ei dileu 3 blynedd galendr ar ôl yr ohebiaeth, neu os yw'r achos wedi'i gau neu ei gwblhau. Fodd bynnag, gellir cadw gohebiaeth gyhoeddus os yw'n ddigon arwyddocaol y dylid ei chadw ar gyfer y cofnod hanesyddol.

Mewn perthynas â cheisiadau diogelu data gan unigolion: bydd data personol a gedwir mewn perthynas â cheisiadau diogelu data yn cael ei gadw gan yr Ymchwiliad am hyd at ddwy flynedd o ddyddiad y cyswllt diwethaf. Bydd dogfennau a ddefnyddir i ddilysu hunaniaeth yn cael eu dileu unwaith y bydd hunaniaeth wedi'i dilysu. 

Mewn perthynas â sianeli cyfryngau cymdeithasol: Bydd ein negeseuon cyfryngau cymdeithasol yn cael eu cadw am gyfnod amhenodol fel rhan o'r cofnod hanesyddol. Bydd data a gyhoeddir ar lwyfannau cyfryngau cymdeithasol gan ddefnyddwyr yn parhau nes iddo gael ei ddileu gan y defnyddiwr cyfryngau cymdeithasol.

In relation to email updates: No longer than 2 years after closure of the Inquiry.

Where personal data has not been obtained from you

Your personal data may have been obtained by us from a respondent to a consultation or a correspondent, or shared with us by another Covid-19 Inquiry.

Mae'n bosibl bod manylion cyswllt rhanddeiliaid allanol neu bartïon â diddordeb wedi'u cael o ffynonellau cyhoeddus gan gynnwys y rhyngrwyd neu eu cyflogwyr.

What are my rights?

  • Mae gennych yr hawl i ofyn am wybodaeth am sut y caiff eich data personol ei brosesu, ac i ofyn am gopi o'r data personol hwnnw.
  • Mae gennych yr hawl i ofyn i unrhyw anghywirdebau yn eich data personol gael eu cywiro'n ddi-oed.
  • Mae gennych yr hawl i ofyn i unrhyw ddata personol anghyflawn gael ei gwblhau, gan gynnwys drwy ddatganiad atodol.
  • Mae gennych yr hawl i ofyn i'ch data personol gael ei ddileu os nad oes cyfiawnhad dros eu prosesu mwyach.
  • Mae gennych yr hawl mewn rhai amgylchiadau (er enghraifft, lle mae cywirdeb yn cael ei herio) i ofyn am gyfyngu ar brosesu eich data personol.
  • Mae gennych yr hawl i wrthwynebu prosesu eich data personol.

Your rights may be subject to exemptions or limitations. Requests are dealt with on a case-by-case basis.

Where is my personal data stored?

As your personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the UK. Where that is the case it will be subject to equivalent legal protection through an adequacy decision, or the use of appropriate contractual documents, such as the International Data Transfer Agreement.

How to contact us

The data controller for your personal data is the UK Covid-19 Inquiry Office. The contact details for the data controller are: contact@covid19.public-inquiry.uk

You can raise any privacy and data protection concerns with the UK Covid-19 Inquiry Data Protection Officer. The Data Protection Officer provides independent advice and monitoring of the Inquiry’s use of personal information.

The contact details of the UK Covid-19 Inquiry DPO: dpo@covid19.public-inquiry.cabinetoffice.gov.uk

Complaints and appeals

If you have already made a complaint to us and are not happy with the outcome, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). The ICO is the supervisory authority responsible for data protection in the UK.

The Information Commissioner can be contacted at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

0303 123 1113 or icocasework@ico.org.uk

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Review

This privacy notice was last reviewed November 2022.