The UK Covid-19 Inquiry is an independent public inquiry set up to examine the UK’s response to and impact of the Covid-19 pandemic, and learn lessons for the future.
This notice sets out how we will use your personal data and your rights.
Who we are
We are an independent inquiry team, sponsored by the Cabinet Office. We are a data controller.
We also use suppliers, who act as processors of personal data on behalf of the UK Covid-19 Inquiry.
What do we use your data for?
We process data for a range of purposes connected with the UK Covid-19 Inquiry (the Inquiry). These include:
- to build evidence for the Inquiry
- to communicate with external stakeholders or interested parties, including officials, journalists, witnesses, and members of the public
- to obtain the opinions of members of the public, parliamentarians and representatives of organisations and companies about the Inquiry, including in relation to the Inquiry’s Terms of Reference
- to operate the Inquiry’s website
- to deal with public correspondence
- to respond to data protection requests from individuals
- to provide the public with information about the Inquiry through social media channels
- to provide further information to you about the Inquiry via email if you sign up to receive these emails (email updates)
What personal data will be collected and processed?
We will process the following personal data that you may provide to us in relation to the Inquiry:
- In relation to evidence for the Inquiry: name, address, email address, job title, employer, opinions, health information, criminal convictions and any other sensitive information you volunteer about yourself or others.
- In relation to external communications: name, address, email address, job title (where these are provided by you), and employer (where provided by you).
- In relation to consultations (including the listening exercise): name, address, email address, job title (where these are provided by you), and employer (where provided by you), as well as opinions. We may also process sensitive data such as health information, ethnic origin, criminal convictions and any other information you volunteer about yourself or others. We may also process additional biographical information about respondents or third parties where it is volunteered.
- In relation to our website: analytics on how our site is used. In most cases this data will not be personal data because we will not be able to identify individual site users.
- In relation to public correspondence: name, address, email address, details of any concerns raised in your correspondence, and any other information you volunteer about yourself or others. We may also process special category data or data about criminal convictions, if you volunteer such information.
- In relation to email updates: name and email address.
- In relation to data protection requests from individuals: name, address, email address, your request, documents needed to verify your identity.
- In relation to social media channels: names, email addresses, photographs, videos, social media handles, opinions, and any other data volunteered, including sensitive personal data.
What is our lawful basis to use your information?
For the majority of personal data we process, our legal basis for processing your personal data is that it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller (Article 6(1)(e) UK GDPR). In this case that is the Inquiry’s work to fulfil its Terms of Reference.
In relation to social media channels: Where we post personal data relating to government activity, our legal basis is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller (Article 6(1)(e) UK GDPR). Where we process personal data generated by social media users, the legal basis for processing that personal data is because the user consents to us doing so (Article 6(1)(a) UK GDPR).
In relation to email updates: the legal basis for processing your personal data is based on the Inquiry’s legitimate interests, namely to fulfil its Terms of Reference (Article 6(1)(f) UK GDPR), and your consent to receiving those Email Updates (Article 6(1)(a) UK GDPR).
In relation to data protection requests from individuals: the legal basis for processing your personal data is that it is necessary to comply with a legal obligation placed on us as the data controller (Article 6(1)(c) UK GDPR).
Sensitive personal data (also known as special category data) is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The legal basis for processing any sensitive personal data, or data about criminal convictions, where we receive it, is that it is necessary for reasons of substantial public interest for the exercise of a function conferred on a person by an enactment, or the exercise of a function of a Minister of the Crown (para 6, schedule 1, Data Protection Act 2018). The function is the Inquiry’s work to fulfil its Terms of Reference.
Who do we share your information with?
As your personal data will be stored on our IT infrastructure, it will be shared with our data processors who manage and provide the web form where you volunteer information for the Inquiry to use, provide web analytics services (including analytics in relation to our web form, for example aggregating data and providing insights / trends), web hosting service, consultation management services, and email and document management and storage services (such as services to facilitate email messages where you have signed up to receive these).
In relation to evidence: any evidence gathered for the inquiry will be shared with Counsel to the Inquiry, Recognised legal representatives of Individuals and corporate bodies designated as Core Participants in the Inquiry, Members of the Inquiry Panel, The Cabinet Office, through their provision of IT services, Third party data processors (such as providers of IT infrastructure or services), The public via the Inquiry website or via published reports under s.25 of the 2005 Act (where applicable).
In relation to consultations(including the listening exercise): Where individuals submit responses, our research and analytics provider will analyse the responses we receive to inform the Inquiry and help us fulfil our Terms of Reference. We will also publish such individuals’ responses, but not publicly identify them. We will endeavour to remove any information that may lead to them being identified. Responses submitted by organisations or representatives of organisations will be published. Individuals’ responses may also be shared with other Covid-19 inquiries held under statute (to inform that inquiry), government departments, public sector organisations and relevant third parties within other public bodies across the United Kingdom in order to help develop policy. We may also share data with the appropriate agencies/authorities if we have any safeguarding concerns.
In relation to public correspondence: Your information may be shared with other public bodies, or the devolved administrations, where it is necessary and in order to provide a full answer to you. Your information may be shared with other public bodies, the devolved administrations, constituency offices or political parties, where it is necessary to transfer correspondence to a more appropriate body for an answer. Your information may be shared with your MP, where they are writing on your behalf.
In relation to social media channels: Any personal data shared on social media platforms will be shared with those social media providers. Any personal data shared on social media platforms is made public, unless privacy settings have been used.
How long do we keep your data?
In relation to evidence: Personal data collected as part of evidence will be held by the Inquiry until the conclusion of the Inquiry. At the end of the Inquiry, some of the personal data held by the Inquiry will – where it is considered to form part of the historic record – be transferred for the purposes of indefinite retention of Inquiry records by the National Archives in accordance with the Public Records Act 1958. Personal data that is not required for archiving purposes will be destroyed.
In relation to communications: Your personal data will be kept by us for the purposes of contacting individuals in particular roles, and once they leave those roles the information will be updated and or deleted. This should take place at least annually.
In relation to consultation(including the listening exercise): published information will generally be retained indefinitely on the basis that the information is of historic value. This would include, for example, personal data about representatives of organisations. Responses from individuals will be retained in identifiable form for three calendar years after the consultation has concluded.
In relation to the website: analytics data will be retained for 2 years, which auto-renews on re-acceptance of cookies.
In relation to public correspondence: personal information in correspondence will usually be deleted 3 calendar years after the correspondence, or the case is closed or concluded. However, public correspondence may be kept if it is sufficiently significant that it should be retained for the historical record.
In relation to data protection requests from individuals: personal data held in relation to data protection requests will be kept by the Inquiry for up to two years from the date of last contact. Documents used to verify identity will be deleted once identity has been verified.
In relation to social media channels: Our social media posts will be retained indefinitely as part of the historical record. Data published on social media platforms by end users will remain until it is deleted by the social media user.
In relation to email updates: No longer than 2 years after closure of the Inquiry.
Where personal data has not been obtained from you
Your personal data may have been obtained by us from a respondent to a consultation or a correspondent, or shared with us by another Covid-19 Inquiry.
Contact details for external stakeholders or interested parties may have been obtained from public sources including the internet or their employers.
What are my rights?
- You have the right to request information about how your personal data are processed, and to request a copy of that personal data.
- You have the right to request that any inaccuracies in your personal data are rectified without delay.
- You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement.
- You have the right to request that your personal data are erased if there is no longer a justification for them to be processed.
- You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.
- You have the right to object to the processing of your personal data.
Your rights may be subject to exemptions or limitations. Requests are dealt with on a case-by-case basis.
Where is my personal data stored?
As your personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the UK. Where that is the case it will be subject to equivalent legal protection through an adequacy decision, or the use of appropriate contractual documents, such as the International Data Transfer Agreement.
How to contact us
The data controller for your personal data is the UK Covid-19 Inquiry Office. The contact details for the data controller are: firstname.lastname@example.org
You can raise any privacy and data protection concerns with the UK Covid-19 Inquiry Data Protection Officer. The Data Protection Officer provides independent advice and monitoring of the Inquiry’s use of personal information.
The contact details of the UK Covid-19 Inquiry DPO: email@example.com
Complaints and appeals
If you have already made a complaint to us and are not happy with the outcome, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). The ICO is the supervisory authority responsible for data protection in the UK.
The Information Commissioner can be contacted at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
0303 123 1113 or firstname.lastname@example.org
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
This privacy notice was last reviewed November 2022.