Disclosure Scotland’s privacy notice for the Scottish COVID-19 Inquiry
The Scottish COVID-19 Inquiry is investigating the coronavirus response in Scotland. Disclosure Scotland needs to share information with this inquiry. This includes personal information of its current and past employees.
Disclosure Scotland is working with the Covid Inquiry Information Governance Division (CIIGD). This privacy notice explains how Disclosure Scotland applies data protection principles when processing personal data.
The notice sets out your privacy rights. It also sets out how Disclosure Scotland gathers, uses and shares personal data when providing information to the inquiry. It is in line with current data protection legislation.
About the inquiry
The CIIGD is co-ordinating the Scottish Government and Executive Agencies’ participation in the inquiry. It gathers information held by the Scottish Government and the Executive Agencies that the inquiry has asked for. It reviews and prepares the information so it can share it securely with the inquiry.
Lawful bases
The lawful basis for sharing data with the inquiry is Article 6(1)c of the UK General Data Protection Regulation (GDPR): “processing is necessary for compliance with a legal obligation to which the Ministers are subject”.
The lawful basis for gathering, reviewing and collating data to respond to the inquiry is Article 6(1)e of the UK GDPR: “processing is necessary for the performance of a task carried out in the public interest”.
Data collection and processing
Disclosure Scotland only collects and transfers personal data held by the organisation that it needs to provide to the inquiry. During its working relationship with you and the inquiry, Disclosure Scotland may collect, store, and use:
- information in your email signature, such as your name, job title, Disclosure Scotland telephone numbers and Disclosure Scotland email addresses
- names and contact details of contractors or consultants
- information about your involvement in the coronavirus response as an employee of Disclosure Scotland and the Scottish Government
Where your data is collected from
Your data is collected from the Scottish Government document storage system (eRDM) and other storage systems used in Disclosure Scotland.
Who your data is shared with
Disclosure Scotland will share your data with the inquiry to comply with any section 21 Inquiries Act 2005 notices. These notices are served by the inquiry through the Scottish Government. There are processes in place to protect your personal data. Data is shared with the inquiry through Objective Connect. This is a secure platform on eRDM.
Information about inquiry notices
When the inquiry serves a section 21 notice on Scottish Ministers to provide relevant information, this creates a legal obligation on Scottish Ministers. Relevant information may include personal data. This obligation on Disclosure Scotland and the Scottish Government allows the lawful processing of personal data under UK GDPR.
Disclosure Scotland and the Scottish Government must provide the relevant personal data to the inquiry to comply with the section 21 notice. If they do not comply, this may be contempt of court by the Scottish Government.
Under the Inquiries Act 2005, the inquiry cannot make any determination as a matter of civil or criminal law, but it will make findings about facts and recommendations. There's more information about what the the inquiry can do in its terms of reference.
How your data is stored
Disclosure Scotland stores your data on their corporate system on eRDM and Objective Connect.
How long your data is kept
The data that is shared with the inquiry is kept in line with the Scottish Government’s records management policy. It is kept on eRDM for as long as it's needed to support the Scottish Government in its legal obligations.
The Scottish Government retention schedules set out how long types of records are kept, in line with legal, audit and operational requirements. Disclosure Scotland and the CIIGD follow these schedules.
Your rights
When Disclosure Scotland is processing personal data due to a legal obligation, you:
- have the right to obtain confirmation that your data is being processed and access to your personal data
- are entitled to have personal data rectified if it’s inaccurate or incomplete
In some cases you have:
- the right to have personal data erased and to prevent processing
- the right to block or suppress processing of personal data
- the right to object to the processing
These rights do not always apply. When there are legal requirements for Disclosure Scotland to process personal data, it may not be able to complete an erasure request.
There’s more information on the rights you have over how your personal data is handled on the Information Commissioner’s Office website.
How to make a complaint
If you’re unhappy with the way Disclosure Scotland handles your personal data, you can contact its Data Protection Officer. Email dsdpo@gov.scot or write to:
Data Protection Officer
1 Pacific Quay
Glasgow
G51 1YU
If you feel Disclosure Scotland has been unable or unwilling to resolve your complaint, you can make a complaint to the Information Commissioner’s Office.
There is a problem
Thanks for your feedback