
Disclosure Scotland’s privacy notice for the Scottish COVID-19 Inquiry

The Scottish COVID-19 Inquiry is investigating the coronavirus response in Scotland. Disclosure Scotland needs to share information with this inquiry. This includes personal information of its current and past employees.

Disclosure Scotland is working with the Covid Inquiry Information Governance Division (CIIGD). This privacy notice explains how Disclosure Scotland applies data protection principles when processing personal data. 

The notice sets out your privacy rights. It also sets out how Disclosure Scotland gathers, uses and shares personal data when providing information to the inquiry. It is in line with current data protection legislation. 

About the inquiry

The CIIGD is co-ordinating the Scottish Government and Executive Agencies’ participation in the inquiry. It gathers information held by the Scottish Government and the Executive Agencies that the inquiry has asked for. It reviews and prepares the information so it can share it securely with the inquiry. 

Lawful bases 

The lawful basis for sharing data with the inquiry is Article 6(1)c of the UK General Data Protection Regulation (GDPR): “processing is necessary for compliance with a legal obligation to which the Ministers are subject”.

The lawful basis for gathering, reviewing and collating data to respond to the inquiry is Article 6(1)e of the UK GDPR: “processing is necessary for the performance of a task carried out in the public interest”.

Data collection and processing

Disclosure Scotland only collects and transfers personal data held by the organisation that it needs to provide to the inquiry. During its working relationship with you and the inquiry, Disclosure Scotland may collect, store, and use:

  • information in your email signature, such as your name, job title, Disclosure Scotland telephone numbers and Disclosure Scotland email addresses
  • names and contact details of contractors or consultants
  • information about your involvement in the coronavirus response as an employee of Disclosure Scotland and the Scottish Government 

Where your data is collected from

Your data is collected from the Scottish Government document storage system (eRDM) and other storage systems used in Disclosure Scotland. 

Who your data is shared with 

Disclosure Scotland will share your data with the inquiry to comply with any section 21 Inquiries Act 2005 notices. These notices are served by the inquiry through the Scottish Government. There are processes in place to protect your personal data. Data is shared with the inquiry through Objective Connect. This is a secure platform on eRDM.

Information about inquiry notices

When the inquiry serves a section 21 notice on Scottish Ministers to provide relevant information, this creates a legal obligation on Scottish Ministers. Relevant information may include personal data. This obligation on Disclosure Scotland and the Scottish Government allows the lawful processing of personal data under UK GDPR.

Disclosure Scotland and the Scottish Government must provide the relevant personal data to the inquiry to comply with the section 21 notice. If they do not comply, this may be contempt of court by the Scottish Government.  

Under the Inquiries Act 2005, the inquiry cannot make any determination as a matter of civil or criminal law, but it will make findings about facts and recommendations. There's more information about what the inquiry can do in its terms of reference.

How your data is stored

Disclosure Scotland stores your data on their corporate system on eRDM and Objective Connect. 

How long your data is kept

The data that is shared with the inquiry is kept in line with the Scottish Government’s records management policy. It is kept on eRDM for as long as it's needed to support the Scottish Government in its legal obligations. 

The Scottish Government retention schedules set out how long types of records are kept, in line with legal, audit and operational requirements. Disclosure Scotland and the CIIGD follow these schedules.

Your rights 

When Disclosure Scotland is processing personal data due to a legal obligation, you: 

In some cases you have:

These rights do not always apply. When there are legal requirements for Disclosure Scotland to process personal data, it may not be able to complete an erasure request. 

There’s more information on the rights you have over how your personal data is handled on the Information Commissioner’s Office website. 

How to make a complaint

If you’re unhappy with the way Disclosure Scotland handles your personal data, you can contact its Data Protection Officer. Email or write to: 

Data Protection Officer
1 Pacific Quay 
G51 1YU

If you feel Disclosure Scotland has been unable or unwilling to resolve your complaint, you can make a complaint to the Information Commissioner’s Office.
