Data Protection Policy
1. Summary
The use of personal data is covered by the Data Protection Act 1998 ("DPA"). The work carried out by the Inquiry may involve the collection of personal data about individuals who: (a) suffered abuse; or (b) were witnesses to abuse; or (c) worked at, attended or had contact with the Kerelaw Residential School in the period of time during which the abuse occurred. It is therefore important that all individuals involved in helping the Inquiry understand: (i) how the DPA will apply to the Inquiry; and (ii) the Inquiry's obligations under the DPA.
2. Data Controller
A "data controller" is the person who in terms of the DPA is responsible for the use of the personal data. Whilst the Inquiry was jointly commissioned by the Scottish Government and Glasgow City Council, the Inquiry is to be carried out independently of these public authorities and therefore is a separate data controller for the purposes of the DPA. The Inquiry has registered itself as a data controller with the Information Commissioner's Office.
3. The Inquiry's Responsibilities under the DPA
The DPA requires the Inquiry, as a data controller, to comply with eight "principles" and, therefore, the individuals involved in conducting the Inquiry must be aware of these principles. The principles are set out in the Appendix to this policy. The practical implication of these eight principles for the Inquiry are as follows:
- if the Inquiry involves the gathering and use of sensitive personal data, that includes data relating to: (i) physical or mental health or condition; (ii) sexual life; (iii) commission or alleged commission of any offence; and (iv) proceedings for any offence or disposal of proceedings or court sentence, the specific consent of the individuals who are questioned or otherwise communicated with in connection with the Inquiry will be sought. A Consent Form, which can be obtained from Evelyn McKenna, at the Inquiry address is available for this purpose.
- If an individual has provided personal data about him or herself for the purposes of the Inquiry, that individual has effectively given consent to the use of the personal data for that purpose only. The personal data cannot be used for any purpose unrelated to the inquiry;
- data will not be collected simply because it would be nice to have. The Inquiry will only ask for data relevant to its investigations;
- The Inquiry will keep information it holds up to date and accurate. For example the Inquiry's database of names and addresses of all individuals who have been communicated with in connection with the Inquiry will be updated if we are informed that someone on that database has moved house;
- information will need to be held for the life of the Inquiry and for a period after that in case of enquiries. The Inquiry will hold the information gathered for one year after completion of the final report. The information will then be destroyed or deleted, or where appropriate returned to the originator.
- there are a number of rights granted to individuals in terms of the DPA and any processing which is carried out must take these rights into account. The most important right to be aware of is the subject access right, i.e. the right of an individual to be given a copy of any personal data held about them. In providing an individual with a copy of their personal data the Inquiry will consider whether it can avoid disclosing third party personal data. If there is likely to be disclosure of third party data, consideration will be given as to whether it is in fact appropriate to disclose the data; and
- to ensure the security of data all individuals involved in conducting the Inquiry will ensure that: (a) computers are password protected and locked when not in use; (b) passwords are not disclosed to any third party; (c) any information that is stored on laptops or downloaded to portable and mobile devices, such as USB sticks, will be appropriately protected, (d) filing cabinets will be kept locked at all times; (e) no one outside of the Inquiry team will be given access to the Inquiry's computer database or system (for the avoidance of doubt, the Inquiry's IT support is to be provided by a third party, however, arrangements have been put in place by the Inquiry team to ensure continued compliance with the DPA); and (f) papers are locked away securely when not in use or when left unattended.
4. Any Queries
The Inquiry takes its responsibilities under the DPA very seriously. If an individual involved in conducting the Inquiry has any questions regarding the DPA they should refer such questions to Katie Lamb at the address below in the first instance.
5. Inquiry address
Kerelaw Independent Inquiry
PO Box 23871
Edinburgh
EH3 7WD
Tel: 0131 260 5368
The Data Protection Principles
- Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless a) at least one of the conditions in Schedule 2 is met, and b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.