Privacy Notice

17 April 2023

Introduction

The Commissioner for Survivors of Institutional Childhood Abuse is committed to protecting your privacy. This Privacy Notice explains how the Office of the Commissioner uses information about you and the ways in which we will safeguard your personal information. It is designed to meet the requirements of the United Kingdom General Data Protection Regulation (UK GDPR), and the Data Protection Act 2018, in terms of your individual right to be kept informed about how and why we collect, and use information, about you.

Who we are

The Office of the Commissioner is an independent office established under the Historical Institutional Abuse (Northern Ireland) Act 2019 (the Act). The principal aim of The Office of the Commissioner in exercising functions under the Act is to fulfil one of the recommendations of the Historical Institutional Abuse Inquiry through promoting the interests of any person who suffered abuse while a child and while resident in an institution at some time between 1922 and 1995. Any information that you provide to us will be used to assist us in discharging our functions under the Act.

The type of personal information we process

We currently collect and process some or all of the following information:

Your contact details (name, postal address, telephone number, email address); Occasionally, we may collect and process the following types of information;
Details of the institutions you had a connection with;
Third party contact details, for example, with your consent, the contact details of your family, friends or legal representatives to enable us to assist you;
Additional information provided voluntarily by you which may include special category (sensitive) personal information, for example information relating to an individual’s physical or mental health, religion or sexuality;
Records from public and targeted events at which you were present;
Records from meetings (including virtual meetings) with victims and survivors at which you were present, or being represented;
Personal information belonging to you held by other public sector organisations, in PRONI records and/or Inquiry recordings/transcripts, which may include special category (sensitive) personal information, for example information relating to an individual’s physical or mental health, religion or sexuality.
Criminal records data including allegations of criminal offences.

It is important to note, that when communicating with The Office of the Commissioner, an individual does not have to provide the information we may ask for. However, where an individual does not provide the information requested, The Office of the Commissioner may be unable to complete the particular task for which the information was requested.

How we get your personal information

Most of the personal information we process is either provided directly by you, from our meetings with you, by organisations representing or connected to you, or has come from government records (including from The Historical Institutional Abuse Inquiry).

We may also receive personal information indirectly, from third parties including from another public sector organisation.

Who the information may be shared with

Any personal information we process will not be shared outside of The Office of the Commissioner unless with your consent, or if the law permits, or places an obligation on The Office of the Commissioner to do so, or that sharing is necessary to safeguard the interests of you, the data subject. Where it is appropriate we will keep you informed.

Our lawful basis for processing personal information

To comply with data protection legislation, we must have a lawful basis for processing any personal information.

The processing that The Office of the Commissioner carries out in this case is on a ‘public task’ basis under Article 6(1)(e) of the UK GDPR. This means the processing is necessary for The Office of the Commissioner to perform a task in the public interest, or in order to discharge its official functions, including those under the Historical Institutional Abuse (Northern Ireland) Act 2019.

As noted above, some of the personal information we process may be special category personal information. Special category personal information needs more protection as it is particularly sensitive. To lawfully process special category information, in addition to the lawful basis under Article 6 of the UK GDPR outlined above, we rely on the condition under Article 9(2)(g) of the UK GDPR – where “processing is necessary for substantial public interest purposes”. Furthermore, provision for the processing of special categories of personal information relies on the requirement that a condition in Part 2 of Schedule 1 of the Data Protection Act 2018 is met. In this regard the condition in paragraph 6 is applicable – that processing is necessary in the exercise of a function conferred by an enactment, or rule of law and for reasons of substantial public interest, and in the exercise of a function of a government department.

In compliance with Article 10, processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1)(e), shall be carried out under the official authority vested in The Office of the Commissioner as an Arm’s-length body of The Executive Office (TEO) as a Northern Ireland department. Furthermore, s10(5) of the Data Protection Act 2018 provides that the processing of personal data relating to criminal offences is authorised if it meets one of the derogations in Schedule 1 of that Act. In this context the following derogations at Part 2 of that Schedule are relevant:

- Paragraph 6: the processing is necessary for reasons of substantial public interest;

- Paragraph 10: the processing is necessary in preventing and detecting unlawful acts;

- Paragraph 30: the processing is necessary in protecting an individual’s vital interests.

The Office of the Commissioner is a statutory body under the Act and is therefore subject to the rules under the Act for processing.

How we store your personal information

Your personal information will be managed in accordance with the UK GDPR and DPA 2018 legislation.

Where personal information is received by:

hard copy format - it is scanned to create an electronic copy, and saved and retained securely within Advice Pro a secure web-based case management system. Group information is saved and retained securely with Content Manager, the standard system for records management in the Northern Ireland Civil Service. If requested, the original is then returned or placed in the confidential waste bin.
electronic format - it is saved and retained securely within Advice Pro and Content Manager;
telecommunication format - it is recorded on a telephone call log document within Advice Pro.

Access to all personal information processed by The Office of the Commissioner is restricted to those assigned a user licenses for Advice Pro and Content Manager in The Office of the Commissioner.

The Office of the Commissioner will safeguard the security of any personal information supplied by ensuring:

It will not be shared outside of The Office of the Commissioner except for reasons mentioned above;
It will not be transferred to other individuals or organisations, unless documents are password protected; and the password is communicated in a separate email to the receiving individual or organisation
The use of a secure encrypted IT system, services, or an application (commonly known as an “app”) and where necessary, further encrypting documents before being shared
Staff will be provided with data protection training and guidance.

How long we keep personal information

Personal information will be kept for no longer than is necessary for the purposes for which it has been obtained, in line with The Office of the Commissioner's Retention and Disposal Schedule (hereafter referred to as ‘the Schedule’).

Under the Schedule, records will be reviewed seven years after the last record is received by The Office of the Commissioner. Following the review the record will either be retained by The Office of the Commissioner (if the office is still in place) or by TEO; disposed of securely; or transferred to the Public Record Office of Northern Ireland (PRONI) for permanent preservation.

The Office of the Commissioner will conduct regular reviews of personal information held, ensuring it is accurate and kept up to date, and will engage with you (the ‘data subject’) on the purposes for which your personal information is held.

In certain circumstances you may request that your personal information be removed from our records by contacting The Office of the Commissioner's Data Protection Officer using the contact details provided at the end of this notice.

It is important to note that if you request your personal information to be removed, The Office of the Commissioner will no longer be able to communicate with you about matters that may be of interest.

What are your rights?

You have the right to be informed and you can also obtain confirmation that your personal information is being processed; more detail is provided here.
You have the right to access your personal information; more detail is provided here.
You are entitled to have personal information rectified if it is inaccurate or incomplete. You can find out more here.
You have a right to have personal information erased and to prevent processing in specific circumstances. You can find out more here.
You have the right to restrict processing of personal information in specific circumstances. You can find out more here.
You have the right to data portability in specific circumstances. You can find out more here.
You have the right to object to the processing of personal information in specific circumstances. You can find out more here.
You have rights in relation to automated decision making and profiling. You can find out more here but please be advised that no personal information supplied by you will be used for the purpose of automated decision making and profiling.

Alternative Formats or General Enquiries

This Office of the Commissioner Privacy Notice document is available online at:

Privacy notice | The Commissioner for Survivors of Institutional Childhood Abuse

If you have any other queries about this Privacy Notice, or require it in an alternative format or language, including hard copy, please contact the Commissioner for Survivors of Institutional Childhood Abuse at the address above.

Complaints

If you wish to discuss the processing of your personal information, or are dissatisfied with how your personal information is being processed, please contact The Office of the Commissioner's Data Protection Officer using the details provided below.

Joanne McComb
Data Protection Officer
The Commissioner for Survivors of Institutional Childhood Abuse
5th Floor South
56-66 Queens Street
BELFAST
BT1 6FD
Northern Ireland

Tel: (+44) 28 9054 4985
Email: info@cosica-ni.org

If you are still dissatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House Water Lane Wilmslow CHESHIRE SK9 5AF
UNITED KINGDOM
Tel: (+44) 0303 123 1113
Email: casework@ico.org.uk

https://ico.org.uk/make-a-complaint/your-personal-information-concerns/

Changes to this Privacy Notice

We keep this Privacy Notice under regular review and we will place any updates on The Office of the Commissioner's website.

This Privacy Notice was last updated on 03 March 2023.

Documents

Privacy Notice 2023 Microsoft Word (112.77 KB)

Help viewing documents