Privacy notice

Introduction

1. The Post Office Horizon IT Inquiry (the Inquiry) is a Statutory Inquiry under the Inquiries Act 2005 exercising functions in the public interest. The Inquiry is the data controller for your personal information.

2. The Inquiry is investigating the implementation and failings associated with Post Office Ltd’s Horizon IT system. The terms of reference of the Inquiry are set out on our website: https://www.postofficehorizoninquiry.org.uk/key-documents/terms-reference.

3. The purpose of this privacy notice is to set out how the Inquiry will use your personal data; who it may be shared with; and your rights. It is made under Articles 13 and/or 14 and Article 30 of the United Kingdom General Data Protection Regulation (UK-GDPR).

What data the Inquiry needs to collect and the legal basis for processing it

Purposes of data collection

4. The purposes for which the Inquiry collects and processes your personal data are the effective conduct of the Inquiry and discharging the Terms of Reference.

5. The Inquiry is investigating the matters set out in its Terms of Reference, supported by a List of Issues, and in accordance with its Protocols.

6. In order to carry out its investigation and conduct its hearings the Inquiry will need to collect and process personal information.

7. Personal information is used by the Inquiry in a number of ways – for example, to gather evidence as part of the Inquiry’s investigation, to facilitate access to the Inquiry, to enable witnesses to give evidence and to communicate with you and keep you updated on the progress of the Inquiry.

8. The hearings, except in exceptional circumstances and as required by law, will be held in public and evidence referred to at hearings will become publicly available. Other evidence and information may be available on the Inquiry’s website.

9. Personal information may also be contained in the Report of the Inquiry, which will be published after the conclusion of the Inquiry investigations and hearings. Personal information may also be used by the Inquiry to comply with the law and with contracts that the Inquiry has entered into.

10. The Inquiry also collects and uses personal data as part of our standard corporate functions. For example, we will collect personal data relating to our staff, visitor sign in data, security data, data relating to our website, and data relating to the management of our social media.

Data collected

11. Personal data is collected, recorded and organised by the Inquiry. Typically, data will be requested by the Inquiry from relevant individuals or organisations or submitted voluntarily, for example in a witness statement. The Inquiry also has powers to compel an individual or organisation to provide requested information.

12. Personal data processed by the Inquiry can therefore comprise the personal data of:

Members of the public who contact the Inquiry
Core Participants in the Inquiry
Other witnesses providing evidence to the Inquiry
Contracted parties to the Inquiry
Persons referred to in information received by the Inquiry from any of the above.

13. The following is a non-exhaustive list of categories of personal data that will be processed in relation to the Inquiry’s core function:

Personal data – typically biographical data such as name, date of birth, personal description, contact details, images and voice recordings.
Special category data – this will typically include data relating to health, data relating to race/ethnicity, religious beliefs and Trade Union membership. Some special category data may relate to children.
Personal data relating to criminal convictions and offences – the processing of data in relation to criminal convictions is subject to strict controls.

14. The Inquiry keeps your data secure and only shares it with those who are required to see it as part of the process of the Inquiry. All personal information we receive is handled fairly and lawfully in accordance with data protection legislation.

15. Typically, personal data is held in digital format in IT systems which meet government security standards. The details of the security arrangements are not set out in this Notice to avoid compromising the effectiveness of those arrangements.

Legal basis for processing

(i) Non-special category personal data

16. For data which does not fall within the definition of special category data (see below), the Inquiry will rely on the legal basis described below for processing. When processing your personal data, the Inquiry will, at all times, consider whether the processing or disclosure of such data is necessary for the Inquiry proceedings and functioning.

In respect of the core functions of the Inquiry:

the primary legal basis relied on for lawful processing by the Inquiry of personal data is Article 6 (1)(e) UK-GDPR: processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The Chair has official authority to perform the core function of the Inquiry in order to investigate the matters falling within the Inquiry’s terms of reference.
In respect of material provided to the Inquiry (in particular, by witnesses) where you as the data subject have given consent to the processing, Article 6 (1) (a) UK-GDPR will also apply.
The processing of evidentiary material is necessary for compliance with legal obligations, which is provided for under Article 6(1)(c) of the UK-GDPR. This includes section 18 (1) of the 2005 Act that provides, subject to restrictions notices, that the public are to have access to inquiry proceedings and information.

In respect of contracts:

For providers of services to the Inquiry, the primary legal basis for processing your personal data will be that it is necessary for the performance of a contract to which you are a party.

(ii) Special category personal data

17. Special category, or sensitive, data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data (where used for identification purposes), data concerning health or data concerning an individual’s sex life or sexual orientation.

18. Processing by the Inquiry potentially extends to all types of special category personal data, but most typically will involve information relating to health, race/ethnicity, religious beliefs and trade union membership.

19. In addition to the legal bases for processing personal data generally, outlined above, the legal bases for processing sensitive personal data pursuant to Article 9 UK-GDPR, read together with s. 10 of the Data Protection Act 2018, are:

that processing is necessary for reasons of substantial public interest, including the exercise of a function conferred by an enactment/rule of law (the Inquiries Act 2005 and the Inquiry Rules 2006), to the extent that it is necessary, or
that the consent of the data subject (where applicable) has been obtained.

(iii) Criminal conviction personal data

20. Where data relating to criminal convictions/offences is concerned, the lawful purpose will be dealt with by article 10 UK-GDPR/s.10(5) DPA 2018, including where the processing is necessary for the exercise of a function conferred on the Chair by the Inquiries Act 2005 and the Inquiry Rules 2006 and/or where it is necessary for the purpose of or in connection with legal proceedings.

Who we share your data with and why

21. As the Inquiry is publicly accessible, your personal data may be shared with anyone following the proceedings, including the press, when given in evidence (or on the Inquiry’s website). There are clear processes, including robust redactions processes, in place which govern the protection of your personal data. Save where consent is provided by you, as a data subject - only data necessary for the Inquiry’s performance of its functions will be disclosed outside the Inquiry or to those instructed by the Inquiry.

22. During the course of undertaking the duties of the Inquiry, your data may be shared by the Inquiry with the following main groups:

The Solicitor and Lead Counsel to the Inquiry
Other Solicitors and Counsel who are instructed by the Inquiry
Recognised legal representatives of individuals and corporate bodies recognised as Core Participants in the Inquiry
Interested parties in the Inquiry
Expert witnesses appointed by the Inquiry
Assessors appointed by the Inquiry
Third party data processors (such as providers of IT infrastructure or electronic disclosure platforms/services)
The public, via the Inquiry website or via the Inquiry’s published report(s).
External witness Tracing firms utilised by the Inquiry
Current and/or previous employers to obtain current or last known addresses for the purpose of obtaining current contact details of potential witnesses.

23. The majority of personal data submitted to the Inquiry is transferred to IT systems operated by 3rd party Data Processors for the purposes of storing, reviewing and analysing documents and information.

24. The Inquiry has appropriate technical and organisational measures in place with its data processors, which means they cannot do anything with your personal information unless the Inquiry has instructed them to do it. They will not share your personal information with any organisation apart from the Inquiry, or as directed by the Inquiry. They will hold your data securely and retain it for the period the Inquiry requires. At the conclusion of the Inquiry, data that is to be retained as part of the historic record will be transferred to the National Archives, although any personal data included will continue to be protected. We may also share data where we are under a legal obligation to do so, or where it is necessary to assist with a criminal investigation.

How long will the Inquiry keep your data for?

25. Personal data will be held by the Inquiry until the conclusion of the Inquiry. At the end of the Inquiry, some of the personal data held by the Inquiry will – where it is considered to form part of the historic record – be transferred for the purposes of indefinite retention of Inquiry records by the National Archives in accordance with the Public Records Act 1958. Personal data that is not required for archiving purposes will be destroyed.

Your rights

All individuals have a number of rights under the UK-GDPR.

You have the right to request information about how your personal data is processed, and to request a copy of that personal data. (This is also known as a Subject Access Request).
You have the right to request that any inaccuracies in your personal data are rectified without delay.
You have the right to request that any incomplete personal data is completed, including by means of a supplementary statement.
You have the right to request that your personal data is erased if there is no longer a justification for them to be processed.
You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.
Where we are relying on your consent, you have the right to withdraw consent to the processing of your personal data at any time.
If we are not relying on your consent, you may have the right to object to the processing of your personal data. Any objections will be considered in the context of the Inquiry’s statutory duties and the necessity of processing personal data for that purpose.
Where we are relying on your consent, or a contract with you, you have the right to request a copy of any personal data you have provided, and for this to be provided in a structured, commonly used and machine-readable format.

26. The rights and obligations set out in this Notice may be subject to exemptions or limitations, to the extent authorised by the UK-GDPR and the Data Protection Act 2018 (including paragraph 14 of Part 2, Schedule 2), to be applied on a case-by-case basis.

International transfers

27. As your personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the European Union. Where that is the case, all appropriate technical and legal safeguards will be put in place to ensure you are afforded with same level of protection.

Contacts details/more information

The Inquiry Data Protection Officer

The data controller determines the purposes and means of processing personal data. The Data Protection Officer provides independent advice and monitoring of the Inquiry’s use of personal information. The Inquiry’s Data Protection Office can be contacted at dp@postofficehorizoninquiry.org.uk
and also at:

The Post Office Horizon IT Inquiry (Data Protection)
5th Floor, Aldwych House
71-91 Aldwych
London
WC2B 4HN

Complaints

28. If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:

Information Commissioner's Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF
Tel: 0303 123 1113
Email: casework@ico.org.uk

29. Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Review of this notice

This notice will be regularly reviewed and may be subject to revision. This version of the Privacy Notice was last updated 29 July 2022.

The Post Office Horizon IT Inquiry - Privacy Notice

For Phase 7 Participants

1. Overview

The Post Office Horizon IT Inquiry (Inquiry) is an independent public statutory Inquiry established to gather a clear account of the implementation and failings of the Horizon IT system at the Post Office over its lifetime.

The Inquiry has seven phases. Phase 7 is an investigation into the current practice and procedures of the Post Office Limited and will be used to identify recommendations for the future.

The Inquiry has invited all current Sub-Postmasters and all Horizon Shortfall Scheme applicants to give evidence in Phase 7. These individuals have been invited to voluntarily complete a survey.

2. What is this document?

This document is a Privacy Notice. As a UK based organisation, the Inquiry has a legal responsibility to comply with the UK version of the General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018). One of the requirements of the UK GDPR is to provide individuals with information on how the Inquiryuses personal data. This privacy notice aims to meet that legal requirement.

This Privacy Notice provides information for individuals who have been invited to complete the Inquiry’s Phase 7 survey. It is intended for all current Sub-Postmasters and all Horizon Shortfall Scheme applicants (HSS applicants) only.

3. Terminology

This privacy notice uses terminology that is defined in the UK GDPR. Examples include ‘personal data’, ‘processing’, ‘data subject’, etc.

‘We’ or ‘us’ refers to the Inquiry. ‘You’ or ‘your’ refers to the reader, the intended audience of this privacy notice (i.e. the Inquiry Phase 7 participants).

4. The Purpose of This Processing

You will be invited to voluntarily complete a survey. The results of this survey will be aggregated and analysed. The aggregated findings will be presented in the Phase 7 hearings to be used as evidence.

Your data will strictly be used as part of the Inquiry’s Phase 7 investigation. Your data will not be used for any marketing activities by the Inquiry or by any other third parties.

If you are unhappy with this processing activity, you are able to exercise your GDPR Right to Object. Please see the ‘Your UK GDPR Rights’ section towards the end of this privacy notice.

5. Our UK GDPR Lawful Basis for Processing

Our GDPR lawful basis for processing is ‘Public Task’; the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

This processing activity will also process special category data. Our UK GDPR article 9 exemption for this is ‘Substantial Public Interest’.

6. What Personal Data Will We Use?

The Post Office Limited has provided the Inquiry with your name and your email address. For some individuals, we have also been provided with your home address or your Post Office branch address.

If you choose to complete the Phase 7 survey, we will also process your survey responses. The survey will include questions about the current management practices of the Post Office Limited. It will also include optional demographics questions (age, gender, and ethnicity). Your response to the demographic questions will be used to analyse the survey responses.

7. Transfers of Personal Data

In order to ensure that the survey is fair and unbiased, the Inquiry has engaged the services of YouGov. YouGov is a global public opinion and data company. YouGov will issue the survey and will also aggregate and process the survey results.

In addition, your contact data will be stored in a third-party, secure document management and file sharing system.

Your personal data will remain in the UK or EU. The Inquiry will ensure that UK GDPR compliant contracts exist for all transfers of your personal data.

8. How long will your data be kept for?

The Inquiry will keep/delete your data in accordance with the below criteria. However, as the Inquiry progresses, the Chair of the Inquiry may deem it necessary to keep data longer than the below stated retention schedules. This will only be done in order to adhere to the Inquiry’s Terms of Reference and will be avoided wherever possible.

Your contact data will be kept for the duration of the Inquiry. At which point this data will be deleted.

Your individual survey responses will be kept by YouGov until 31^st March 2026, at which point they will be deleted. The Inquiry will not receive your individual responses at any point. The Inquiry will receive the aggregated survey responses. The aggregated survey responses will be placed into The National Archives for permanent storage, as they are considered to be of national interest.

9. How Have We Obtained Your Data?

Public inquiries are governed by the Inquiries Act (2005) and the Inquiry Rules (2006). Section 21 of the Inquiries Act (2005) provides a power to the Chair of a public inquiry to issue a notice directing any individual or organisation to deliver up to the Inquiry any material which is relevant to its terms of reference.

The Inquiry has issued a Section 21 notice to Post Office Limited in order to obtain your data. This data was acquired in order to ensure that you have the opportunity to complete the Phase 7 survey. This has been done in accordance with the Inquiry’s Terms of Reference.

10. General Information

Your UK GDPR Rights

Under the UK GDPR, you have rights that you may exercise at any time. Whilst you may exercise these rights at any time, the Inquiryis not always obliged to comply with your requests. Each right has requirements and exemptions that are associated with them. For further information on these requirements and exemptions, please visit the Information Commissioner's Office (ICO) website:

https://ico.org.uk

To exercise your rights, please send an email to the following address:

dp@postofficehorizoninquiry.org.uk

The Right to be Informed – You have the right to be informed about how the Inquiry uses your personal data. We are required to provide you with details of our data processing activities (where they involve your personal data). Typically, the Inquirywill provide this information to you in privacy notices such as this one.
The Right of Access – You have the right to request a copy of the personal data that the Inquiry holds about you.
The Right to Rectification – If the Inquiryholds personal data about you that is inaccurate or outdated, you have the right to request that this information is changed.
The Right to Erasure – You have the right to request that the Inquiry deletes personal data that relates to you.
The Right to Restrict Processing – You have the right to request that the Inquiry restricts or suppresses the further processing of your personal data.
The Right to Object – You have the right to object to specific processing activities that the Inquiry undertakes. Specifically, you may object if the Inquiry is using your data for a task carried out in the public interest, or for an exercise of official authority.

Right to lodge a complaint

You have the right to complain to the Information Commissioners Office (ICO) if you are concerned about the way we have processed your personal information. They can be contacted via:

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Tel: 0303 123 1113