1. The Post Office Horizon IT Inquiry (the Inquiry) is a Statutory Inquiry under the Inquiries Act 2005 exercising functions in the public interest. The Inquiry is the data controller for your personal information.
2. The Inquiry is investigating the implementation and failings associated with Post Office Ltd’s Horizon IT system. The terms of reference of the Inquiry are set out on our website: https://www.postofficehorizoninquiry.org.uk/key-documents/terms-reference.
3. The purpose of this privacy notice is to set out how the Inquiry will use your personal data; who it may be shared with; and your rights. It is made under Articles 13 and/or 14 and Article 30 of the General Data Protection Regulation (GDPR).
What data the Inquiry needs to collect and the legal basis for processing it
Purposes of data collection
4. The purposes for which the Inquiry collects and processes your personal data are the effective conduct of the Inquiry and discharging the Terms of Reference.
5. The Inquiry is investigating the matters set out in its Terms of Reference, supported by a List of Issues, and in accordance with its Protocols.
6. In order to carry out its investigation and conduct its hearings the Inquiry will need to collect and process personal information.
7. Personal information is used by the Inquiry in a number of ways – for example, to gather evidence as part of the Inquiry’s investigation, to facilitate access to the Inquiry, to enable witnesses to give evidence and to communicate with you and keep you updated on the progress of the Inquiry.
8. The hearings, except in exceptional circumstances and as required by law, will be held in public and evidence referred to at hearings will become publicly available. Other evidence and information may be available on the Inquiry’s website.
9. Personal information may also be contained in the Report of the Inquiry, which will be published after the conclusion of the Inquiry investigations and hearings. Personal information may also be used by the Inquiry to comply with the law and with contracts that the Inquiry has entered into.
10. Personal data is collected, recorded and organised by the Inquiry. Typically, data will be requested by the Inquiry from relevant individuals or organisations or submitted voluntarily, for example in a witness statement. The Inquiry also has powers to compel an individual or organisation to provide requested information.
11. Personal data processed by the Inquiry can therefore comprise the personal data of:
- Members of the public who contact the Inquiry
- Core Participants in the Inquiry
- Other witnesses providing evidence to the Inquiry
- Contracted parties to the Inquiry
- Persons referred to in information received by the Inquiry from any of the above.
12. The following is a non-exhaustive list of categories of personal data that will be processed in relation to the Inquiry’s core function:
- Personal data – typically biographical data such as name, date of birth, personal description, contact details, images and voice recordings.
- Special category data – this will typically include data relating to health, data relating to race/ethnicity, religious beliefs and Trade Union membership. Some special category data may relate to children.
- Personal data relating to criminal convictions and offences – the processing of data in relation to criminal convictions is subject to strict controls.
13. The Inquiry keeps your data secure and only shares it with those who are required to see it as part of the process of the Inquiry. All personal information we receive is handled fairly and lawfully in accordance with data protection legislation.
14. Typically, personal data is held in digital format in IT systems which meet government security standards. The details of the security arrangements are not set out in this Notice to avoid compromising the effectiveness of those arrangements.
Legal basis for processing
(i) Non-special category personal data
15. For data which does not fall within the definition of special category data (see below), the Inquiry will rely on the legal basis described below for processing. When processing your personal data, the Inquiry will, at all times, consider whether the processing or disclosure of such data is necessary for the Inquiry proceedings and functioning.
In respect of the core functions of the Inquiry:
- The primary legal basis relied on for lawful processing by the Inquiry of personal data is Article 6(1)(e) GDPR: processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The Chair has official authority to perform the core function of the Inquiry in order to investigate the matters falling within the Inquiry’s terms of reference.
- In respect of material provided to the Inquiry (in particular, by witnesses) where you as the data subject have given consent to the processing, Article 6(1)(a) GDPR will also apply.
- The processing of evidentiary material is necessary for compliance with legal obligations, which is provided for under Article 6(1)(c) of the GDPR. This includes section 18(1) of the 2005 Act that provides, subject to restrictions notices, that the public are to have access to inquiry proceedings and information.
In respect of contracts:
- For providers of services to the Inquiry, the primary legal basis for processing your personal data will be that it is necessary for the performance of a contract to which you are a party.
(ii) Special category personal data
16. Special category, or sensitive, data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data (where used for identification purposes), data concerning health or data concerning an individual’s sex life or sexual orientation.
17. Processing by the Inquiry potentially extends to all types of special category personal data, but most typically will involve information relating to health, race/ethnicity, religious beliefs and trade union membership.
18. In addition to the legal bases for processing personal data generally, outlined above, the legal bases for processing sensitive personal data pursuant to Article 9 GDPR, read together with s. 10 of the Data Protection Act 2018, are:
- that processing is necessary for reasons of substantial public interest, including the exercise of a function conferred by an enactment/rule of law (the Inquiries Act 2005 and the Inquiry Rules 2006), to the extent that it is necessary, or
- that the consent of the data subject (where applicable) has been obtained.
(iii) Criminal conviction personal data
19. Where data relating to criminal convictions/offences is concerned, the lawful purpose will be dealt with by Article 10 GDPR/s.10(5) DPA 2018, including where the processing is necessary for the exercise of a function conferred on the Chair by the Inquiries Act 2005 and the Inquiry Rules 2006 and/or where it is necessary for the purpose of or in connection with legal proceedings.
Who we share your data with and why
20. As the Inquiry is publicly accessible, your personal data may be shared with anyone following the proceedings, including the press, when given in evidence (or on the Inquiry’s website). There are clear processes, including robust redaction processes, in place which govern the protection of your personal data. Save where consent is provided by you as a data subject, only data necessary for the Inquiry’s performance of its functions will be disclosed outside the Inquiry or to those instructed by the Inquiry.
21. During the course of undertaking the duties of the Inquiry, your data may be shared by the Inquiry with the following main groups:
- The Solicitor and Lead Counsel to the Inquiry
- Other Solicitors and Counsel who are instructed by the Inquiry
- Recognised legal representatives of individuals and corporate bodies recognised as Core Participants in the Inquiry
- Interested parties in the Inquiry
- Expert witnesses appointed by the Inquiry
- Assessors appointed by the Inquiry
- Third party data processors (such as providers of IT infrastructure or electronic disclosure platforms/services)
- The public, via the Inquiry website or via the Inquiry’s published report(s).
- External witness tracing firms utilised by the Inquiry
- Current and/or previous employers to obtain current or last known addresses for the purpose of obtaining current contact details of potential witnesses.
22. The majority of personal data submitted to the Inquiry is transferred to IT systems operated by third-party data processors for the purposes of storing, reviewing and analysing documents and information.
23. The Inquiry has appropriate technical and organisational measures in place with its data processors, which means they cannot do anything with your personal information unless the Inquiry has instructed them to do it. They will not share your personal information with any organisation apart from the Inquiry, or as directed by the Inquiry. They will hold your data securely and retain it for the period the Inquiry requires. At the conclusion of the Inquiry, data that is to be retained as part of the historic record will be transferred to the National Archives, although any personal data included will continue to be protected. We may also share data where we are under a legal obligation to do so, or where it is necessary to assist with a criminal investigation.
How long will the Inquiry keep your data for?
24. Personal data will be held by the Inquiry until the conclusion of the Inquiry. At the end of the Inquiry, some of the personal data held by the Inquiry will – where it is considered to form part of the historic record – be transferred for the purposes of indefinite retention of Inquiry records by the National Archives in accordance with the Public Records Act 1958. Personal data that is not required for archiving purposes will be destroyed.
All individuals have a number of rights under the GDPR.
- You have the right to request information about how your personal data is processed, and to request a copy of that personal data. (This is also known as a Subject Access Request).
- You have the right to request that any inaccuracies in your personal data are rectified without delay.
- You have the right to request that any incomplete personal data is completed, including by means of a supplementary statement.
- You have the right to request that your personal data is erased if there is no longer a justification for it to be processed.
- You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.
- Where we are relying on your consent, you have the right to withdraw consent to the processing of your personal data at any time.
- If we are not relying on your consent, you may have the right to object to the processing of your personal data. Any objections will be considered in the context of the Inquiry’s statutory duties and the necessity of processing personal data for that purpose.
- Where we are relying on your consent, or a contract with you, you have the right to request a copy of any personal data you have provided, and for this to be provided in a structured, commonly used and machine-readable format.
25. The rights and obligations set out in this Notice may be subject to exemptions or limitations, to the extent authorised by the GDPR and the Data Protection Act 2018 (including paragraph 14 of Part 2, Schedule 2), to be applied on a case-by-case basis.
26. As your personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the European Union. Where that is the case, all appropriate technical and legal safeguards will be put in place to ensure you are afforded the same level of protection.
Contact details/more information
The Inquiry Data Protection Officer
The data controller determines the purposes and means of processing personal data. The Data Protection Officer provides independent advice and monitoring of the Inquiry’s use of personal information. The Inquiry’s Data Protection Officer can be contacted at email@example.com and also at:
The Post Office Horizon IT Inquiry (Data Protection)
PO Box: PO Horizon IT Inquiry
1 Victoria Street
27. If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:
28. Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
Review of this notice
This notice will be regularly reviewed and may be subject to revision. This version of the Privacy Notice was last updated 29 July 2022.