Kate Brunner KC has been appointed as the Chair of the independent review into the Isle of Man Government’s handling of the Coronavirus pandemic (the Review). The Chair is registered as a data controller with the Isle of Man Information Commissioner and is the data controller in respect of data processed by the Chair and her team (collectively the Review Team) in respect of the Review.
This statement is designed to help you, as someone who participates in the Review, understand how your personal data is processed by the Review Team and why.
Personal data is data which relates to you when you can be identified from that data or from that data when combined with other information which is in the possession of or is likely to come into the possession of the Review Team. The definition of personal data includes any expression of opinion about you and any indication of the intentions of the Review Team or any other person in respect of you.
If you feel that for any reason you might not understand what information we might ask you for, why we need it and what we might do with it, please contact counsel to the Review, Alex West, at firstname.lastname@example.org and we will be happy to discuss this document with you in person.
What personal data is processed and how is it used?
The Review Team will be gathering documentation and information from various Government departments and statutory boards, from people who have left Government, from Members of the House of Keys, and from members of the public, businesses, charities and other groups in order to fulfil the Terms of Reference for the Review. The documentation is likely to include a wide range of personal data in relation to current and former civil servants, ministers, advisors, agency members and members of the public including those receiving education, health and social care services. The personal data within the documentation is likely to include names, contact details, job roles, attendance at meetings and views expressed in those meetings, data within submissions made by individuals and groups whether in person or in writing, data within queries and any other interactions with the Review. The documentation and information will include documents already in existence which fall within the scope of the Review as well as documents which will be created by the Review Team for correspondence, recording and analysis purposes.
The Review Team will seek to avoid collecting and, therefore, processing special category data such as data relating to a specific person’s health. If such data is volunteered, for example by someone including such data in their written submission, the Review Team will rely on the fact that the person volunteering the information is consenting to it being processed for the purposes of the Review. Consent can be revoked at any time by emailing email@example.com.
Where a submission is made to the Review Team via the portal, the person making the submission will be asked whether they consent to their name (if they wish to provide it) and the content of the submission being used in the final report at the Chair’s discretion. Not providing a name and/or not giving consent will not prevent nor in any way impact the content of the submission being considered for the purposes of the Review. Consent to your name being used in the final report can be revoked at any time, prior to the publication of the final report, by emailing firstname.lastname@example.org.
In the event that a person sends or hand-delivers hardcopy documents to DQ Advocates Limited (DQ) for the purposes of having those documents submitted to the portal on their behalf, DQ will scan the hardcopy documents provided so that they are in electronic form and will submit those to the portal.
It is important to note that meetings held for the purposes of the Review may be recorded through the use of voice recordings or audio-visual recordings. Attendees at any such meeting will be reminded that the meeting is to be recorded.
It is also important to note that personal data may be used in the publication of the Review’s final report and supporting evidence. Inclusion of the personal data within the final report will be at the Chair’s discretion and will only be published where it is necessary for the understanding of the report.
Other purposes for which personal data may be processed are:
- Taking legal advice in respect of the Review;
- Dealing with any queries or complaints in relation to the conduct of the Review;
- Protecting the vital interests of a data subject;
- Reporting suspected or actual criminal activity;
- Making or responding to a legal complaint, claim or other application; and
- Complying with a legal obligation including a court order.
Where is the data stored?
An internet-based document-management platform has been created for the purposes of the Review.
There are two parts to the platform – a part accessed only by the Review Team which will hold the Review Team’s working papers, copies of documents provided by Government Departments and Statutory Boards, documents provided by anyone outside Government, meeting recordings, analysis of documentation etc and a part accessed by Government to upload documentation from Government Departments and Statutory Boards to be used by the Review Team.
The platform is provided by Manx Business Solutions Ltd who have been procured by the Isle of Man Government for this purpose. The platform uses the services of Laserfiche to hold the documentation and information in the cloud. The cloud server is located in Ireland.
The Review Team may correspond with you, with other parties and with each other by email. Review Team emails are held on a server hosted by NamesCo in the UK.
Hard copy documents sent or hand delivered to DQ will be stored temporarily in their offices. Electronic versions of those documents, when scanned, will be stored temporarily on DQ’s systems.
On completion of the Review, documentation and information held on the Review Team’s part of the platform will be moved to a new securely hosted electronic system which will remain under the control of the Chair. Any hard copy material not held on the platform will be scanned and saved onto this system and the hard copy document destroyed.
 This privacy statement only relates to the part of the portal used by the Review Team.
Who can see the information?
In addition to the Review Team, the following are parties who may have sight of the personal data processed by the Review Team:
|The Review Team’s legal advisors||To enable the Review Team to take legal advice
1. on any particular point, as provided for in the Terms of Reference
2. on making or responding to a legal complaint, claim or other application
|An appropriate authority such as the IoM constabulary or IoM social services||To enable the Review Team:
1. to protect the vital interests of a data subject in the event that the Review identifies actual or suspected ill treatment
2. to report actual or suspected criminal activity in the event that this is identified by the Review Team
3. to comply with any legal obligation including a court order
|Insurers and/or the Bar Standards Board||In the case of allegations of negligence or gross misconduct, the Review Team’s insurers would have to be informed.
In the case of allegations of gross misconduct, the Bar Standards Board would have to be informed.
|DQ||If a person wishes DQ to facilitate a submission to the online portal|
In addition to the above, personal data could technically be accessed by MBS, Laserfiche or NamesCo but the appropriate agreements are in place to limit their processing to the storage of data.
Do we use your data for marketing purposes?
We do not use your data for marketing purposes and we will not provide your data to any third party so that they can market their products or services to you.
How long is the data kept for?
The published report and supporting published materials may be retained indefinitely. All other material will be retained for seven years from the date of the report’s publication. At the end of the seven-year period and in accordance with agreement reached with the Isle of Man Public Record Office, unless the Chair otherwise directs:
- Evidential material will be archived as public records and subject to the closure periods in the Public Records Order 2015 Schedule 3, save for evidential material which the Chair determines will not be archived; and
- Evidential material which the Chair determines will not be archived and other categories of material will be permanently destroyed.
Hardcopy documents submitted or delivered to DQ will be held by them for seven days from receipt before being destroyed unless the submitter has requested the return of the hardcopy documents. An electronic version of the hardcopy documentation will be held by DQ for seven days from the date it is submitted to the portal.
If you wish to see the data processed about you by the Review Team, please contact counsel to the Review, Alex West, at email@example.com.
You have additional rights under the Isle of Man’s data-protection legislation such as the right to rectification of incomplete data and the right of erasure of data. An important right that you have is the right to object to processing. This right applies where, after careful consideration, it has been decided that is in the legitimate interests of the Review Team to process data about you. The Review Team processes data for its legitimate interests for the purposes of investigating complaints about the conduct of the Review and for reporting those complaints to its insurers and/or the Bar Standards Board, where necessary. If you wish to exercise any of these rights, please contact counsel to the Review, Alex West at firstname.lastname@example.org.
If you wish to make a complaint about how the Review Team has processed your data, please contact email@example.com. You can also contact the Information Commissioner on 01624 693260 or by emailing firstname.lastname@example.org
03 May 2023
Earlier Versions of this Notice
The original version of this Privacy Notice was issued on 09 January 2023. The Privacy Notice was updated on 10 February 2023. Copies of those Privacy Notices are available from email@example.com