COVID-19 Public Inquiry: Privacy Notice for NHS England staff

The UK COVID-19 Inquiry (the Inquiry) has been set up to examine the UK’s response to and impact of the COVID-19 pandemic. NHS England played a vital role in responding to the pandemic and will need to respond to questions and requests received from the Inquiry.

Our activity relating to the Inquiry will broadly fall into two categories:

  • Preparation: We need to prepare for the questions and requests which the Inquiry may potentially ask us.
  • Response: We will need to respond to the questions and requests which we receive from the Inquiry.

The below information only relates to NHS England’s use of personal data for purposes relating to the Inquiry.

Further information about the terms of reference and scope of activity of the Inquiry can be found here:

Purposes for processing

In responding to the Inquiry, NHS England will:

  • help support colleagues and former colleagues
  • ensure information (including personal data) is collected, shared and used in line with our internal policies and legal requirements
  • manage our relationship with the Inquiry
  • ensure we submit high quality evidence and
  • respond to findings and lessons identified

The purposes for using and sharing your data will be:

  • Preparing for the Inquiry: As the scope and terms of reference scope of the Inquiry are publicly available, and as NHS England’s role in responding to the pandemic are known, NHS England are able to prepare for the questions which the Inquiry may ask us in advance.  Such preparatory work may include accessing and reviewing personal data relating to our colleagues in relation to their role in responding to the pandemic.
  • Responding to the Inquiry: When NHS England receive questions from the Inquiry, it is likely that NHS England will need to access and review the personal data of its colleagues in relation to their role in responding to the pandemic. NHS England may also need to share personal data relating to colleagues and former colleagues with the Inquiry where necessary to answer questions raised by the Inquiry. NHS England will typically only share personal data relating to senior NHS England colleagues with the Inquiry unless the sharing of junior colleagues’ personal data is essential to answer a question.

Categories of personal data

The information we will process for these purposes includes:

  • information which identifies you (eg your name)
  • your work-related contact information (eg your work email address)
  • your current contact information (eg if you no longer work for NHS England – this could include your home address, personal phone number)
  • information about your role with NHS England (eg your job title, contract start date and end date)
  • personal information contained in communications and official documents (eg your name, communications you may have sent or received).

Sources of the data

For the purpose of the Inquiry, we will mainly use personal data from the following sources:

  • Information NHS England already holds: NHS England will review and share communications and documents created for the purpose of responding to the COIVD-19 pandemic which may contain your personal data relating to your role with NHS England.
  • Information which you provide for the purpose of the Inquiry: You may provide NHS England with further personal information if NHS England engage with you in relation to the Inquiry

Categories of recipients

NHS England will disclose personal data to the Inquiry and where NHS England is instructing other parties, such as external lawyers, to support its Inquiry related activities. NHS England may share your personal data with such parties and these organisations only where it is required to complete the tasks assigned to them by NHS England.

Retention period

Your data is already being processed in line with NHS England’s existing retention policies. More information is available here: NHS England » NHS England as a data controller

For personal data that is disclosed to, and subsequently processed by the Inquiry, please see the Inquiry website for more details:

Legal basis for processing

Under the UK General Data Protection Regulation (UK GDPR) NHS England’s legal basis to use your information for purposes related to the Inquiry are:

  • Public task: As a public authority, NHS England can use your information to perform its public tasks where that use is in the public interest. Those tasks extend to the activities NHS England need to perform to prepare and respond to the requests NHS England receive from the Inquiry (Article 6(1)(e) of UK GDPR).
  • Legal obligation: NHS England can use your personal data to meet its legal obligations. Under the Inquiries Act 2005, the Inquiry may require NHS England to provide evidence, which may include your personal data, which relates to a matter in question at the inquiry. (Article 6(1)(c) of UK GDPR).

NHS England also need an additional legal basis in the UK GDPR and the Data Protection Act 2018 (DPA 2018) to use data which is particularly sensitive such as information about a person’s health, ethnicity, religion, trade union membership. These types of data are called ‘special category data’.

NHS England will not typically be required to use or share your sensitive information for the purposes of the Inquiry but it could potentially be relevant, depending on the specific questions NHS England receive from the Inquiry. For example, NHS England may be required to confirm that a senior member of staff was unable to make a decision because they were not working at the relevant time due to illness.

If it is necessary to use or share your sensitive information for the purpose of the Inquiry, NHS England will rely on the following additional legal basis:

  • Substantial public interest: NHS England’s use of your information is necessary for reasons of substantial public interest based on UK law which is proportionate to the purposes (set out above). (Article 9(2)(g) of UK GDPR). NHS England have a statutory obligation under the Inquiries Act 2005 to fulfil the purpose and that statutory obligation is NHS England’s condition for relying on substantial public interest as its legal basis (the condition is set out in paragraph 6 of Schedule 1 to the Data Protection Act 2018).
  • Legal advice: NHS England may use your sensitive personal data for the purpose of obtaining legal advice. (Article 9(2)(f) of UK GDPR). NHS England can rely on this legal basis when it is necessary to share your personal data with its legal advisors for the purposes of preparing for and responding to the Inquiry.