The Commissioner for Survivors of Institutional Childhood Abuse (COSICA) is committed to protecting your privacy. This Privacy Notice explains how COSICA uses information about you and the ways in which we will safeguard your personal information. It is designed to meet the requirements of the United Kingdom General Data Protection Regulation (UK GDPR), and the Data Protection Act 2018, in terms of your individual right to be kept informed about how and why we collect, and use information, about you.
Who we are
COSICA is an independent office established under the Historical Institutional Abuse (Northern Ireland) Act 2019 (the Act). The principal aim of COSICA in exercising functions under the Act is to fulfil one of the recommendations of the Historical Institutional Abuse Inquiry through promoting the interests of any person who suffered abuse while a child and while resident in an institution at some time between 1922 and 1995. Any information that you provide to us will be used to assist us in discharging our functions under the Act.
The type of personal information we process
We currently collect and process some or all of the following information:
- Your contact details (name, postal address, telephone number, email address);
Occasionally, we may collect and process the following types of information;
- Details of the institutions you had a connection with;
- Third party contact details, for example, with your consent, the contact details of your family, friends or legal representatives to enable us to assist you;
- Additional information provided voluntarily by you which may include special category (sensitive) personal information, for example information relating to an individual’s physical or mental health, religion or sexuality;
- Records from public and targeted events at which you were present;
- Records from meetings (including virtual meetings) with victims and survivors at which you were present, or being represented;
- Personal information belonging to you held by other public sector organisations, in PRONI records and/or Inquiry recordings/transcripts, which may include special category (sensitive) personal information, for example information relating to an individual’s physical or mental health, religion or sexuality.
It is important to note, that when communicating with COSICA, an individual does not have to provide the information we may ask for. However, where an individual does not provide the information requested, COSICA may be unable to complete the particular task for which the information was requested.
How we get your personal information
Most of the personal information we process is either provided directly by you, from our meetings with you, by organisations representing or connected to you, or has come from government records (including from The Historical Institution Abuse Inquiry).
We may also receive personal information indirectly, from third parties including from another public sector organisation.
Who the information may be shared with
Any personal information we process will not be shared outside of COSICA unless with your consent, or if the law permits, or places an obligation on COSICA to do so, or that sharing is necessary to safeguard the interests of you, the data subject. Where it is appropriate we will keep you informed.
Our lawful basis for processing personal information
To comply with data protection legislation, we must have a lawful basis for processing any personal information.
The processing that COSICA carries out in this case is on a ‘public task’ basis under Article 6(1)(e) of the UK GDPR. This means the processing is necessary for COSICA to perform a task in the public interest, or in order to discharge its official functions, including those under the Historical Institutional Abuse (Northern Ireland) Act 2019.
As noted above, some of the personal information we process may be special category personal information. Special category personal information needs more protection as it is particularly sensitive. To lawfully process special category information, in addition to the lawful basis under Article 6 of the UK GDPR outlined above, we rely on the condition under Article 9(2)(g) of the UK GDPR – where “processing is necessary for substantial public interest purposes”. Furthermore, provision for the processing of special categories of personal information relies on the requirement that a condition in Part 2 of Schedule 1 of the Data Protection Act 2018 is met. In this regard the condition in paragraph 6 is applicable – that processing is necessary in the exercise of a function conferred by an enactment, or rule of law and for reasons of substantial public interest, and in the exercise of a function of a government department.
How we store your personal information
Your personal information will be managed in accordance with the UK GDPR and DPA 2018 legislation.
Where personal information is received by:
- hard copy format - it is scanned to create an electronic copy, and saved and retained securely within Content Manager, the standard system for records management in the Northern Ireland Civil Service;
- electronic format - it is saved and retained securely within Content Manager;
- telecommunication format - it is recorded on a telephone call log document, and saved securely within Content Manager.
Access to all personal information processed by COSICA is restricted to those persons working in COSICA, to The Executive Office (TEO) records management administrators who are responsible for Content Manager.
COSICA will safeguard the security of any personal information supplied by ensuring:
- It will not be shared outside of COSICA except for reasons mentioned above;
- It will not be transferred to other individuals or organisations, unless documents are password protected; and the password is communicated in a separate email to the receiving individual or organisation
- The use of a secure encrypted IT system, services, or an application (commonly known as an “app”) and where necessary, further encrypting documents before being shared.
- Staff will be provided with data protection training and guidance.
How long we keep personal information
Personal information will be kept for no longer than is necessary for the purposes for which it has been obtained, in line with COSICA’s Retention and Disposal Schedule (hereafter referred to as ‘the Schedule’).
Under the Schedule, records will be reviewed seven years after the last record is received by COSICA. Following the review the record will either be retained by COSICA (if the office is still in place) or by TEO; disposed of securely; or transferred to the Public Record Office of Northern Ireland (PRONI) for permanent preservation.
COSICA will conduct regular reviews of personal information held, ensuring it is accurate and kept up to date, and will engage with you (the ‘data subject’) on the purposes for which your personal information is held.
In certain circumstances you may request that your personal information be removed from our records by contacting the COSICA Data Protection Officer using the contact details provided at the end of this notice.
It is important to note that if you request your personal information to be removed COSICA will no longer be able to communicate with them about matters that may be of interest.
What are your rights?
- You have the right to be informed and you can also obtain confirmation that your personal information is being processed;
- You have the right to access your personal information;
- You are entitled to have personal information rectified if it is inaccurate or incomplete;
- You have a right to have personal information erased and to prevent processing in specific circumstances;.
- You have the right to restrict processing of personal information in specific circumstances;
- You have the right to data portability in specific circumstances;
- You have the right to object to the processing of personal information in specific circumstances;
- You have rights in relation to automated decision making and profiling. Please be advised that no personal information supplied by you will be used for the purpose of automated decision making and profiling.
Alternative Formats or General Enquiries
If you have any other queries about this Privacy Notice, or require it in an alternative format or language, including hard copy, please contact the Commissioner for Survivors of Institutional Childhood Abuse at the address above.
If you wish to discuss the processing of your personal information, or are dissatisfied with how your personal information is being processed, please contact the COSICA’s Data Protection Officer using the details provided below.
Data Protection Officer
The Commissioner for Survivors of Institutional Childhood Abuse
5th Floor South
56-66 Queens Street
Tel: (+44) 28 9054 4985
If you are still dissatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Tel: (+44) 0303 123 1113
Changes to this Privacy Notice
We keep this Privacy Notice under regular review and we will place any updates on the COSICA website.
This Privacy Notice was last updated on 26 May 2021.