Privacy notice


The Commissioner for Survivors of Institutional Childhood Abuse is committed to protecting your privacy.  This Privacy Notice explains how the Commissioner's Office uses information about you and the ways in which we will safeguard your personal information. It is designed to meet the requirements of the United Kingdom General Data Protection Regulation (UK GDPR), and the Data Protection Act 2018, in terms of your individual right to be kept informed about how and why we collect, and use information, about you.

Who we are

The Office of the Commissioner is an independent office established under the Historical Institutional Abuse (Northern Ireland) Act 2019 (the Act). The principal aim of the Commissioner for Survivors of Institutional Childhood Abuse in exercising functions under the Act is to fulfil one of the recommendations of the Historical Institutional Abuse Inquiry through promoting the interests of any person who suffered abuse while a child and while resident in an institution at some time between 1922 and 1995. Any information that you provide to us will be used to assist us in discharging our functions under the Act.

The type of personal information we process

We currently collect and process some or all of the following information:

  • Your contact details (name, postal address, telephone number, email address);

Occasionally, we may collect and process the following types of information;

  • Details of the institutions you had a connection with;
  • Third party contact details, for example, with your consent, the contact details of your family, friends or legal representatives to enable us to assist you;
  • Additional information provided voluntarily by you which may include special category (sensitive) personal information, for example information relating to an individual’s physical or mental health, religion or sexuality;
  • Records from public and targeted events at which you were present;
  • Records from meetings (including virtual meetings) with victims and survivors at which you were present, or being represented;
  • Personal information belonging to you held by other public sector organisations, in PRONI records and/or Inquiry recordings/transcripts, which may include special category (sensitive) personal information, for example information relating to an individual’s physical or mental health, religion or sexuality.

It is important to note, that when communicating with the Office of the Commissioner for Survivors of Institutional Childhood Abuse, an individual does not have to provide the information we may ask for.  However, where an individual does not provide the information requested, the Commissioner may be unable to complete the particular task for which the information was requested.

How we get your personal information

Most of the personal information we process is either provided directly by you, from our meetings with you, by organisations representing or connected to you, or has come from government records (including from The Historical Institution Abuse Inquiry).

We may also receive personal information indirectly, from third parties including from another public sector organisation.

Who the information may be shared with

Any personal information we process will not be shared outside of Commissioner's office unless with your consent, or if the law permits, or places an obligation on the Commissioner to do so, or that sharing is necessary to safeguard the interests of you, the data subject. Where it is appropriate we will keep you informed.

Our lawful basis for processing personal information

To comply with data protection legislation, we must have a lawful basis for processing any personal information.

The processing that the Commissioner's office carries out in this case is on a ‘public task’ basis under Article 6(1)(e) of the UK GDPR. This means the processing is necessary forthe Commissioner to perform a task in the public interest, or in order to discharge its official functions, including those under the Historical Institutional Abuse (Northern Ireland) Act 2019.

As noted above, some of the personal information we process may be special category personal information. Special category personal information needs more protection as it is particularly sensitive. To lawfully process special category information, in addition to the lawful basis under Article 6 of the UK GDPR outlined above, we rely on the condition under Article 9(2)(g) of the UK GDPR – where “processing is necessary for substantial public interest purposes”. Furthermore, provision for the processing of special categories of personal information relies on the requirement that a condition in Part 2 of Schedule 1 of the Data Protection Act 2018 is met. In this regard the condition in paragraph 6 is applicable – that processing is necessary in the exercise of a function conferred by an enactment, or rule of law and for reasons of substantial public interest, and in the exercise of a function of a government department.

How we store your personal information

Your personal information will be managed in accordance with the UK GDPR and DPA 2018 legislation. 

Where personal information is received by:

  • hard copy format -  it is scanned to create an electronic copy, and saved and retained securely within Content Manager, the standard system for records management in the Northern Ireland Civil Service;
  • electronic format -  it is saved and retained securely within Content Manager;
  • telecommunication format -  it is recorded on a telephone call log document, and saved securely within Content Manager.

Access to all personal information processed by the Commissioner is restricted to those persons working in the Commissioner's office, to The Executive Office (TEO) records management administrators who are responsible for Content Manager.

The Commissioner will safeguard the security of any personal information supplied by ensuring:

  • It will not be shared outside of the Commissioner's office except for reasons mentioned above;
  • It will not be transferred to other individuals or organisations, unless documents are password protected; and the password is communicated in a separate email to the receiving individual or organisation
  • The use of a secure encrypted IT system, services, or an application (commonly known as an “app”) and where necessary, further encrypting documents before being shared.
  • Staff will be provided with data protection training and guidance.

How long we keep personal information

Personal information will be kept for no longer than is necessary for the purposes for which it has been obtained, in line with the Commissioner’s Retention and Disposal Schedule (hereafter referred to as ‘the Schedule’).

Under the Schedule, records will be reviewed seven years after the last record is received by the Commissioner. Following the review the record will either be retained by the Commissioner (if the office is still in place) or by TEO; disposed of securely; or transferred to the Public Record Office of Northern Ireland (PRONI) for permanent preservation.

The COmmissioner's office will conduct regular reviews of personal information held, ensuring it is accurate and kept up to date, and will engage with you (the ‘data subject’) on the purposes for which your personal information is held.

In certain circumstances you may request that your personal information be removed from our records by contacting the Data Protection Officer using the contact details provided at the end of this notice. 

It is important to note that if you request your personal information to be removed the Commissioner's office will no longer be able to communicate with them about matters that may be of interest.

What are your rights?

Alternative Formats or General Enquiries

If you have any other queries about this Privacy Notice, or require it in an alternative format or language, including hard copy, please contact the Commissioner for Survivors of Institutional Childhood Abuse at the address above.


If you wish to discuss the processing of your personal information, or are dissatisfied with how your personal information is being processed, please contact the Data Protection Officer using the details provided below.

Joanne McComb
Data Protection Officer
The Commissioner for Survivors of Institutional Childhood Abuse
5th Floor South
56-66 Queens Street
Northern Ireland

Tel: (+44) 28 9054 4985


If you are still dissatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House
Water Lane


Tel: (+44) 0303 123 1113


Changes to this Privacy Notice

We keep this Privacy Notice under regular review and we will place any updates on the Commissioner's website.

This Privacy Notice was last updated on 26 May 2021.