Privacy Information Notice

This privacy information notice explains how the Undercover Policing Inquiry (the Inquiry) handles personal information. The Inquiry is committed to handling personal information in compliance with data protection legislation.

The Chairman is a data controller

The Chairman to the Inquiry is the data controller of your personal information.  The Data Protection Officer is David Martindale whose contact details can be found at the end of this notice.

Personal information collected and used by the Inquiry

The Inquiry’s purpose is to investigate and report on undercover police operations conducted by English and Welsh police forces in England and Wales since 1968.  The Inquiry will examine the contribution undercover policing has made to tackling crime, how it was and is supervised and regulated, and its effect on individuals involved – both police officers and others who came into contact with them. In order to fulfil this purpose, the Inquiry will process personal information about individuals. The scope and terms of reference[1] of the Inquiry are set out on our website. It is also in our legitimate interest to capture users’ names and email addresses as part of the hearings registration system.  In this way the Inquiry can make contact with individuals as necessary.

Personal information used to conduct the Inquiry

The day-to-day work of the Inquiry requires it to take possession, store and process various forms of material containing personal information.  Some of this material comes from the individuals themselves and some will come to us from third parties, such as police forces.  The information we receive can be personal data such as names and addresses, and other information can be sensitive personal data such as political opinions or sexual relationships.

To protect individual’s identities, cyphers or code names are used to preserve anonymity of individuals where a restriction order[2] has been granted.

How do we obtain personal information?

The following comprises a non-exhaustive list of the circumstances in which we obtain and use personal data in accordance with the Inquiry’s terms of reference:

Production of evidence to the Inquiry

The Inquiry requests information from individuals and organisations with some connection to the subject matter of the Inquiry. They are normally, but are not limited to, those listed as Core Participants[3] of the Inquiry.

The Inquiry makes written requests for evidence under Rule 9 of the Inquiry Rules 2006 to anyone believed to hold information of relevance to the Inquiry. In addition, under Section 21 of the Inquiries Act 2005 the Chairman can, by notice, require individuals to give evidence or produce documents etc. that relate to a matter in question at the Inquiry. Organisations and individuals have also provided unsolicited disclosure of evidence to the Inquiry. As a result of this evidence gathering work, the Inquiry has received and expects to continue to receive evidence containing personal information, some of which may be sensitive personal data. Such personal information will be stored and may be used by the Inquiry team as evidence to advance the work of the Inquiry.

When you contact us

When you email or write to us, we will record your email and postal address and any other information you have chosen to share with us.  Any personal information you have chosen to share with us may be stored and used by the Inquiry team to advance the work of the Inquiry.

If you contact the Inquiry by phone, any personal information provided to the Inquiry may be recorded and stored, unless you specifically ask us not to; however, if your engagement with the Inquiry is to proceed, the Inquiry will need to take and retain some details.

The Inquiry has an X, formerly known as Twitter account (@ucpinquiry) where it posts to provide direct links to certain pieces of information or documents. The Inquiry takes notice of the comments made in respect of its posts; however, its policy is not to respond.  If you provide personal information to the Inquiry by X, formerly known as Twitter, those details may be stored and may be used by the Inquiry team as evidence to advance the work of the Inquiry.

If you have contacted the Inquiry to make a complaint[4], in order to process that complaint, the Inquiry will need to record and store any personal information that is received when the complaint is submitted.

At Hearings

The Inquiry has and will continue to hold various hearings, in accordance with its obligation under Section 18 of the Inquiries Act 2005. The Inquiry receives evidence from participants of those hearings, which may consist of personal information.

The presumption is that hearings will be held in public, however, certain individuals participating in the hearings may have their identities anonymised if a Restriction Order has been granted. The Chairman to the Inquiry decides if evidence is provided in private or closed session and such decisions will be made in accordance with Section 19 of the Inquiries Act 2005.

Lists of witnesses due to appear at public hearings will be posted on the website in advance of each hearing with any witnesses granted with a restriction order having their identities anonymised. The Inquiry will only post lists of witnesses due to appear at public hearings. Members of the public will be able to attend the public hearings (but see below). Members of the public will not be permitted to attend any hearings held in private or closed session.

To record registration requests to attend hearings in-person the Inquiry records names and email addresses. These will only be used to send confirmation or update emails related to those hearings.

In light of the recent Covid-19 pandemic, some hearings were accessible to the public via a Zoom webinar. Zoom, which is a web conferencing platform, will capture and store personal data about viewers and participants. Zoom’s privacy policy covers how they handle, process and share personal data. Users of the Zoom webinar service must agree to this as part of the Inquiry’s registration process.

The Inquiry has no control over Zoom’s processing of personal data. However, the Inquiry will be in a position to access personal data captured and retained by Zoom and may do so to monitor and enforce compliance with the Chairman’s directions and restriction orders, including but not limited to any follow-up action. This might include sharing personal data with third parties and retention and storage of the same.

If you work or apply to work at the Inquiry

The Inquiry will store and process personal information to enable it to manage relationships with its team members lawfully and effectively. This will include using personal information to enable the Inquiry to:

  • improve the management of the workforce of the Inquiry;
  • enable development of a comprehensive picture of the Inquiry workforce and how it is deployed;
  • inform the development of recruitment and retention policies;
  • allow better financial modelling and planning;
  • enable monitoring of selected protected characteristics; and
  • manage employment contracts and to protect the legal position of the Inquiry.

Using the Inquiry website

Cookies are small files saved on your phone, tablet or computer when you visit a website.

The Inquiry use cookies to make ucpi.org.uk work effectively, understand how you use ucpi.org.uk and enable us to deliver content from other sites.

You can find details on the cookies we use and manage your cookie consent settings in the Inquiry’s cookie policy.

We use Google Analytics software to collect information about how you use ucpi.org.uk. This information includes IP addresses. The data is anonymised before being used for analytics processing.

To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit https://ico.org.uk/your-data-matters/online/cookies/.

Protecting your personal information

The Inquiry keeps your information secure and only shares it with those who need to see it.  We have both physical security and processes in place to ensure that all personal data is handled fairly and lawfully in line with data protection legislation and is stored in systems that meet government security standards.

Inquiry team members are security vetted[5] and complete annual information handling training to ensure that they understand their responsibilities in handling your personal data.

Sharing your information

The Inquiry Chairman accepts responsibility for the protection of personal information the Inquiry holds as a controller of that information. In order to advance the work of the Inquiry, it is sometimes necessary to share personal information with third parties. The Inquiry will only share personal information with third parties when it is legally permitted to do so or it has the individual’s consent to do so. Such third parties engaged by the Inquiry will be required to handle personal information on behalf of the Inquiry and to the Inquiry’s instructions, for instance counsel representing core participants of the Inquiry.

Publication of evidence

The Inquiry intends to make all information that is relevant and necessary available to the public, unless publication has been restricted by a Restriction Order under Section 19 Inquiries Act 2005.

Irrelevant and/or unnecessary personal information will be redacted (by removing or obscuring it) by the Inquiry legal team in accordance with the Restriction Protocol[6].

Core participants and witnesses will have the opportunity to consider references to themselves in documents that the Inquiry proposes to use and if they wish, to apply for that information to be restricted. Any application will be considered by the Inquiry Chairman using his powers under Section 19 of the Inquiries Act 2005 and as set out in the Inquiry Ruling on restriction orders (legal approach)[7].  Any such documents will be provided to core participants and witnesses when they are asked to make a witness statement.  Wherever possible, new potential core participants or witnesses will also be contacted by the Inquiry, and given the opportunity to make an application for a Restriction Order. Where it is considered disproportionate to do so, the information will be considered for redaction by the Inquiry legal team. The Inquiry legal team will decide whether to provisionally redact references to such persons applying the relevant legal principles and be mindful of the fact that the person affected will not have had an opportunity to apply for a restriction order.

The manner and timing of release of evidence into the public domain will be decided by the Chairman.

Transcripts of all public hearings will be published on the Inquiry’s website. Transcripts of private or closed hearings will be sent only to the parties attending such hearings and not released into the public domain, although the Inquiry will make available as much information about closed and private hearings as can be provided without compromising them.

Once released the information will be hosted on the Inquiry website, which is archived by The National Archives.

Retention of personal information

At the end of the Inquiry, and as required by law, records of the work of the Inquiry, of which your personal information may form part, will be transferred to the National Archives for permanent preservation.

The legal basis for processing personal data.

The Inquiry processes personal information in accordance with the General Data Protection Regulation and the Data Protection Act 2018:

Personal data: Article 6 (1)(e)

“processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”; and

Special personal data: Article 9 (2)(g)

 “processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”;

Paragraphs 5 & 6 of Part 1 of Schedule 2 of the Data Protection Act 2018

“Requirement for an appropriate policy document when relying on conditions in this Part

5 (1) Except as otherwise provided, a condition in this Part of this Schedule is met only if, when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).

(2) See also the additional safeguards in Part 4 of this Schedule. Statutory etc. and government purposes

6 (1) This condition is met if the processing—

(a) is necessary for a purpose listed in sub-paragraph (2), and

(b) is necessary for reasons of substantial public interest.

(2) Those purposes are—

(a) the exercise of a function conferred on a person by an enactment or rule of law;

(b) the exercise of a function of the Crown, a Minister of the Crown or a government department”

Your rights and how to use them

Freedom of Information Act 2000

The Freedom of Information Act 2000 does not apply to inquiries set up under the Inquiries Act 2005, including the Undercover Policing Inquiry. However, in keeping with the spirit of the freedom of information, the Inquiry will operate in as transparent and open a manner as possible in accordance with the interests of justice. The Inquiry publishes regular update notes on the progress of its work as well as quarterly costs.

Data Protection Legislation

The Inquiry ensures that it adheres to the relevant provisions of the data protection legislation[8] and is registered with the Information Commissioner’s Office. The Inquiry has appointed a Data Protection Officer who is responsible for monitoring compliance with the data protection legislation. The Inquiry ensures that appropriate data security policies are in place and that the Chairman, and all those engaged in support receive the necessary training.

The Inquiry’s approach to data protection follows the data protection principles as follows:

  • that processing be lawful and fair;
  • that purposes of processing be specified, explicit and legitimate;
  • that personal data be adequate relevant and not excessive;
  • that personal data be accurate and kept up to date;
  • that personal data be kept for no longer than is necessary;
  • that personal data be processed in a secure manner.

Access to your personal information and correction

You have certain rights in relation to the personal information that the Inquiry holds about you. A data subject is entitled to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed and, where that is the case, access to the personal data, subject to any applicable exemptions under the Data Protection Act 2018.  The manner in which the Inquiry will comply with its obligations is set out in the Chairman’s Statement on Data Protection and Privacy dated 11 April 2019, including how it intends to rely on relevant exemptions contained in the Act.

You also have the right to make sure that any personal information about you is accurate. If you believe that the Inquiry holds inaccurate personal information about you, you may ask us to correct or remove any such personal information.

Where the Inquiry collects and processes your personal information based on your consent, you have a right to withdraw such consent at any time.

Please submit any such personal information requests to the Inquiry’s Data Protection Officer by one of the contact methods listed at the end of this privacy information notice. In order to assist the Inquiry with processing such requests, please provide sufficient information to help locate your records. This should include, as a minimum:

  • an explanation of your request;
  • your name;
  • your date of birth; and
  • your address.

You will be asked to provide the Inquiry with proof of your identity before any request can be processed.

Sharing of personal information

The Inquiry may share personal information with its suppliers and other third parties. The Inquiry will only share your personal information with third parties when it can do so lawfully or it has your consent.  This can include transferring personal information outside of the United Kingdom.

In order to transfer personal information outside of the UK, the Inquiry will comply with the General Data Protection Regulation and Data Protection Act 2018. In particular, the Inquiry will have regard to the following:

  • the lawful processing requirements;
  • the security provisions;
  • international transfer provisions; and
  • record keeping requirements.

If the personal information is being transferred outside the European Union or the European Economic Area and to a country in respect of which there is no applicable adequacy decision[9] the Inquiry will rely on Article 49(1)(d) of the General Data Protection Regulation, namely the transfer is necessary for important reasons of public interest. This is because the transfer will be necessary to enable the Inquiry to fulfil its functions under the Inquiries Act 2005.

Any transfer of personal information outside of the United Kingdom must be pre authorised by the Inquiry Solicitor or the Solicitor to the Inquiry.

Complaints about how we handled your information

You have the right to complain about the way that the Inquiry collects and uses your personal information. If you wish make a complaint, please provide details to the Data Protection Officer using one of the contact methods listed at the end of this privacy information notice.

All complaints shall be handled in a timely manner by the Inquiry’s Data Protection Officer.

You also have the right to make a complaint to the Information Commissioners Office[10].

Inquiry Policies

More information can be found in the Inquiry’s Data Protection Policy and Processing Special Category and Criminal Convictions Data policy.

Contacting the Data Protection Officer

If you wish to know what data is held on you or to make a Subject Access Request please contact the Data Protection Officer.

Call: 0203 7876 4750 (Office hours are Monday to Friday 09:00-17:00)

Email: [email protected]; or

Write: Undercover Policing Inquiry, PO Box 71230, London, NW1W 7QH, for the attention of the Data Protection Officer

Amendments to this privacy information notice

This Inquiry keeps this privacy information notice under regular review. This version of the privacy information notice was last updated on 29 January 2024.

Footnotes

[1] Terms of Reference can be found at https://www.ucpi.org.uk/wp-content/uploads/2016/06/Terms-of-Reference.pdf

[2]  See the Protocol for the Imposition of Restrictions to the Publication of Documents and other Evidence Produced by the Inquiry by the Metropolitan Police Service on the Inquiry website at the following web address: https://www.ucpi.org.uk/wp-content/uploads/2017/05/20170530-restriction-protocol-v1.0.pdf.

[3]  Please see the List of Core Participants published on the Inquiry website at the following web address: https://www.ucpi.org.uk/core-participants-list/

[4] Please see the External Complaints Procedure published on the Inquiry website at the following web address: https://www.ucpi.org.uk/wp-content/uploads/2017/09/UCPI-complaints-procedure.pdf.

[5] For more information on security vetting and clearing, please visit the United Kingdom Government website at the following web address: https://www.gov.uk/guidance/security-vetting-and-clearance. Accessed 11 May 2018.

[6] See the Protocol for the Imposition of Restrictions to the Publication of Documents and other Evidence Produced by the Inquiry by the Metropolitan Police Service on the Inquiry website at the following web address: https://www.ucpi.org.uk/wp-content/uploads/2017/05/20170530-restriction-protocol-v1.0.pdf. Accessed 11 May 2018.

[7] https://www.ucpi.org.uk/wp-content/uploads/2016/05/160503-ruling-legal-approach-to-restriction-orders.pdf

[8] Data protection legislation means the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)), and the Data Protection Act 2018, regulations made under the Act, and regulations made under section 2(2) of the European Communities Act 1972 which relate to the GDPR or the Law Enforcement Directive (EU).

[9] An adequacy decision is where the European Commission has assessed that a country outside of the European Union has an adequate level of data protection.

[10] For more information on how to file a complaint with the Information Commissioners Office, please visit the Raising a Concern page of the Information Commissioners Office’s website at the following address: https://ico.org.uk/for-the-public/raising-concerns/