Privacy Notice for the BVI Commission of Inquiry
Date last modified: 03/06/2021
The BVI Commission of Inquiry (the COI) is an independent Commission of Inquiry established by the Governor of the British Virgin Islands (BVI) under the Commissions of Inquiry Act 1880. The Right Honourable Sir Gary Hickinbottom (“the Commissioner”) has been appointed as sole Commissioner. The UK Government has constitutional responsibility for the security and good governance of the British Overseas Territories including the BVI, which it fulfils in large part through the Foreign, Commonwealth and Development Office (FCDO).
Personal data provided to the COI, including through its website, will be held in the UK. This Privacy Notice explains how the COI will use your personal data, who it may be shared with and your rights under UK law. The COI is committed to handling personal information in compliance with applicable data protection legislation. For the purpose of that legislation, the COI is a data controller and can be contacted as follows:
BVI Commission of Inquiry
RB 1.11 22
What data does the COI need to collect and why?
The COI’s Terms of Reference have been published on its website. To carry out its work effectively and fulfil its Terms of Reference, the COI will gather information including by obtaining documents and witness evidence. That information will include personal data and will come to the COI in different ways. It may be volunteered by members of the BVI public through the COI’s website. It may come from direct requests made by the COI of individuals and organisations and, where directed by the Commissioner, through the conduct of public hearings. The Commissioner also has the statutory power to compel individuals and organisations to provide information.
The COI will process different categories of personal data including:
- Personal data (typically biographical data such as names and contact details).
- Special category data (this will typically include data relating to health and political opinions).
- Personal data relating to criminal convictions and offences.
Legal basis for processing data
The COI’s legal basis for processing personal and special category data is:
- The processing is necessary for the purposes of the legitimate interests being pursued by the COI, that is to investigate and report upon the matters set out in its Terms of Reference.
- The processing is necessary in order to comply with a legal obligation to which the COI is subject.
- For providers of services to the COI, the legal basis for processing your personal information will normally be that it is necessary for the performance of a contract to which you are a party.
- As to special category data and personal data relating to criminal convictions and offences, such processing is necessary for reasons of substantial public interest, including for the provision of a function conferred on the COI by law and for the administration of justice. In some limited cases, we may also ask for the consent of the data subject. Where special category data have been manifestly made public by the data subject this provides a further lawful basis for the processing of such data.
In addition, where a member of the public has voluntarily provided information via the COI’s website and there consented to their personal data being referred to in the COI’s report then the legal basis for processing that data by including it in the report will be consent.
What happens to the personal data?
The COI is committed to protecting the personal data it receives, keeping it secure and only sharing the information with those that are required to see it. The COI website has undergone significant penetration testing and safeguarding to ensure the security of information submitted through that website.
Any data shared with the COI through its website, gathered directly by the COI team or through hearings in the BVI will be transferred to secure IT systems in the UK either hosted by the FCDO or its sub-processors for the purpose of storage, review and analysis. These systems meet the required security standards. All personnel in data processors or sub-processors owe a duty of confidentiality to the COI.
Personal data may need be transferred from the UK to the BVI. If so, this will only be done in accordance with applicable data protection laws, and if the transfer is necessary for reasons of public interest, bearing in mind the aims and functions of the COI as set out above, and in accordance with the safeguards set out in this document.
The robust processes the COI has in place, including a redaction policy, ensure that (save where the data subject has given consent) only that personal data necessary for the fulfilling of COI’s Terms of Reference will be disclosed outside the COI. The main groups which whom personal data may be shared during the course of the COI are:
- The Commissioner and his team. All members of the COI team will have access to information provided to the COI.
- Legal representatives of individuals and organisations insofar as it is necessary as part of the legal process of the Inquiry.
- Individual or corporate witnesses invited or required to attend an oral hearing.
- The FCDO in its limited role as a data processor providing IT infrastructure (with its sub-processors) to the COI.
- The public via any public hearings or through the content of the COI’s report, which will be submitted to the Governor of the BVI at the conclusion of the COI’s work.
An important exception to the sharing of any personal data is where a member of the public, who when submitting information / documents via the COI’s website, requests that his or her name should be kept confidential and not referred to in the COI’s report or that the information /documents provided should not be used in the COI’s report. Then the request for confidentiality will be respected.
There may be circumstances in which the COI may need to share personal data with third parties where, for example, we are required to do so by law, by court order, or to prevent fraud or other crimes. Where this arises, however, we shall do so in accordance with applicable data protection laws.
How long will personal data be retained?
The data will be kept by the COI for the duration of the COI. At its conclusion, the COI’s website will be decommissioned. Acting only on the instructions of the Commissioner, the information received by the COI will be retained securely for approximately 2 years by the FCDO after which it will be destroyed. In that period access to the information will require the prior approval of the Commissioner.
In certain circumstances, you have the right to request:
- Information about how your personal data is processed and to request a copy of that personal data.
- That any inaccuracies in your personal data are corrected without delay.
- That any incomplete personal data is completed, including by means of a supplementary statement.
- That the processing of your personal data is restricted (for example, where the accuracy of the information held by the COI is contested) or to object to the processing of your personal data for certain purposes.
- That your personal data is erased if there is no longer a justification for them to be processed.
Where we are relying on your consent for the use of your personal data, you have the right to withdraw that consent at any time. You can do so by emailing the COI’s Data Protection Officer at the address below.
If you have any questions about this notice, you can contact the COI via the postal address or email set out above. Alternatively, you can raise any concerns with our Data Protection Officer who provides independent advice and monitoring of the COI’s use of personal information. The Data Protection Officer is Eleanor Stewart. The Data Protection Officer can be contacted at:
Data Protection Officer
Knowledge Management Department
Foreign, Commonwealth and Development Office
King Charles Street
Tel: 020 7008 1500
If you wish to make a complaint about the way the COI handles your personal data, you can do so to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:
Information Commissioner's Office
Tel: 0303 123 1113
Changes to this notice
We may modify or amend this privacy notice at our discretion at any time. Any modification or amendment to this privacy notice will be applied to you and your data as of that revision date. We will endeavour to notify of any material changes to this notice, but we encourage you to periodically review this privacy notice to be informed about how we are protecting your data. This notice was last updated on 3 June 2021.