Privacy policy

About this notice

This notice explains how we collect and handle your personal data.

We are an independent non-statutory public Review. We are investigating the built environment at the new build QEUH adult hospital and Royal Hospital for Children (RHC) ; whether the design, build, commissioning and maintenance of those buildings, and circumstances in which these phases took place, have had an adverse impact on optimal infection prevention and control practice. We will publish a report or reports. We need to process personal data to enable us to carry out our work.

We explain in this notice in general terms how we collect and handle personal data.

Why we process your personal data

We process (or use) your personal data for a number of reasons, but all of those reasons help us to fulfill our Terms of Reference.

How we collect personal data

When someone visits our website we collect information to measure the use of the website. We do not collect information that identifies anyone but we do track how many individuals have viewed different pages, so that we know what information is of most interest to the general public. Further information is provided on our website.

If you contact us by telephone, email or letter, or if you use the contact form on our website, we will retain the personal data which you provide to us, and we may use it to contact you about the work of the Review. We may also use it to help us with our investigations including our timetable and to help us decide where to focus our investigations. We also recover records from a range of sources, including NHS Greater Glasgow and Clyde, the Scottish Government and private contractors involved in the design, build commissioning and maintenance of QEUH/RHC.

What sort of data we collect

We collect data about the design, build, commissioning and maintenance of the QEUH, and the circumstances in which these elements took place. The records that we recover might include personal data including contact details and sensitive personal data.

How personal data is held

We keep your personal data secure and only share it with those who need to see it.

Personal data is held in secure encrypted electronic storage systems that are only accessible by members of the Review team. Any hard copy information is held in secure conditions within premises to which members of the public do not have access.

All personal data we receive is handled fairly and lawfully in line with data protection legislation.

Who will personal data be shared with?

We may have to disclose personal data, on a confidential basis, to organisations that hold records which could assist the Review with its investigations and to experts who the Review may seek to rely on to make certain findings.

In some cases your data may be made public, to allow us to fulfill our Terms of Reference. The Review is extremely careful about what data is made public and we follow a very clear set of rules to make sure that this is done correctly.

Some people are entitled to remain anonymous (i.e. their identity is kept private), and any published information will hide any details that might lead to you being identified if you are entitled to anonymity. Who we consider is entitled to anonymity is set out in the co-Chair’s “Statement of Approach: Anonymity”, which will be available on our website.

If you are concerned or unsure about whether your personal information may be made public, for example via our website or in a final report, you can ask our Review team about whether you wish to have, and are entitled to, anonymity.

Data controller

The Data controller for the review is responsible in law for all our information - how it is held and how it is used or destroyed.  

Data retention

If you contact us by telephone, email or letter during the Review, we will retain the personal data which you provide to us. We will do so solely to enable us to carry out our work. We will generally retain information for the duration of the Review.

We are required to transmit certain records, including personal and sensitive personal data, to the Keeper of the Records of Scotland at the end of the Review.

The legal basis for processing personal data

We process personal data lawfully in compliance with the General Data Protection Regulation (‘GDPR’) and all other UK data protection legislation.

Our ‘Lawful Basis’ as defined by the GDPR is we are carrying out a public task; fulfilling our function as a Review and pursuing our legitimate interest in fulfilling our Terms of Reference.

Carrying out a public task means that the processing we carry out is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us. In our case, the entire purpose of this Review is to benefit the public, by understanding what has happened in the past and to recommend improvements for the future. Complying with our legal obligation means: we process your personal data because it is necessary for our legitimate interests in fully carrying out our investigations, creating a public record or records of the events, findings and recommendations. We can rely upon this lawful basis only when we believe our interest is not overridden by your fundamental rights and freedoms.

Your rights in respect of your personal data

Sometimes the processing we carry out allows us to rely on one or more of the exemptions set down in the Data Protection Act 2018. If it does we then have to decide whether or not it remains appropriate to comply with your request to assert your rights under the GDPR. Sometimes it will be correct to comply even if there is an exemption that we can rely upon. Sometimes it will not be correct for us to comply - this will be especially the case if complying with your request would make it more difficult for us to fulfill our Terms of Reference or puts another person’s personal data at risk of being revealed

You have the right to request:

  • access to the personal data we hold about you
  • that incorrect information we hold about you, be corrected
  • that we stop or limit the processing of data we hold about you
  • that we erase the information we hold about you

In all cases we will consider your request very carefully. In some cases we might decline your request, if we believe that your information falls within one of the exemptions set down in the Data Protection Act 2018 and that compliance with your request may hinder our ability to fulfill our terms of reference.

Contact and complaints

If you wish to contact us about the terms of this privacy notice, please write to

If you wish to make a complaint about how the Review has handled your personal data, in the first instance please contact the Data Controller at

If you are unhappy with the outcome of any complaint resolution we provide you are entitled to contact the Information Commissioner’s calling their helpline on 0303 123 1113 or by writing to them at: UK Information Commissioner's Office Wycliffe House, Water Lane, Wilmslow, Cheshire.