Guidance

GOV.UK Chat: privacy notice

Updated 6 November 2024

GOV.UK Chat is an experiment which is open to Private Beta users only. It is provided by the Government Digital Service (GDS), which is part of the Department for Science, Innovation and Technology. It was previously part of the Cabinet Office. 

The data controller for GDS is the Cabinet Office. A data controller determines how and why personal data can be processed. Read the Cabinet Office’s entry in the Data Protection Public Register for more information.

Mentions of ‘us’ and ‘we’ in this privacy notice refer to GDS. Cabinet Office is the independent controller for the GOV.UK Chat experiment.

1. Who this notice is for

This privacy notice is for people whose data is processed as part of providing GOV.UK Chat. 

This includes:

  • anyone who already has personal data published on GOV.UK 
  • users of GOV.UK Chat

2. What data we collect from you

GOV.UK Chat relies on GOV.UK content to answer questions users may have about government and our services. GOV.UK publishes a variety of personal data as determined by the government department publishing the content (you can check the GOV.UK privacy notice to find out how GOV.UK collects and uses your data). 

You may need to view the privacy notice for the department that is publishing your information to understand how and why they process and publish your personal data. We do not intend to use personal data to answer GOV.UK Chat queries. We process the personal data in order to filter and remove it from the database that GOV.UK Chat uses to generate answers. Filtering or removing is classed as processing.

2.1 GOV.UK Chat users

When you sign up to join the GOV.UK Chat Private Beta, we collect your email address. We use this to send unique links to access the tool. You can use the link provided in these emails to unsubscribe and cancel your access to GOV.UK Chat. If you are not successful in joining the Private Beta, your email address will not be stored.

We also store a record of your conversations with GOV.UK Chat to provide support, learn about user behaviour and identify malicious or dangerous behaviours.

The legal basis for the processing of personal data for GOV.UK Chat is that it’s in our legitimate interest to evaluate the emerging technology of large language models to improve how users interact with GOV.UK (according to Article 6(1)(f) of the UK GDPR legislation).

Some personal data published will be special category data. This is more sensitive, as defined by UK GDPR. We will process special category data on the legal basis that the processing is necessary for reasons of research in the public interest (according to paragraph 4, schedule 1, of the Data Protection Act 2018).

3.1 GOV.UK Chat users

To gain access to GOV.UK Chat, you must provide your email address. We process this data for communication purposes (to provide access updates and links to the tool). 

You can withdraw your consent by unsubscribing and cancelling your access using the link provided in any email from GOV.UK Chat.

4. Why we need your data

GOV.UK Chat is designed to help users to navigate information on GOV.UK, similar to a search function. To give users the most accurate answers, GOV.UK Chat needs most of the data GOV.UK has.

Personal data exists across GOV.UK. It is not possible to provide GOV.UK Chat without considering all of GOV.UK first and then applying rules to remove pages that have a high chance of having personal data within them.

4.1 GOV.UK Chat users

Your email address will be used to send necessary communications about your access to GOV.UK Chat, including unique links to access the tool. 

If you reply to these emails, we may also use your email address to provide remote support. 

Unless you opt into emails about future research opportunities, we will not use your email address for any further communications. We will not share any email addresses with third parties.

We store a record of your conversations with GOV.UK Chat to: 

  • provide support
  • learn about user behaviour on GOV.UK Chat
  • identify and ban users behaving in a dangerous or malicious way

5. What we do with your data

GOV.UK Chat is a natural language interface. This means you are able to ask a question and the tool will provide a response similar to that of a human. GOV.UK Chat contains certain types of GOV.UK content and can answer questions relevant to information found on these pages. The URLs of these pages begin with ‘gov.uk’, such as gov.uk/universal-credit.

GOV.UK Chat does not have access to:

  • content created on external government websites, like ons.gov.uk
  • services created by other departments, like universal-credit.service.gov.uk
  • any personal data you provide when using a government service, such as applying for a passport

Some of the pages GOV.UK Chat has access to include personal data. This is because departments publishing on GOV.UK sometimes publish personal data for various legal reasons. If your personal data is included in these pages, it is processed as part of GOV.UK Chat. GOV.UK Chat does not intend to produce answers that contain the personal data that is held on GOV.UK and, for this reason, the tool is designed to remove pages that likely have personal data from its database. When you ask GOV.UK Chat a question, it should only search for the GOV.UK pages that do not contain personal data.

GOV.UK pages with personal data are filtered out at the earliest stage of processing so they are not included in question responses. When a user asks GOV.UK Chat a question, the remaining GOV.UK pages without personal data are searched. Pages related to the question are sent with the question to our third party provider, OpenAI. When OpenAI receives the question, it uses the GOV.UK content it has been sent to create an answer to the question that is written as a natural language response.

If a user types personal data into their question and it is not picked up by our filtering process, it will be sent to OpenAI.

We will not:

  • sell or rent your data to third parties
  • share your data with third parties for marketing purposes

We will share your data if we’re required to do so by law - for example, by court order, or to prevent fraud or other crime.

If you are a participant in the user research phase of GOV.UK Chat you can find out how your data is processed.

6. How long we keep your data

We will only keep your personal data for as long as:

  • the law requires us to
  • we need for the purposes listed above

Personal data is filtered, so it is not held in the database that holds GOV.UK content which is sent to our processor to create an answer. The database is refreshed every day to ensure up-to-date GOV.UK data is being searched.

6.1 GOV.UK Chat users

If you’ve opted into being contacted about future research, your email address will be stored for 1 year.

If not, your email address will only be stored until the end of the Private Beta phase.

GDS will store your chat history for 1 year to enable us to evaluate for accuracy and monitor the system. 

OpenAI will store questions and relevant GOV.UK content sent to OpenAI’s API for up to 30 days for the purpose of monitoring potential misuse or abuse. After 30 days, the data is deleted, except in cases where OpenAI is required by law not to do so. Find out more about OpenAI’s data retention policy.

7. Where your data is processed and stored

Data sent to OpenAI is processed in the United States.

As your personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the UK. Where that is the case, it will be subject to equivalent legal protection through an adequacy decision. This is reliant on Standard Contractual Clauses or a UK International Data Transfer Agreement.

8. Who we share your data with

GOV.UK Chat uses a large language model (LLM) from OpenAI to generate human-like responses to user queries. When a user asks a question, the chatbot sends the query and relevant GOV.UK content to OpenAI’s LLM. OpenAI then processes this information and produces a natural-sounding answer.

9. How we protect your data and keep it secure

We are committed to doing all that we can to keep your data secure. We set up systems and processes to prevent unauthorised access to or disclosure of the data we collect about you – for example, we protect your data using varying levels of encryption. All third parties that process personal data for GDS are required to keep that data secure.

10. Children’s privacy protection

We do not design or promote services for children who are 13 years of age or younger, and we do not intentionally collect or keep data about anyone under the age of 13.

11. Your rights

You have the right to request:

  • information about how your personal data is processed, and to request a copy of that personal data
  • that any inaccuracies in your personal data are rectified without delay
  • that any incomplete personal data is updated - you can include the missing information in your request
  • that your personal data is erased if there is no longer a justification for it to be processed
  • that the processing of your personal data is restricted in certain circumstances - for example, where accuracy is contested 
  • that you object to the processing of your personal data 

12. Questions and complaints

Contact the GDS Privacy Office if you:

  • have any questions about anything in this document
  • think that your personal data has been misused or mishandled
  • want to make a subject access request (SAR)

The contact details for the data controller are: Cabinet Office (Government Digital Service), The White Chapel Building, 10 Whitechapel High Street, London, E1 8QS, or gds-privacy-office@digital.cabinet-office.gov.uk.

The contact details for the data controller’s Data Protection Officer are: dpo@cabinetoffice.gov.uk.

The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, or 0303 123 1113, or icocasework@ico.org.uk

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

13. Changes to this notice

We may change this privacy notice. When we make changes to this notice, the ‘last updated’ date at the top of this page will also change. Any changes to this privacy notice will apply to you and your data immediately. If these changes affect how your personal data is processed, GDS will take reasonable steps to make sure you know.