Research and analysis

Privacy notice for the Cyber Governance Code of Practice evaluation survey

Published 8 April 2025

© Crown copyright 2025

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/cyber-governance-code-of-practice-evaluation-survey/privacy-notice-for-the-cyber-governance-code-of-practice-evaluation-survey

1. Who is collecting my data?

The Department for Science, Innovation and Technology (DSIT) drives innovation that will deliver improved public services, create new better-paid jobs and grow the economy.

DSIT is conducting the evaluation survey for the Cyber Governance Code of Practice to enable the UK government to gather feedback on the Code and its supporting materials.

DSIT is the Data Controller for this Call for Views.

Your data will be processed by our contracted survey platform provider Qualtrics. For the purposes of this activity, Qualtrics is a data processor, providing services under the instruction of DSIT

2. Purpose of this privacy notice

This notice sets out how we will use your personal data.

This notice is provided within the context of the notice provided to meet the obligations as set out in Articles 13 and 14 of UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA).

DSIT’s Personal Information Charter provides additional information on how we handle your personal information. It also explains how you can ask to view, change or remove your information from our records.

3. Personal data we collect

The personal data we will collect from you directly includes:

  • Contact details (name, name of organisation, email address)
  • Job title
  • Organisation regional location
  • Your IP address

The survey platform Qualtrics will collect essential cookies, including your IP address. You can view the full cookies policy from Qualtrics here. You can adjust your cookie preferences on Qualtrics once you open the survey. 

4. How we use your personal data

The purpose for which we are processing your personal data is to enable us to carry out our functions as a government department. This includes:  

  • analysis of responses to the survey
  • to re-contact you regarding DSIT’s further monitoring and evaluation of the Cyber Governance Code of Practice (if you provide contact details)
  • your IP address will be used to stop multiple responses and to make sure that the survey displays correctly.

Anonymised reporting of trends/answers submitted to the survey may be created and shared. This will not link back to you or any answers you submit.

The legal basis for processing your personal data under Article 6 of the UK GDPR is:

Article 6 (1) (e) Public task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.     This processing is necessary for the exercise of the functions of a government department (DPA Schedule 9, paragraph 5(d). This survey provides ministers and government officials with organisations’ views of the Cyber Governance Code of Practice in order to inform future policy development. 

6. Who your personal data will be shared with

If you provide them, your contact details may be shared with a third party outside of government acting on behalf of DSIT. This will be for the purposes of re-contacting you to engage with further evaluation of the Cyber Governance Code of Practice. You do not have to provide any personal data to participate in the survey and all questions are optional.  

Anonymised statistical data, drawn from survey results, may be shared with relevant governmental organisations, such as the National Cyber Security Centre, but the data shared would not include any personal or identifiable data.

As part of our IT infrastructure, your personal data will be stored on systems provided by our data processors - Microsoft and Amazon Web Services. This does not mean we actively share your personal data with these entities; rather, they are technical service providers who host infrastructure supporting our IT systems.

Your personal data will be processed by Qualtrics, however, we do not otherwise actively share your personal data with Qualtrics.

7. How long your personal data will be kept for

We will only retain your personal data for three years in line with DSIT retention policy. 

8. International transfers

Your personal data will be processed in the UK.

9. Will my data be used for automated decision making or profiling?

We will not use your data for any automated decision making.

10. Your rights

You have rights over your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). DSIT will ensure that it upholds your rights when processing your personal data.  

You have the right to request information about how your personal data are processed, and to request a copy of that personal data.

You have the right to request that any inaccuracies in your personal data are rectified without delay.

You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement.

You have the right to request that your personal data are erased if there is no longer a justification for them to be processed.

You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.

You have the right to object to the processing of your personal data. 

To exercise your rights please contact the Data Protection Officer using the contact details below.

11. Contact details

The data controller for your personal data is the Department for Science, Technology and Innovation. The contact details for the data controller’s Data Protection Officer (DPO) are:

DSIT Data Protection Officer
Department for Science, Innovation and Technology
22-26 Whitehall
London
SW1A 2EG

Email: dataprotection@energysecurity.gov.uk

If you are unhappy with the way we have handled your personal data and want to make a complaint or would like to exercise any of your rights in relation to your personal data, please write to the department’s Data Protection Officer at the relevant agency. You can contact the department’s Data Protection Officer using the details above.

12. Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an UK independent regulator.  The Information Commissioner can be contacted at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113

https://ico.org.uk/make-a-complaint/

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

13. Updates to this notice

If this privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it, and under what circumstances we will share it with other parties. The ‘last updated’ date at the bottom of this page will also change.

If these changes affect how your personal data is processed, we will take reasonable steps to let you know.

Last updated: 27/01/2025

Back to top