Notice

Cyber Security Breaches Survey 2026-2028: Privacy Notice

Published 2 October 2024

This notice sets out how we will process your personal data, and your rights. It is made under Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR).  

The Cyber Security Breaches Survey (CSBS) is an ongoing quantitative and qualitative research study of UK businesses, charities and education institutions. CSBS is conducted by an external supplier and the Department for Science, and Technology (DSIT) holds and manages the contract. The Home Office is responsible for the cybercrime section and has been the co-funder for the CSBS since 2023. The current contract for CSBS concludes in 2025. However, DSIT and the Home Office plan to continue this research due to its value in informing policy context and decision making. 

The aim of this survey is to collect users and stakeholder’s feedback on different aspects of CSBS for 2026-2028, and to understand their views on the proposed changes in the survey. 

For this survey, DSIT is the controller of your personal data.

Your data

We will process the following personal data:  

• Individual respondents’ names
• Email addresses
• Your organisation

Personal data will be collected direct from you and we will not ask for any other personal information beyond those listed above. Free-text boxes are included within this survey where you are encouraged not to volunteer any additional personal data. Additional personal data included within answers are not required and will be deleted appropriately.   

If you opt to provide information through the survey platform, your data will be processed by our contracted survey platform provider Qualtrics. For the purposes of this activity, Qualtrics are a data processor, providing services under the instruction of DSIT (the data controller).  

Read:

• Qualtrics separate privacy statement    
• Qualtrics full cookie statement

Purpose

The purpose(s) for which we are processing your personal data is to enable us to carry out our functions as a government department. Your personal data is being collected as an essential part of the user engagement process, so that we can contact you regarding your response and for statistical purposes such as to ensure individuals cannot complete the survey more than once. 

Analysis of responses may be published after the survey closes. If we do so, we will ensure that neither you nor the organisation you represent are identifiable, and any responses used to illustrate findings will be anonymised.

Legal basis of processing

The legal basis for processing your personal data under Article 6 of the UK GDPR is:

1(e)Public task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. This survey provides ministers and government officials with information to inform the future development of the Cyber Security Breaches Survey (such as the scope and areas covered by the project).

Recipients 

Responses are collected on the survey platform of Qualtrics, which is DSIT’s contract provider. Your personal data will not be shared with any other party. DSIT will share fully anonymised data with HO. 

As part of our IT infrastructure, your personal data will be stored on systems provided by our data processors - Microsoft and Amazon Web Services. This does not mean we actively share your personal data with these entities; rather, they are technical service providers who host infrastructure supporting our IT systems. 

Retention  

We will only retain your personal data for 3 years in line with DSIT retention policy.    

Automated decision making 

Your personal data will not be subject to automated decision making.  

International Transfers  

Your personal data will be processed in the UK.

Your rights 

You have the right:

• to request information about how your personal data are processed, and to request a copy of that personal data.
• to request that any inaccuracies in your personal data are rectified without delay.
• to request that any incomplete personal data are completed, including by means of a supplementary statement.
• to request that your personal data are erased if there is no longer a justification for them to be processed.
• in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.
• to object to the processing of your personal data.

Contact details

The data controller for your personal data is the Department for Science, Innovation and Technology (DSIT).

You can contact the DSIT Data Protection Officer at:

DSIT Data Protection Officer

Department for Science, Innovation and Technology
22-26 Whitehall
London
SW1A 2EG

Email dataprotection@dsit.gov.uk

Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an UK independent regulator. The Information Commissioner can be contacted at:

Information Commissioner's Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Email casework@ico.org.uk

Telephone 0303 123 1113

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Updates to this notice

If this privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it, and under what circumstances we will share it with other parties. The ‘last updated’ date at the bottom of this page will also change. 

If these changes affect how your personal data is processed, we will take reasonable steps to let you know. 

Last updated: 23 September 2024