Research and analysis

Ipsos privacy notice: cyber security breaches survey (businesses)

Updated 3 September 2024

This Privacy Notice explains who we are, the personal data we collect, how we use it, who we share it with, and what your legal rights are.

About Ipsos UK and this study

Ipsos UK is a specialist research agency, commonly known as “Ipsos”. Ipsos is part of the Ipsos worldwide group of companies, and a member of the Market Research Society. As such we abide by the Market Research Society Code of Conduct and associated regulations and guidelines.

Ipsos has been asked by the Department for Science, Innovation and Technology (DSIT) and the Home Office to carry out research on their behalf, looking at organisations’ approaches to cyber security and whether they have experienced cyber security breaches or attacks. This is an annual study, called the cyber security breaches survey. The research includes:

  • a telephone and online survey of businesses
  • follow-up qualitative interviews with those taking part in the survey

DSIT, HO and Ipsos are joint controllers for the CSBS 2025. Ipsos provides DSIT/HO with fully anonymised reports and notes. This Ipsos privacy notice applies to all these aspects of the research with businesses.

The DSIT privacy policy

The Home Office privacy policy

What information does Ipsos UK have on you?

Ipsos has personal data relating to your business because we have been asked by DSIT and by the Home Office to carry out the Cyber Security Breaches Survey on their behalf.

Ipsos has taken a random sample of UK businesses (England, Wales, Scotland and Northern Ireland) from the Market Location business database to invite to take part in the survey and follow up qualitative interviews. Information on how Market Location collects this data can be found on their website.

The data (including personal data) Ipsos has received from these sources includes:

  • organisation registered and trading names

  • organisation address and postcode

  • organisation telephone number

  • contact name within the business where available – for an individual likely to be responsible for cyber security

  • contact email within the business where available

In some cases, we have supplemented the above organisation details with contact details sourced from business websites and publicly available LinkedIn data, via another research partner, Sample Solutions. Information on how Sample Solutions collects this data can be found on their website.

Ipsos UK requires a legal basis to process your personal data. Ipsos’ legal basis for processing personal data for this research study is your consent to take part. If you wish to withdraw your consent at any time, please see the section below covering “Your Rights”.

How will Ipsos use any personal data, including survey answers provided by participants?

Responding to this survey is voluntary and any answers are given with your consent.

Ipsos will use your personal data and answers solely for statistical research purposes. This includes producing anonymous, aggregated statistical research findings for DSIT and the Home Office. Ipsos will provide DSIT and the Home Office with a de-identified data file of responses for them to carry out their own analysis and quality assurance of the results. This de-identified file may be made available to other approved government departments, partner organisations or researchers for statistical research purposes only. Your personal data (including any contact information) will not be included in this data file.

Ipsos will therefore keep your personal data in confidence, in accordance with this Privacy Notice. Ipsos can further assure you that you will not be identifiable in any published results.

How will Ipsos ensure personal information is secure?

Ipsos takes its information security responsibilities seriously. We apply various precautions to ensure your information is protected from loss, theft or misuse. Security precautions include appropriate physical security of offices and controlled and limited access to computer systems.

Ipsos is accredited to the International Standard for Information Security, ISO 27001. In line with this, we have regular internal and external audits of our information security controls and working practices.

How long will Ipsos retain personal data and identifiable answers?

Ipsos will only retain any personal data and identifiable answers for as long as is necessary to support this research. In practice, this means that once we have reported the final anonymous research findings to DSIT or the Home Office, we will securely remove any personal data from our systems.

For this project we will securely remove your personal data from our systems by 1 July 2025, which is 3 months after the completion of the research project, to allow a period of amends post-project completion. This is unless you give your consent to be re-contacted to take part in follow-up research on this topic up to 12 months after your interview. In this case, Ipsos will securely remove your personal data from our systems by 8 January 2026.

Your rights

This section sets out your rights to the personal data that Ipsos holds about you, and the contact information you need to exercise your rights.

  • You have the right to access your personal data within the limited period that Ipsos holds it.

  • Providing responses to this survey is entirely voluntary and is done so with your consent. You have the right to withdraw your consent.

  • You also have the right to rectify any incorrect or out-of-date personal data about you which we may hold.

  • If you want to exercise your rights, please contact us at the Ipsos address below.

  • You have the right to lodge a complaint with the Information Commissioner’s Office (ICO), if you have concerns on how we have processed your personal data. You can find details about how to contact the Information Commissioner’s Office at https://ico.org.uk/global/contact-us/ or by sending an email to: casework@ico.org.uk.

  • If instead you want to contact DSIT and the Home Office, who commission the research, to exercise your rights about any data they may hold about you, please contact them using the details provided below.

Where will personal data be held and processed?

All of your personal data used and collected for this survey will be stored by Ipsos in data centres and servers within the United Kingdom and European Economic Area (EEA).

Contacting Ipsos and DSIT/the Home Office about this survey and/or your personal data

Contact the relevant Ipsos research team

Email Nada El-Hammamy at UK-PA-DSIT-CyberSecurityBreaches@ipsosresearch.com.

Contact the Ipsos compliance team

Email compliance@ipsos.com with “24-036437-01 Cyber-Security Breaches Survey 2025” in the subject line.

Post:

Subject:24-036437-01 Cyber-Security Breaches Survey 2025
Compliance Department Ipsos (market research)Limited
3 Thomas More Square
London
E1W 1YW

Contact the relevant DSIT research team

Email Saman Rizvi at cybersurveys@dsit.gov.uk.

Contact the DSIT data protection officer

Email dataprotection@dsit.gov.uk with “24-036437-01 Cyber-Security Breaches Survey 2025” in the subject line.

Post:

Subject: 24-036437-01 Cyber-Security Breaches Survey 2025
DSIT Data Protection Officer
Department for Science, Innovation and Technology
22 Whitehall
London
SW1A 2EG

Contact the relevant Home Office research team

Email CyberCrimeResearch@homeoffice.gov.uk.

Contact the Home Office data protection officer

Email dpo@homeoffice.gov.uk with “24-036437-01 Cyber-Security Breaches Survey 2025” in the subject line.

Post:

Subject: 24-036437-01 Cyber-Security Breaches Survey 2025
Office of the DPO
Home Office
Peel Building
2 Marsham Street
London
SW1P 4DF