Ipsos privacy notice: cyber security breaches survey (charities and education institutions)
Updated 3 September 2024
© Crown copyright 2024
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/cyber-security-breaches-survey/ipsos-privacy-notice-cyber-security-breaches-survey-charities-and-education-institutions
This privacy notice explains who we are, the personal data we collect, how we use it, who we share it with, and what your legal rights are.
About Ipsos UK and this study
Ipsos UK is a specialist research agency, commonly known as “Ipsos”. Ipsos is part of the Ipsos worldwide group of companies, and a member of the Market Research Society. As such we abide by the Market Research Society code of conduct and associated regulations and guidelines.
Ipsos has been asked by the Department for Science, Innovation and Technology (DSIT) and the Home Office to carry out research on their behalf, looking at organisations’ approaches to cyber security and whether they have experienced cyber security breaches or attacks. This is an annual study, called the cyber security breaches survey. The research includes:
- a telephone and online survey of charities and education institutions
- follow-up qualitative interviews with those taking part in the survey
DSIT, HO and Ipsos are joint controllers for the CSBS 2025. Ipsos provides DSIT and/or HO with fully anonymised reports and notes. This Ipsos privacy notice applies to all these aspects of the research with charities and education institutions.
The Home Office privacy policy
What information does Ipsos UK have on you?
If you are registered on one of the following websites as a charity or education institution, we have collected your personal data from one of these websites in order to invite your organisation to take part in the cyber security breaches survey:
- The Charity Commission for England and Wales
- The Office of the Scottish Charity Regulator
- The Charity Commission for Northern Ireland
- all institutions in England from the Get Information About Schools database
- schools in Scotland from the Scottish Government School contact details
- further education colleges in Scotland from the Colleges Scotland directory
- schools in Wales from the Welsh Government address list of schools
- further education colleges in Wales from the Welsh Government Further Education Institutions contact details
- schools in Northern Ireland from the Northern Ireland Department of Education database
- further education colleges in Northern Ireland from the NI Direct FE College directory
- online lists of all UK universities, e.g. the Universities UK website, cross-referenced against the comprehensive list of recognised bodies on GOV.UK (which also includes, for example, degree-awarding arts institutes).
This is a research survey jointly commissioned by DSIT and the Home Office.
The data (including personal data) Ipsos has received from these sources includes:
- organisation registered and trading names
- organisation address and postcode
- organisation telephone number
- contact name within the organisation where available – for an individual likely to be responsible for cyber security
- contact email within the organisation where available
In some cases, we have supplemented the above organisation details with contact details sourced from business websites and publicly available LinkedIn data, via another research partner, Sample Solutions. Information on how Sample Solutions collects this data can be found on their website.
What is Ipsos’s legal basis for processing personal data?
Ipsos UK requires a legal basis to process your personal data.
-
Ipsos’ legal basis for processing data from the online lists of charities and education institutions is that it is necessary for the performance of a task in the public interest (i.e. a public task), as the information gathered helps DSIT and the Home Office to monitor the policies they oversee.
-
Ipsos’ legal basis for processing personal data from Criteria Fieldwork for this research study is your consent to take part. If you wish to withdraw your consent at any time, please see the section below covering “Your Rights”.
-
Ipsos’ legal basis for processing any personal data collected in the survey interview is you consent to use your personal data, provided during the survey interview. If you wish to withdraw your consent at any time, please see the section below covering “Your Rights”.
How will Ipsos use any personal data, including survey answers provided by participants?
Responding to this survey is voluntary and any answers are given with your consent.
Ipsos will use your personal data and answers solely for statistical research purposes. This includes producing anonymous, aggregated statistical research findings for DSIT and the Home Office. Ipsos will provide DSIT and the Home Office with a de-identified data file of responses for them to carry out their own analysis and quality assurance of the results. This de-identified file may be made available to other approved government departments, partner organisations or researchers for statistical research purposes only. Your personal data (including any contact information) will not be included in this data file.
Ipsos will therefore keep your personal data in confidence, in accordance with this Privacy Notice. Ipsos can further assure you that you will not be identifiable in any published results.
How will Ipsos ensure personal information is secure?
Ipsos takes its information security responsibilities seriously. We apply various precautions to ensure your information is protected from loss, theft or misuse. Security precautions include appropriate physical security of offices, and controlled and limited access to computer systems.
Ipsos is accredited to the International Standard for Information Security, ISO 27001. In line with this, we have regular internal and external audits of our information security controls and working practices.
How long will Ipsos retain personal data and identifiable answers?
Ipsos will only retain any personal data and identifiable answers for as long as is necessary to support this research. In practice, this means that once we have reported the final anonymous research findings to DSIT or the Home Office, we will securely remove any personal data from our systems.
For this project we will securely remove your personal data from our systems by 1 July 2025, which is 3 months after the completion of the research project, to allow a period of amends post-project completion. This is unless you give your consent to be re-contacted to take part in follow-up research on this topic up to 12 months after your interview. In this case, Ipsos will securely remove your personal data from our systems by 8 January 2026.
Your rights
This section sets out your rights to the personal data that Ipsos holds about you, and the contact information you need to exercise your rights.
-
You have the right to access your personal data within the limited period that Ipsos holds it.
-
Providing responses to this survey is entirely voluntary and is done so with your consent. You have the right to withdraw your consent.
-
You also have the right to rectify any incorrect or out-of-date personal data about you which we may hold.
-
If you want to exercise your rights, please contact us at the Ipsos address below.
-
You have the right to lodge a complaint with the Information Commissioner’s Office (ICO), if you have concerns on how we have processed your personal data. You can find details about how to contact the Information Commissioner’s Office at https://ico.org.uk/global/contact-us/ or by sending an email to: casework@ico.org.uk.
-
If instead you want to contact DSIT and the Home Office, who commission the research, to exercise your rights about any data they may hold about you, please contact them using the details provided below.
Where will personal data be held and processed?
All of your personal data used and collected for this survey will be stored by Ipsos in data centres and servers within the United Kingdom and European Economic Area (EEA).
Contacting Ipsos and DSIT/the Home Office about this survey and/or your personal data
Contact the relevant Ipsos research team
Email Nada El-Hammamy at UK-PA-DSIT-CyberSecurityBreaches@ipsosresearch.com.
Contact the Ipsos compliance team
Email compliance@ipsos.com with “24-036437-01 Cyber-Security Breaches Survey 2025” in the subject line.
Post:
Subject:24-036437-01 Cyber-Security Breaches Survey 2025
Compliance Department Ipsos (market research)Limited
3 Thomas More Square
London
E1W 1YW
Contact the relevant DSIT research team
Email Saman Rizvi at cybersurveys@dsit.gov.uk.
Contact the DSIT data protection officer
Email dataprotection@dsit.gov.uk with “24-036437-01 Cyber-Security Breaches Survey 2025” in the subject line.
Post:
Subject: 24-036437-01 Cyber-Security Breaches Survey 2025
DSIT Data Protection Officer
Department for Science, Innovation and Technology
22 Whitehall
London
SW1A 2EG
Contact the relevant Home Office research team
Email CyberCrimeResearch@homeoffice.gov.uk.
Contact the Home Office data protection officer
Email dpo@homeoffice.gov.uk with “24-036437-01 Cyber-Security Breaches Survey 2025” in the subject line.
Post:
Subject: 24-036437-01 Cyber-Security Breaches Survey 2025
Office of the DPO
Home Office
Peel Building
2 Marsham Street
London
SW1P 4DF