CDDO domain management privacy notice
Updated 17 June 2024
The Central Digital and Data Office (CDDO) is part of the Cabinet Office and provides Domain Management to:
-
approve third-level .gov.uk domains to eligible public sector organisations
-
support and protect domain names across government
-
reduce the risk of attack to services such as email, websites and digital services
The data controller for CDDO is the Cabinet Office - a data controller determines how and why personal data can be processed. Read the Cabinet Office’s entry in the Data Protection Public Register for more information.
1. What data we collect from you
We aim to collect role-based email addresses wherever possible, as this avoids our collection of personal data, and means that more than one person in your team can monitor it.
In all other circumstances, we are likely to collect the following personal data which will include your:
-
name and role
-
work email address
-
work telephone number
-
organisation and role
We may also collect personal email and physical addresses included on WHOIS data. When applying for .gov.uk domain names, we will also collect evidence of GOV.UK exemptions, permission to apply and ministerial exemptions where appropriate.
2. Our legal basis for processing your data
We need to process personal data to perform a task carried out in the public interest.
The task in this case is to process applications for .gov.uk domain names, protect public sector domains, infrastructure and digital services.
When we record events that are held virtually, the legal basis for processing your data is your consent. The full consent process is managed on an event by event basis. However, if you do not want to be recorded during a virtual event, you can simply turn your camera or microphone off.
3. Why we need your data
We need your data so we can:
-
process .gov.uk domain name applications
-
contact you regarding issues with your domains or associated services
4. What we do with your data
We will store your data in an internal database linked to organisations and domains.
We will not:
-
sell or rent your data to third parties
-
share your data with third parties for marketing purposes
We will share your data if we’re required to do so by law - for example, by court order, or to prevent fraud or other crime. In some cases we might share your personal data with officials in other government departments or public bodies. This is to assist in the development of government policy, or for operational reasons.
5. How long we keep your data
We will only keep your personal data for as long as:
-
the law requires us to
-
we need for the purposes listed above
We collect personal information such as emails and contact details in cases within our customer relationship management software. We hold cases for 7 years so that we can carry out analytics and keep track of any recurring issues. We will review whether the data still needs to be retained after 7 years.
If you ask us to remove your details from our live database we will do this within 28 days. We will ask you to provide an alternative contact to make sure that we always have a relevant contact. The process of removing your name completely may take at least 6 months due to information being stored in backups. However, we will retain information that was exchanged as part of our case records, such as emails.
In order to ensure domain related contacts stay current we will contact you every 6 months to confirm your details are still correct and you are still an active contact.
6. Where your data is processed and stored
We design, build and run our systems to make sure that your data is as safe as possible at any stage, both while it’s processed and when it’s stored.
In some cases we might share your personal data with officials in other government departments or public bodies. This is to assist in the development of government policy, or for operational reasons.
While your personal data is stored on our systems and shared with our data processors, it may be transferred and stored securely outside the UK. Where that is the case it will be subject to equivalent legal protection through the use of Standard Contract Clauses or Adequacy Decisions.
7. Who we share your data with
As part of the domain management function we share your data with other government departments, public bodies and suppliers including but not limited to:
-
the Cabinet Office
-
National Cyber Security Centre
-
the .gov.uk Registry Operator
-
the .gov.uk Approved Registrars
To provide our services we share your data with data processors who provide us with contact management, online survey tools, email verification checks, email and helpdesk services.
8. How we protect your data and keep it secure
We’re committed to doing all that we can to keep your data secure. We set up systems and processes to prevent unauthorised access to, or disclosure of, the data we collect about you. For example, we protect your data using varying levels of encryption. All third parties that process personal data for CDDO are required to keep that data secure.
9. Your rights
You have the right to request:
-
information about how your personal data is processed
-
a copy of that personal data
-
that any inaccuracies in your personal data are corrected without delay
-
that any incomplete personal data is updated - you can include the missing information in your request
-
that your personal data is erased if there is no longer a justification for it to be processed
-
that the processing of your personal data is restricted in certain circumstances - for example, where accuracy is contested
If you gave your consent for us to collect and process your data, you have the right to:
-
withdraw your consent - this can be done at any time
-
request a copy of your personal data - this copy will be provided in a structured, commonly used and machine-readable format
10. Questions and complaints
Contact the GDS Privacy Office if you:
- have any questions about anything in this document
- think that your personal data has been misused or mishandled
- want to make a subject access request (SAR)
The contact details for the data controller are: The Cabinet Office (Government Digital Service), The White Chapel Building, 10 Whitechapel High Street, London, E1 8QS, or gds-privacy-office@digital.cabinet-office.gov.uk.
The contact details for the data controller’s Data Protection Officer are: Stephen Jones, Data Protection Officer, Cabinet Office, 70 Whitehall, London, SW1A 2AS, or dpo@cabinetoffice.gov.uk.
The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, or 0303 123 1113, or casework@ico.org.uk.
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
11. Changes to this notice
We may change this privacy notice. When we make changes to this notice, the ‘last updated’ date at the top of this page will also change. Any changes to this privacy notice will apply to you and your data immediately. If these changes affect how your personal data is processed, CDDO will take reasonable steps to make sure you know.