Guidance

IT secure platform privacy notice

Updated 25 July 2024

The IT platform and operating system are provided by the Government Digital Service (GDS) which is part of the Cabinet Office.

The data controller for GDS is the Cabinet Office – a data controller determines how and why personal data can be processed. Read the Cabinet Office’s entry in the Data Protection Public Register for more information.

Why we need your data

We process your personal data in order to:

  • provide a secure IT platform and operating system so that staff can do their jobs
  • set up and remove user accounts
  • test and pilot new technology to develop, expand or upgrade the platform
  • monitor the system for potential abuses of the ICT Acceptable Usage Policy, or for fraudulent or criminal activity
  • monitor threats to the system, identifying and fixing technical issues, and identifying and tackling cyber security risks
  • support the GDS threat intelligence team in producing daily, weekly and monthly threat updates for staff by creating algorithms and programs that help us spot problem accounts and take remedial action to support our systems
  • compile anonymised office occupancy statistics and report on overall numbers of staff attending Cabinet Office locations, in order to monitor overall office usage and help inform the Cabinet Office’s future estates strategy

What data we collect from you

We process the following personal data on the IT platform:

  • name
  • job title
  • email addresses
  • telephone numbers
  • office location and team membership
  • web access logs and records of usage of the system including all emails
  • IP address
  • telemetry data
  • devices and operating systems used
  • software required, including accessibility software

Telemetry data is metadata of how the IT device is operating, for example, the list and versions of the software installed, or the time and date of when a file was downloaded and the size of the file.

The legal basis for processing your personal data is legitimate interest.

Our legitimate interest relates to monitoring threats to the system, identifying and fixing technical issues, and identifying and tracking cyber security risks. This is necessary to maintain the integrity of our IT system and the continuity of our business.

It’s also necessary for the performance of your employment contract.

Who we share your data with

As part of communications between government departments, we share your personal data with data processors who provide us with a collaboration service and IT software that underpin the IT infrastructure and services. These data processors provide cybersecurity, email, and document management and storage services.

You can read Mailchimp’s own privacy policy.

How long we keep your data

Your personal data will be kept for as long as you are in a role where you use the secure IT platform. Once you leave that role, the information will be deleted when the local records are updated. This will be at least once a year.

For Mailchimp, data will be retained for as long as the accounts are maintained and data will be deleted once the accounts are closed.

For senior leaders, such as ministers, personal data may be retained in line with the Public Records Act (or other applicable legislation) where they may be of historical interest.

Subsystems within the OFFICIAL IT retain and erase data automatically based on the purpose of the function, for example retaining technical data to enable security detection and response. These systems may retain technical data after your account has been deleted, but such technical data will be automatically deleted when no longer required for security management.

Your rights

You have the right:

  • to request information about how your personal data is processed, and to request a copy of that personal data
  • to request that any inaccuracies in your personal data are rectified without delay
  • to request that any incomplete personal data is completed, including by means of a supplementary statement
  • to request that your personal data is erased if there is no longer a justification for it to be processed
  • in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted
  • to object to the processing of your personal data where it is processed for direct marketing purposes

In relation to monitoring threats to the system, identifying and fixing technical issues, and identifying and tackling cyber security risks:

  • you have the right to object to the processing of your personal data

In relation to all other data:

  • you have the right to request a copy of any personal data you have provided, and for this to be provided in a structured, commonly used and machine-readable format

Where your data is stored

Your data is stored in Mailchimp and our internal IT systems.

As your personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the European Union. Where that is the case it will be subject to equivalent legal protection through the use of Model Contract Clauses and the suppliers' membership in the Privacy Shield scheme.

We also design, build and run our systems to make sure that your data is as safe as possible at every stage, both while it’s processed and when it’s stored.

Changes to this notice

We may change this privacy notice. When we make changes to this notice, the ‘last updated’ date at the top of this page will also change. Any changes to this privacy notice will apply to you and your data immediately. If these changes affect how your personal data is processed, GDS will take reasonable steps to make sure you know.

Questions and complaints

Contact the GDS Privacy Team if you:

  • have any questions about anything in this document
  • think that your personal data has been misused or mishandled
  • want to make a subject access request (SAR)

Cabinet Office (Government Digital Service)
The White Chapel Building
10 Whitechapel High Street
London
E1 8QS

Email: gds-data-protection@digital.cabinet-office.gov.uk

The contact details for our Data Protection Officer are:

Data Protection Officer

Cabinet Office
70 Whitehall
London
SW1A 2AS

You can also complain to the Information Commissioner, who is an independent regulator.

Information Commissioner's Office

Email icocasework@ico.org.uk

Contact form https://ico.org.uk/glo...

Telephone 0303 123 1113

Textphone 01625 545 860