Guidance

Government Security Profession (GSP) Database MOU

Updated 31 October 2024

1. Joint data controller memorandum of understanding under Article 26 GDPR

This MOU is made between Cabinet Office and the employing departments listed at Annex B, referred to jointly in this document as the Parties. It remains valid until superseded by a revised MOU mutually endorsed by the Parties.

1.1 MOU Purpose

The purpose of this MOU is to explain the nature of the personal data collected and processed as part of the Government Security Profession Database, and the roles of the Parties, who are joint-controllers of this data.

1.2 Overview

The GSP database holds information on all Government Security Profession Civil Servants & Contractors employed across government departments. The data is updated on an annual basis by employing departments, sourced from both information held by the department and through departments surveying the member directly. The information is collated at the Cabinet Office into an amalgamated cross government database of Government Security Profession Civil Servants & Contractors.

The database contains both personal information and sensitive personal information. The data are classified as Official-Sensitive. Further detail on the data collected can be found in the ‘Your data’ section of the Privacy Notice.

1.3 Cabinet Office and employing government department’s responsibilities as joint data controllers

Under Article 26 (Joint Data Controllers) Cabinet Office and the employing departments will act as joint data controllers, in respect of any personal data pursuant to this MOU. Cabinet Office will only process personal data to the extent necessary to meet the purposes as set out in the relevant Privacy Notices issued by both Cabinet Office and employing departments. For Cabinet Office specifically these are:

  • to design and implement workforce strategies and the general management/employment of the Government Security Profession and the Government Security function;
  • for succession planning and deployment decisions;
  • to identify skills and experience to aid in workforce planning and to facilitate the targeting of talent management or other development initiatives;
  • to provide an up-to-date picture of the security profession in departments and bench mark across Government to inform capability delivery plans;
  • to continue to build an understanding of the security profession and its makeup to inform work to include D&I, SCS Leadership, Role Mapping and Pay and the Career Framework;
  • to enable tracking and measurement of the implementation of initiatives;
  • to monitor and report management and statistical information to officials across the Civil Service and for use in the public domain including diversity monitoring information;
  • to report and publish management and statistical information in a non- identifiable aggregated format including diversity monitoring information.

The parties will ensure that they have appropriate technical and organisational procedures in place to protect any personal data they are processing. This includes unauthorised or unlawful processing, and protection against any accidental disclosure, loss, destruction or damage. Cabinet Office will promptly inform employing departments, and vice versa, of any unauthorised or unlawful processing, accidental disclosure, loss, destruction or damage to any such personal data. Both parties will take reasonable steps to ensure the suitability of their staff having access to such personal data.

Neither the Cabinet Office nor participating organisations will transfer any personal data it is processing outside of the UK and the European Economic Area, unless appropriate legal safeguards are in place, such as Model Contract Clauses.

1.4 Specific Cabinet Office responsibilities as joint data controllers:

  • Carrying out any required Data Protection Impact Assessment for the Government Security Profession database for related Cabinet Office activities.
  • Commissioning the updated annual departmental datasets from departments. Details can be found in Annex B.
  • Maintaining and compiling the amalgamated ‘GSP database’ from departmental datasets.
  • Following Cabinet Office Data Security Guidance to ensure that the necessary measures are taken to protect personal data.
  • Ensuring approved staff are appropriately trained in how to use and look after personal data, and follow approved processes for data handling.
  • Ensuring staff have appropriate security clearance to handle personal information held as part of the database.
  • Ensuring an appropriate level of technical and organisational security for the personal data, including restricting access to the database to approved staff only.
  • Comply with the data protection principles, and with all relevant data protection legislation.
  • Maintaining a PDPR (Personal Data Processing Record) and Privacy Notice for the cross-Civil Service GSP dataset and adhering to the retention policy and processing purposes stated therein.
  • Responding to data subject requests in relation to the cross-Civil Service GSP dataset, such as for access (SARs), rectification or erasure and liaising as necessary with the employing department.
  • Restrict access to the personal data to only the officials detailed in the ‘Recipients’ section of the Privacy Notice.
  • Providing a data sharing agreement for sharing the cross-Civil Service GSP dataset with any separate data controllers.
  • Secure transfer of personal data both internally and externally from CO. Details can be found at Annex A.
  • Cabinet Office is responsible for reporting any reportable breach within Cabinet Office to their Data Protection Office and the ICO within 72 hours, in consultation with the employing departments Data Protection Officer.

1.5 Specific employing department’s responsibilities as joint data controllers:

  • Updating their departmental dataset and providing the dataset to Cabinet Office on an annual basis.
  • Following their departmental Security Guidance to ensure that the necessary measures are taken to protect personal data.
  • Ensuring staff are appropriately trained in how to use and look after personal data, and follow approved processes for data handling.
  • Ensuring staff have appropriate security clearance to handle personal information.
  • Ensuring an appropriate level of technical and organisational security for the personal data, including restricting access to the database to approved staff only and ensuring staff follow approved processes for data handling.
  • Comply with the data protection principles, and with all relevant data protection legislation.
  • Ensuring that where the cross-Civil Service GSP dataset is used for their own departmental purposes that any necessary Privacy Notices are provided to data subjects.
  • Responding to data subject requests in respect of departmental GSP data, such as for access (SARs), rectification or erasure and liaising as necessary with Cabinet Office.
  • Secure transfer of personal data both internally and externally from the department.
  • Employing departments are responsible for reporting any reportable data breaches within the department to their Data Protection Officer and ICO within 72 hours, in consultation with the Cabinet Office.

1.6 Data retention

Although spreadsheets collected in the main Government Security Profession database are anonymised, Cabinet Office have taken the decision to class spreadsheet data as personal data under the legislation. This is because it may be possible to identify an individual at the point that a spreadsheet response is reviewed.

Responses collected in the Government Security Profession database will be held by the Cabinet Office for statistical purposes (there is regularly the requirement to do time series analysis) and personal data will be kept by us for 5 years to allow for trend analysis over a period of time. We will keep aggregate depersonalised data indefinitely. The responses will never be used to make decisions about individuals.

Any organisation participating in the Government Security Profession database will hold a spreadsheet and will receive report data for their organisation from Cabinet Office, will be the controller of those data, and therefore responsible for determining how long they will be retained by their organisation.

Aggregate results from the Government Security Profession database (which do not count as personal data) will be kept indefinitely, or until they are no longer considered useful by the organisation.

Email addresses for engagement managers will be held and used by the Cabinet Office while that individual performs this role. When the individual no longer performs this role, then their email will be deleted.

1.7 Publishing this MOU

The Cabinet Office will take responsibility for publishing this MOU.

2. Annex A - List of departments

ATTORNEY GENERAL’S OFFICE
CABINET OFFICE
CHARITY COMMISSION
COMPETITION & MARKETS AUTHORITY
CROWN PROSECUTION SERVICES
DEPARTMENT FOR BUSINESS, ENERGY & INDUSTRIAL STRATEGY
DEPARTMENT FOR EDUCATION
DEPARTMENT FOR ENVIRONMENT, FOOD AND RURAL AFFAIRS
DEPARTMENT FOR INTERNATIONAL TRADE
DEPARTMENT FOR TRANSPORT
DEPARTMENT FOR WORK AND PENSIONS
DEPARTMENT OF DIGITAL, CULTURE, MEDIA & SPORT
DEPARTMENT OF HEALTH AND SOCIAL CARE
DRIVER AND VEHICLE LICENSING AGENCY
DRIVER AND VEHICLE STANDARDS AGENCY
FOOD STANDARDS AGENCY
FOREIGN, COMMONWEALTH AND DEVELOPMENT OFFICE
FORESTRY COMMISSION
GOVERNMENT ACTUARY’S DEPARTMENT
GOVERNMENT LEGAL DEPARTMENT
HIGHWAYS ENGLAND
HM LAND REGISTRY
HM REVENUE & CUSTOMS
HM TREASURY
HOME OFFICE
MARITIME & COASTGUARD AGENCY
MINISTRY FOR HOUSING, COMMUNITIES AND LOCAL GOVERNMENT
MINISTRY OF DEFENCE
MINISTRY OF JUSTICE
NATIONAL CRIME AGENCY
NATIONAL SAVINGS & INVESTMENT
NORTHERN IRELAND OFFICE
OFFICE FOR NATIONAL STATISTICS
OFFICE FOR STANDARDS IN EDUCATION, CHILDREN’S SERVICES AND SKILLS
OFFICE FOR THE SECRETARY OF STATE FOR SCOTLAND
OFFICE OF GAS AND ELECTRICITY MARKETS
OFFICE OF QUALIFICATIONS AND EXAMINATIONS REGULATION
OFFICE OF RAIL & ROAD
OFFICE OF THE SECRETARY OF STATE FOR WALES
ORDNANCE SURVEY
SERIOUS FRAUD OFFICE
SUPREME COURT OF THE UNITED KINGDOM
THE NATIONAL ARCHIVE
TRAFFIC COMMISSIONERS FOR GREAT BRITAIN
UK EXPORT FINANCE
UK SPACE AGENCY
VEHICLE CERTIFICATE AGENCY
WATER SERVICES REGULATION AUTHORITY