Statutory guidance

Joint data controller Memorandum of Understanding (MOU) under Article 26 UK GDPR - Cabinet Office and Civil Service Participating Organisations

Updated 3 September 2024

This MOU is made between Cabinet Office and organisations participating in the Civil Service People Survey (CSPS), referred to jointly in this document as the Parties. It remains valid until superseded by a revised MOU mutually endorsed by the Parties. All services provided up to the date of termination shall be properly accounted for in accordance with the terms of this MOU.

Signed For and on behalf of participating organisation:

Name: A list of signatory organisations can be found at Annex A.

Date: 06 August 2024

Signed For and on behalf of Cabinet Office:

Name: Lisa Jordan

Position: Head of Analysis and Insight Division and Chief Economist, Cabinet Office

Date: 06 August 2024

1. MOU Purpose

The purpose of this MOU is to explain the role that the Cabinet Office and the role that organisations participating in the Civil Service People Survey (CSPS) each play in deciding what personal data is collected from staff working in the Civil Service, as part of the CSPS programme. Organisations which participate are considered joint-controllers of their own organisation’s data, with the Cabinet Office, as both parties influence which data are collected, when data are collected and who data are collected from.

2. Overview

The Civil Service People Survey is an annual staff survey that offers all civil servants the opportunity to share their views and experiences on a range of workplace topics. The survey is delivered by the experience management software company Qualtrics. The contract with Qualtrics to deliver the survey (and associated results reporting) is held by the Cabinet Office on behalf of all participating organisations. Qualtrics is a data processor under the terms of this contract.

2A. User Research

Cabinet Office and Qualtrics will conduct user research with a range of stakeholders across the Civil Service to help ensure the survey platform and reporting products adhere to the principles set out in the Government Service Standard[footnote 1] and meet users’ needs. They will design and conduct the user research, and analyse the findings.

In some cases, organisations will help recruit volunteers from their organisation to participate in the user research, and in these instances will be considered joint controllers of the user research with the Cabinet Office because they are playing a role in collecting personal data (the contact information of the research participants).

2B. Questionnaire

The majority of questions in the CSPS are agreed between Cabinet Office and Qualtrics, as is the timing of the main survey (which runs in September/October/November), the delivery mechanism and reporting products. However, organisations participating in the survey can also decide to add some ‘local questions’ on additional topics for staff in their organisation to answer, and ask to show their local grades rather than their Civil Service equivalents.

Where organisations do ask local questions and/or provide local grades, they are considered joint controllers of their survey with the Cabinet Office as they are taking a role in deciding what survey data (which constitutes personal data) is collected.

2C. Survey Data

While we do not ask survey respondents to personally identify themselves, it may be possible in a small number of cases for individuals to be identifiable from a combination of their responses to demographic questions. Personal data may also be submitted in free text boxes. For this reason, the Cabinet Office treats People Survey data as personal data. 

All individual-level responses to the People Survey will be seen by the Cabinet Office’s central Analysis and Insight Directorate and their survey supplier. Cabinet Office may also share an organisation’s individual survey responses with a qualified analyst from that organisation for further analysis, and may disclose each organisation’s data in compliance with a Freedom of Information request or in response to a court order or other legal obligation where it would not breach respondents’ data protection rights to do so.

Where organisations nominate a qualified analyst to sign a Data Sharing Agreement with Cabinet Office to access their own organisation’s individual level data, and that data has been shared, then they will be considered joint-controllers of this data.

2D. Dashboards

Cabinet Office and Qualtrics will design a series of digital dashboards to report the results from the CSPS for each organisation. Each organisation will be responsible for deciding who within their organisation can see the dashboards, and for deciding how they will access the dashboards (either by providing the names and email addresses of permitted staff members, or a generic email for use by multiple employees). Organisations will be responsible for ensuring their dashboard access list is up-to-date, and for removing users if they move on from their role or ask to be removed. Cabinet Office and Qualtrics will also be able to update user permissions on request.

All organisations who provide the names and email addresses of staff members to access the digital dashboards will be considered joint-controllers of this data.

2E. Pulse Surveys

Cabinet Office and Qualtrics may offer organisations the opportunity to participate in smaller pulse surveys on an ad hoc basis. If an organisation decides to participate in any pulse survey and influences the question content or dashboard user access, then they will be considered joint-controllers of their organisation’s data.

3. Data Protection

Cabinet Office and organisations who participate in the CSPS or pulse surveys under the same contract will comply with all relevant provisions of the United Kingdom General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, and will actively work to ensure that both parties comply with the Regulation.

3A. Cabinet Office and Participating Organisation responsibilities as joint data controllers

Under Article 26 (Joint Data Controllers) Cabinet Office and participating organisations will act as joint data controllers in the circumstances set out in sections 2A to 2E above, and in respect of any personal data pursuant to this MOU.

They will only process such personal data to the extent necessary to meet the purposes of the survey. These are:

  • To help leaders at all levels of the Civil Service identify where there are problems in their organisations, who they affect, and to help them to take action to improve staff experiences;
  • To provide comparable data so that senior leaders can be held accountable for people management in a consistent way;
  • Common data across the Civil Service creates a common currency and language to share experiences.

Data stored on Cabinet Office IT infrastructure may be transferred and stored securely outside the UK. Data stored on Qualtrics platforms may be transferred and stored securely in Frankfurt, Germany. Where either of these are the case, or where a participating organisation stores or processes personal data pursuant to this MOU outside of the UK, it will be subject to equivalent legal protection through the use of Model Contract Clauses.

Cabinet Office and participating organisations will ensure that they have appropriate technical and organisational procedures in place to protect any personal data they are processing. This includes any unauthorised or unlawful processing, and against any accidental disclosure, loss, destruction or damage.

Cabinet Office will promptly inform affected organisations, and vice versa, of any unauthorised or unlawful processing, accidental disclosure, loss, destruction or damage to any such personal data. Both parties will also take reasonable steps to ensure the suitability of their staff having access to such personal data.

3B. Specific Cabinet Office Responsibilities

Cabinet Office has the following specific responsibilities:

  • Carrying out any required Data Protection Impact Assessment for the CSPS project and pulse surveys.
  • Defining and managing the contractual relationship with Qualtrics.
  • Following Cabinet Office Data Security Guidance to ensure that the necessary measures are taken to protect personal data.
  • Ensuring Cabinet Office staff are appropriately trained in how to use and look after personal data, and follow approved processes for data handling.
  • Ensuring Cabinet Office staff have appropriate security clearance to handle personal information collected during the CSPS.
  • Providing a data sharing agreement to enable sharing of individual-level data with organisations that participate in the survey.
  • Secure transfer of individual-level data to participating organisations who have signed the data sharing agreement.
  • Coordinating responses to Data Subject Requests where data is required from multiple organisations or systems.
  • Reporting any data breaches within Cabinet Office to their Data Protection Officer and any reportable breaches to the ICO and affected data subjects as required.
  • Maintaining any Article 30 processing records for data held on CO systems.

3C. Specific Participating Organisation Responsibilities

Participating organisations will have the following responsibilities:

  • Defining local questions and local grades asked in the main CSPS and in some cases ad hoc pulse surveys.
  • Identifying members of staff to participate in CSPS user research.
  • Looking after any individual-level survey data for the organisation, if obtained from the Cabinet Office, in accordance with the Data Sharing Agreement.
  • Deciding who within their organisation can access their organisation’s CSPS and pulse survey dashboards, deciding how access will be granted (though unique or generic logins), and keeping their dashboard access list up-to-date.
  • Informing Cabinet Office of any Data Subject Requests for data collected in the main CSPS within two weeks of receipt of the request.
  • Responding to Data Subject requests where data relates only to their own staff, including requests to change access to the dashboards.
  • Reporting any data breaches within their organisation to their Data Protection Officer and any reportable breaches to the ICO and affected data subjects.
  • Maintaining any Article 30 processing records for data held on organisation systems.

4. Individual rights

UK GDPR specifies new rights for individuals over the processing of their data. These rights, and the process an individual should follow when making a request, are listed in the CSPS privacy notices for user research participants, survey respondents, and dashboard users.

Data Subject requests (such as for rectification or erasure) and general enquiries may be directed to Cabinet Office (csps@cabinetoffice.gov.uk), or organisations participating in the survey.

In response to any subject access request, Cabinet Office or the relevant participating organisation will undertake a proportionate and reasonable search and respond within one month of the original request. Depending on the details of the request, the Cabinet Office will coordinate the collation of data from relevant parties and ensure that the requestor receives a response. The relevant participating organisation will support this process by responding in a timely manner and providing the relevant data.

5. Data breach

Cabinet Office is responsible for reporting any breach within Cabinet Office to their Data Protection Officer (DPO), and reporting any breaches within Qualtrics (and their implementation partner SplitPin) to their DPO. Where such breaches are reportable, Cabinet Office will report them to the ICO and affected data subjects. Cabinet Office will also inform any organisations participating in the survey affected by the breach (i.e. if it relates to survey responses or email addresses from staff in their organisation). Any breach under relevant data protection legislation will be reported to the Information Commissioner within 72 hours, in consultation with the Cabinet Office DPO.

Qualtrics and their implementation partner SplitPin are responsible for reporting any data breaches within their systems to their DPO as well as to the Cabinet Office.

Organisations are responsible for reporting any data breaches within their systems to their Data Protection Officer as well as to the Cabinet Office. They should also report any reportable breaches to the ICO and data subjects as appropriate.

6. Data retention

6A. Survey data

Individual-level survey data will be held by the Cabinet Office for statistical purposes for 10 years after the date the survey is completed (there is regularly the requirement to do time series analysis), at which point retention will be reviewed. If the data are no longer in use at this point, they will be deleted; if they are still in use, they will be retained, but their retention will (from then on) be reviewed on an annual basis.

This data will also be held by the Cabinet Office’s survey supplier for up to 5 years after the date the survey is completed, or when asked by the Cabinet Office to delete it.

Any organisation receiving the individual-level survey data for their organisation, from Cabinet Office, will be the controller of those data and therefore responsible for determining how long they will be retained by their organisation.

Aggregated survey data does not count as personal data and will therefore be kept indefinitely, or until no longer considered useful.

6B. User research data

Contact information for individuals who participate in CSPS user research will be retained by the Cabinet Office until March 2021, or until Cabinet Office are notified in writing by the individual that they no longer wish to participate (whichever comes first). Cabinet Office will retain the anonymised opinion data indefinitely, until it is no longer needed to inform the delivery of the CSPS.

Any organisation who has identified members of staff to participate in CSPS user research will be the controller of those data and therefore responsible for determining how long the contact details will be retained by their organisation.

Addendum (September 2021)

The above text in section 6B contains an error regarding the date that contact information for individuals who participate in CSPS user research will be retained by the Cabinet Office. The correct year is 2024. The revised text is:

Contact information for individuals who participate in CSPS user research will be retained by the Cabinet Office until end 2024, or until Cabinet Office are notified in writing by the individual that they no longer wish to participate (whichever comes first).

6C. User logins

Contact information for organisation survey and engagement managers will be held and used by the Cabinet Office while that individual performs this role. When the Cabinet Office is notified in writing that that individual no longer performs this role, then their contact information will be deleted.

Email addresses for organisation survey and engagement managers to receive access to the survey building platform and dashboards will be stored and used by Qualtrics (and their implementation partner SplitPin) while they are under contract with Cabinet Office. Individuals will be removed from the list when Cabinet Office are informed in writing that they have moved on from their role or should no longer have access.

Email addresses for staff in organisations to receive access to survey results dashboards will be stored and used by Qualtrics (and their implementation partner SplitPin) while they are under contract with Cabinet Office. Organisation survey and engagement managers will manage this list and individuals will be removed from the list whenever the survey or engagement manager, or Cabinet Office, are informed in writing that they should no longer have access.

7. Publishing this MOU

The Cabinet Office will take responsibility for publishing this MOU.

8. Contact information

If you have any questions about this MOU, please contact: CSPS@cabinetoffice.gov.uk 

Annex A - List of signatory organisations

  • Acas
  • Accountant in Bankruptcy
  • Active Travel England
  • Attorney General’s Office
  • Animal and Plant Health Agency
  • Building Digital UK
  • Cabinet Office
  • Charity Commission
  • Crown Commercial Service
  • Centre for Environment, Fisheries and Aquaculture Science
  • Companies House
  • Criminal Injuries Compensation Authority
  • Competition and Markets Authority
  • Crown Office and Procurator Fiscal Service
  • Crown Prosecution Service
  • Department for Business and Trade
  • Department for Culture, Media & Sport
  • Department for Energy Security and Net Zero
  • Department for Environment, Food and Rural Affairs
  • Defence Equipment & Support
  • Defence Science and Technology Laboratory
  • Department for Education
  • Department for Science, Innovation and Technology
  • Department for Transport
  • Department of Health and Social Care
  • Disclosure Scotland
  • Driver and Vehicle Licensing Agency
  • Driver and Vehicle Standards Agency
  • Department for Work and Pensions
  • Education Scotland
  • Estyn
  • Foreign, Commonwealth and Development Office
  • FCDO Services
  • Food Standards Agency
  • Food Standards Scotland
  • Forestry and Land Scotland
  • Government Actuary’s Department
  • Government Internal Audit Agency
  • Government Legal Department
  • Government Property Agency
  • HMCPSI
  • HM Courts and Tribunals Service
  • His Majesty’s Inspectorate of Constabulary and Fire & Rescue Services
  • HM Land Registry
  • His Majesty’s Prison and Probation Service HQ
  • HM Prison Service
  • HM Revenue & Customs
  • HM Treasury
  • Health and Safety Executive
  • Home Office
  • The Insolvency Service
  • The Institute for Apprenticeships and Technical Education
  • Intellectual Property Office
  • Legal Aid Agency
  • Maritime and Coastguard Agency
  • Met Office
  • Medicines and Healthcare products Regulatory Agency
  • Ministry of Defence
  • Ministry of Justice HQ
  • Ministry of Housing, Communities & Local Government
  • Ministry of Justice Arm’s Length and Other Bodies
  • National Crime Agency
  • National Infrastructure Commission
  • National Records of Scotland
  • National Savings & Investment
  • Office of Gas and Electricity Markets
  • Office of Qualifications and Examinations Regulation
  • Office for Standards in Education, Children’s Services and Skills
  • Office for National Statistics
  • Office of the Public Guardian
  • Office of Rail and Road
  • Office of the Scottish Charity Regulator
  • Ofwat
  • The Planning Inspectorate
  • Probation Service
  • Registers of Scotland
  • Rural Payments Agency
  • Revenue Scotland
  • Student Awards Agency Scotland
  • Scottish Courts and Tribunals Service
  • Scottish Forestry
  • Scottish Government
  • Scottish Housing Regulator
  • Scottish Public Pensions Agency
  • Scottish Prison Service
  • Scotland, Wales & Northern Ireland Offices (Office of the Secretary of State for Scotland and the Office of the Advocate General; Office of the Secretary of State for Wales; Northern Ireland Office)
  • Serious Fraud Office
  • Social Security Scotland
  • Submarine Delivery Agency
  • The National Archives
  • Transport Scotland
  • UK Debt Management Office
  • UK Export Finance
  • UK Health Security Agency
  • UK Hydrographic Office
  • UK Statistics Authority
  • UK Space Agency
  • Valuation Office Agency
  • Vehicle Certification Agency
  • Veterinary Medicines Directorate
  • Welsh Government
  • Welsh Revenue Authority
  • Wilton Park