Guidance

Privacy Notice for management of cyber security events

Published 16 April 2025

This notice sets out how we will use your personal data, and your rights. It is made under Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR). 

Your data

Purpose

The purposes for which we are processing your personal data are: 

The Government Cyber Coordination Centre (GC3) is undertaking activities described below that may involve the processing of personal data (in, for example, incident reports).

The management of cyber security events across Government through the use of a case management system, which includes creating and managing user access.

The data

We will process the following personal data: 

For users: 

Name, email address, organisation, role, IP address.

For incident reports: 

It is possible, although unlikely, that personal information could be captured in incident reports on the case management system. This could, as an example, include names or email addresses of persons who have been affected by the incident.

The legal basis for processing your personal data is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In this case, that is the logging, tracking and management of identified security incidents, threats or vulnerabilities across UK Government.

Recipients

Your personal data will be shared by us with the Department for Science, Innovation and Technology and the National Cyber Security Centre as required. 

As your personal data will be stored on our IT infrastructure it will also be shared with our data processors who provide case management, email, and document management and storage services.  

Retention 

We will keep your information in incident reports for 3 years, although there may be some cases where we will keep it longer. This could be because of a serious or significant incident which has historical and impactful importance, where the data needs to be kept for our records.

We will keep user data for as long as the user requires access.

Where personal data have not been obtained from you

Your personal data were obtained by us from the normal operations of GC3 to identify, track and manage identified security incidents, threats or vulnerabilities.

Your rights

You have the right to request information about how your personal data are processed, and to request a copy of that personal data. 

You have the right to request that any inaccuracies in your personal data are rectified without delay. 

You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement. 

You have the right to request that your personal data are erased if there is no longer a justification for them to be processed. 

You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted. 

You have the right to object to the processing of your personal data.

International transfers

As your data will be shared with our IT supplier who provides case management services to us, it may be stored securely outside the UK. Where that is the case, it will receive equivalent legal protection through the use of an adequacy decision and Model Contract Clauses.

Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator.  The Information Commissioner can be contacted at: 

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

or 0303 123 1113, or icocasework@ico.org.uk

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts. 

Contact details

The data controllers for your personal data are the Cabinet Office and the Department for Science, Innovation and Technology acting jointly. The contact details for the lead data controller are:

Cabinet Office
70 Whitehall
London
SW1A 2AS

or 0207 276 1234, or https://www.gov.uk/guidance/contact-the-cabinet-office 

The contact details for the lead data controller’s Data Protection Officer are: dpo@cabinetoffice.gov.uk

The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.