Notice

Request for information from DSIT: privacy notice

Published 21 June 2024

This notice sets out how we will process your personal data, and your supplementary rights, for when you request recorded information under the Freedom of Information Act (2000) and the Environmental Information Regulations (2004). It is made under Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR).

For the purposes of UK GDPR, the Department for Science, Innovation and Technology (DSIT) is the data controller.

Your data

To process your Freedom of Information Act (FOIA) request and Environmental Information Regulations (EIR) request, we require the following personal data:

• Name
• Correspondence address
• Your request

We may also process other personal data if you volunteer it, which may include special category or criminal offence data.

Please note that we do not require your special category or criminal offence data to process your FOI or EIR request. We therefore ask that you do not volunteer any such data when submitting your request.

Purpose

The purpose(s) for which we are processing your personal data is so that we can record and respond to your request for information under the FOIA and the EIR.

Legal basis of processing

The legal basis for processing your personal data under Article 6 of the UK GDPR is:

Article 6(1)(c): Processing is necessary for us to comply with the legal obligations under the Freedom of Information Act (2000) and the Environmental Information Regulations (2004).

The legal basis for processing your special category or criminal offence data under Article 9 of the UK GDPR is Article 9(2)(g): Processing is necessary for reasons of substantial public interest for the exercise of a function of the Crown, a Minister of the Crown or a government department (paragraph 6, schedule 1, DPA). This is to fulfil the legal obligations under the FOIA and EIR.

The processing of personal data relating to criminal convictions and offences or related security measures, is not carried out under official authority, but is authorised because it meets one of the following conditions from Schedule 1 of the DPA 2018: Extension of conditions in Part 2 of Schedule 1 referring to substantial public interest (paragraph 36). 

Recipients

Your personal data will be processed by our supplier of case management system (data processor). Data protection assurance is provided through contractual agreements.

As part of our IT infrastructure, your personal data will be stored on systems provided by our data processors - Microsoft and Amazon Web Services. This does not mean we actively share your personal data with these entities; rather, they are technical service providers who host infrastructure supporting our IT systems.

Retention

Your personal data will be retained by the department where such retention is necessary for compliance with a legal obligation to which we are subject.

Personal data held in relation to FOI and data subject requests and Internal reviews will be kept by the department for up to two years from the date the case has been closed on our system, unless the case has escalated to the Information Commissioner’s Office (ICO). In the event of the latter, we shall retain your data for three years from the date the ICO case has been closed on our system to maintain an appropriate record in case of further appeals.

Automated decision making

Your personal data will not be subject to automated decision making.

International Transfers

As your personal data is stored on our IT Infrastructure, and shared with our data processors, your personal data may be processed at data centres outside of the UK.

Your data will however remain within the European Economic Area (EEA) and will receive the same level of protection in the EEA, as it does in the UK, through the safeguard of Adequacy Decisions.

Your rights 

You have the right to:

• request information about how your personal data are processed, and to request a copy of that personal data.
• request that any inaccuracies in your personal data are rectified without delay.
• request that any incomplete personal data are completed, including by means of a supplementary statement.
• request that your personal data are erased if there is no longer a justification for them to be processed.
• in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.
• to object to the processing of your personal data.

To exercise your rights please contact the Data Protection Officer using the contact details below. 

Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an UK independent regulator. The Information Commissioner can be contacted at:

Information Commissioner's Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Email casework@ico.org.uk

Telephone 0303 123 1113

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Contact details

The data controller for your personal data is the Department for Science, Innovation and Technology (DSIT).

You can contact the DSIT Data Protection Officer at:

DSIT Data Protection Officer

Department for Science, Innovation and Technology
22-26 Whitehall
London
SW1A 2EG

Email dataprotection@dsit.gov.uk

If you are unhappy with the way we have handled your personal data, please write to the department’s Data Protection Officer in the first instance using the contact details above.

Updates to this notice

If this privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it, and under what circumstances we will share it with other parties. The ‘last updated’ date at the bottom of this page will also change.

If these changes affect how your personal data is processed, we will take reasonable steps to let you know.

Last updated: 6 June 2024.