Counter-Disinformation Data Platform: privacy notice
Published 16 March 2023
© Crown copyright 2023
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/counter-disinformation-data-platform-privacy-notice/counter-disinformation-data-platform-privacy-notice
Note: Due to the recent Machinery of Government (MoG) changes, responsibility for the Counter-Disinformation Data Platform (CDDP) is transitioning from the Department of Digital, Culture, Media & Sport (DCMS) to the Department for Science, Innovation & Technology (DSIT). DCMS remains the data controller and all references in this privacy notice to ‘we’, ‘us’, ‘our’ will refer to DCMS, until the transfer of functions from DCMS to DSIT is completed, at which point this notice will be updated.
The purpose of this notice is to set out how we collect and process personal data in relation to Counter-Disinformation Data Platform (‘CDDP’) when we have not obtained personal data directly from individuals. It is provided to meet the obligations set out in Article 14 of the UK General Data Protection Regulation (‘UK GDPR’) and the Data Protection Act 2018 (‘DPA’) to make information publicly available about the way in which we process personal data.
You may also find it helpful to refer to our overarching personal information charter (opens in a new tab), which sets out the standards you can expect when we collect, hold or use your personal information.
Overview of the Counter-Disinformation Data Platform (CDDP)
The CDDP is a prototype being developed to improve counter-disinformation capability across government, enabling relevant government departments to understand online misinformation (incorrect or misleading information) and disinformation (information which is deliberately created to cause harm) that risks potential harm or poses a threat to the UK in areas of public interest. It has been developed to support and coordinate the work of multiple teams across the UK Government and enhance their understanding of online disinformation and manipulation.
The CDDP works by analysing publicly available data to enable analysts to identify and monitor disinformation narratives, understand the behaviours and techniques that are amplifying them, and identify attempts to artificially manipulate the information environment.
Who is responsible for collecting data?
The Counter-Disinformation Data Platform has been developed to support the UK government’s efforts to counter disinformation online. The CDDP aims to improve cross-government disinformation analysis capabilities allowing the UK to better understand and mitigate the potential threats posed by disinformation.
DCMS is the controller for the personal information we process under UK GDPR, unless otherwise stated.
What is the purpose for which we collect personal data?
To help us analyse the disinformation threats online, we collect content from publicly available social media platforms. The purpose of our work is to conduct an evidence-based approach to countering harmful disinformation online, through aggregated analysis of publicly available information on social media sites. We can generally achieve our purpose without processing personal data, but the content we review may include the names and opinions of individuals. It may also incidentally include personal data that may be embedded within material that you or others may have published on those sites (for example usernames, social media handles, contact information, personal data embedded within comments or metadata). In some cases, this may include special categories of personal data such as political or philosophical opinions. See What is the legal basis for processing data below for more information.
It is important to note:
- we have adopted a number of measures to limit the personal data we hold about individuals, for example measures to remove personal data from data inputs wherever possible
- we do not collect or review private online information (material that is not made available on a public page)
What is the legal basis for processing data?
Our legal reason for collecting or processing personal data is set out in Article 6(1)(e) of the UK GDPR as the processing is necessary for us in our work as a public body and in the public interest. In particular, the processing is necessary for the exercise of our function as the government department responsible for addressing disinformation online, as permitted under section 8(d) of the Data Protection Act 2018.
The CDDP does not seek to collect special categories of personal data but we may do so incidentally (for example, where it is included in social media posts). To the extent that we do so, our legal reason for processing this information is that the processing is necessary for reasons of substantial public interest for the exercise of a function of a government department (article 9(2)(g) UK GDPR and paragraph 6 to Schedule 1 Part 2 of the Data Protection Act 2018).
Who will personal data be shared with?
We may share our analysis with other government departments whose departmental responsibilities include countering disinformation or impacted policy areas, in order for them to better understand the threat landscape. Any insights we provide will generally be on an aggregated basis. Where content is shared, measures are taken to minimise inclusion of any personal data.
A number of service providers are helping us to help develop the CDDP. Any access they may have to personal data will be strictly controlled in accordance with the requirements of UK GDPR to ensure they only process personal data to our instruction and implement appropriate technical and organisational measures to protect the security and confidentiality of information.
How long will data be held for?
We will only retain personal data for as long as it is needed in accordance with the purposes for which it was collected. This is typically no more than 2 years from collection, in line with our retention policy, unless, for example, the law requires us to keep the information for longer, such as for a public inquiry.
Will data be used for automated decision making or profiling?
No. We have no intention to undertake automated decision making, or profiling as anticipated in Article 22 of the UK GDPR.
Will data be transferred outside the UK and if it is how will it be protected?
We will not send personal data beyond the European Economic Area (where it is protected by equivalent legal safeguards to those in the UK).
Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices of the other websites you visit.
Understanding data protection rights
You have rights in relation to your personal data under the UK GDPR and the DPA 2018. If you would like further information regarding these rights and how to exercise them, please refer to our personal information charter and / or the Information Commissioner’s Office (ICO) website. The ICO is the supervisory authority for data protection legislation, and maintains a full explanation of these rights on their website
We will ensure that we uphold your rights when processing any of your personal data.
Our contact details
The contact details for the data controller’s Data Protection Officer (DPO) are:
Data Protection Officer
The Department for Digital, Culture, Media & Sport
100 Parliament Street
London
SW1A 2BQ
Email: dpo@dcms.gov.uk
If you’re unhappy with the way we have handled your personal data and want to make a complaint, please write to the department’s Data Protection Officer or the Data Protection Manager at the relevant agency. You can contact the department’s Data Protection Officer using the details above.
How to contact the Information Commissioner’s Office
If you believe that your personal data has been misused or mishandled, we would always hope that we can resolve the issue with you directly, using our contact information set out above. However, you may make a complaint to the Information Commissioner, who is an independent regulator and can be contacted as follows:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Website: www.ico.org.uk
Telephone: 0303 123 1113
Email: casework@ico.org.uk
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
Changes to our privacy notice
We may make changes to this privacy policy. In that case, the ‘last updated’ date at the bottom of this page will also change. Any changes to this privacy policy will apply to you and your data immediately.
If these changes affect how your personal data is processed, we will take reasonable steps to let you know.
This notice was last updated on 16/03/2023.