Notice

Counter-Disinformation Unit – open source information collection and analysis: privacy notice

Published 16 March 2023

Note: Due to the recent Machinery of Government (MoG) changes, the Counter Disinformation Unit (CDU) is in the process of transitioning from the Department of Digital, Culture, Media & Sport (DCMS) to the Department for Science, Innovation & Technology (DSIT). DCMS remains the data controller and all references in this privacy notice to ‘we’, ‘us’, ‘our’ will refer to DCMS until the transfer of functions from DCMS to DSIT is completed, at which point this notice will be updated.

The purpose of this privacy notice is to explain how the Counter Disinformation Unit (‘CDU’) collects and processes your personal data when we have not obtained personal data directly from you. It is provided to meet our obligations set out in Article 14 of the UK General Data Protection Regulation (‘UK GDPR’) and the Data Protection Act 2018 (‘DPA 2018’) to make information publicly available about the way in which we process personal data.

You may also find it helpful to refer to our personal information charter (opens in a new tab), which sets out the standards you can expect when we collect, hold or use your personal information.

Who is responsible for collecting my data?

The CDU leads the UK government’s operational response to disinformation threats online, and ensures the government takes necessary steps to identify and respond to acute misinformation (i.e. incorrect or misleading information) and disinformation (i.e. information which is deliberately created to cause harm) in areas of public interest.

DCMS is the controller under UK GDPR for the personal information we process, unless otherwise stated.

What is the purpose for which we collect personal data?

The purpose of the CDU’s work is focused on helping the government understand online disinformation narratives and attempts to artificially manipulate the information environment. The CDU takes an evidence-based approach to countering harmful disinformation online, through aggregated analysis of publicly available information, typically from social media. Whilst this data is anonymised wherever possible, the content we review may incidentally include personal data (for example usernames, social media handles, contact information, or personal data embedded within comments or metadata) that may be embedded within material that you or others may have published on those sites, e.g. on social media. In some cases, such content may include special categories of personal data, such as political or philosophical opinions. See What is the legal basis for processing data below for more information.

It is important to note we do not collect or review private online information (i.e. material that is not made available on a public page).

What is the legal basis for processing my data?

Our legal reason for collecting or processing personal data is set out in Article 6(1)(e) of the UK GDPR as the processing is necessary for us in our work as a public body and in the public interest. In particular, the processing is necessary for the exercise of our function as the government department responsible for addressing disinformation online, as permitted under section 8(d) of the DPA 2018.

The CDU does not seek to collect special categories of personal data, but we may incidentally process such data (for example, where it is included in social media posts). To the extent we do so, our legal reason for processing this information is that the processing is necessary for reasons of substantial public interest for the exercise of a function of a government department (article 9(2)(g) UK GDPR and paragraph 6 to Schedule 1 Part 2 of the DPA 2018).

Who will personal data be shared with?

We may share our analysis with other government departments whose work is impacted by disinformation. Any insights we provide will generally be on an aggregated basis. Where specific content is shared, personal identifiers will be redacted where possible.

If any of the content the CDU reviews may infringe the moderation policies of the social media platforms from which the content derived, the CDU may notify the relevant platform. The platform will make a decision whether to take any action consistent with their policies. The information CDU shares with social media providers is limited to sending links to content of concern, or aggregated overarching trends.

The CDU has appointed a third party to help conduct analysis of social media platforms. Any access they may have to personal data will be strictly controlled in accordance with the requirements under UK GDPR.

How long will my data be held for?

We will only retain your personal data for as long as it is needed in accordance with the purposes for which it was collected. This is typically no more than two years from collection, in line with DCMS’ retention policy, unless, for example, the law requires us to keep the information for longer, such as for a public inquiry.

Will my data be used for automated decision making or profiling?

No. We do not use your data for automated decision making or profiling.

Will my data be transferred outside the UK and if it is how will it be protected?

We will not send personal data beyond the European Economic Area (where it is protected by equivalent legal safeguards to those in the UK).

Understanding data protection rights

You have rights in relation to your personal data under the UK GDPR and the DPA 2018. To learn more about your rights and how to exercise them, please refer to our personal information charter and / or the Information Commissioner’s Office (ICO) website. The ICO is the supervisory authority for data protection legislation, and maintains a full explanation of these rights on their website

We will ensure that we uphold your rights when processing any of your personal data.

Our contact details

The contact details for the data controller’s Data Protection Officer (DPO) are:

Data Protection Officer
The Department for Digital, Culture, Media & Sport
100 Parliament Street
London
SW1A 2BQ

Email: dpo@dcms.gov.uk

If you’re unhappy with the way we have handled your personal data and want to make a complaint, please write to the department’s Data Protection Officer or the Data Protection Manager at the relevant agency. You can contact the department’s Data Protection Officer using the details above.

How to contact the Information Commissioner’s Office

If you believe that your personal data has been misused or mishandled, we would always hope that we can resolve the issue with you directly, using our contact information set out above. However, you may make a complaint to the Information Commissioner, who is an independent regulator and can be contacted as follows:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Website: www.ico.org.uk
Telephone: 0303 123 1113
Email: casework@ico.org.uk

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Changes to our privacy notice

We may make changes to this privacy policy. In that case, the ‘last updated’ date at the bottom of this page will also change. Any changes to this privacy policy will apply to you and your data immediately.

If these changes affect how your personal data is processed, we will take reasonable steps to let you know.

This notice was last updated on 16/03/2023.