National Security Online Information Team: privacy notice
Published 16 April 2024
© Crown copyright 2024
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/national-security-online-information-team-privacy-notice/national-security-online-information-team-privacy-notice
Department for Science, Innovation & Technology (DSIT) Privacy Notice for the National Security Online Information Team (NSOIT) – Open Source Information Collection and Analysis
The NSOIT leads the UK government’s operational response to information threats online, and ensures the government takes necessary steps to identify and respond to acute misinformation (i.e. incorrect or misleading information) and disinformation (i.e. information which is deliberately created to cause harm) in areas of public interest.
NSOIT is focused on the greatest risks to public safety and national security, which are agreed by ministers and regularly communicated to parliament.
While NSOIT does not actively collect personal data, NSOIT receives or processes some personal data in the course of its work. The purpose of this privacy notice is to explain how that personal data would be processed when we have not obtained personal data directly from you. It is provided to meet our obligations set out in Article 14 of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”) to make information publicly available about the way in which we process personal data.
You may also find it helpful to refer to our DSIT Personal Information Charter, which sets out how we may hold or use your personal information.
Who is responsible for collecting my data?
The NSOIT sits within the Department for Science, Innovation and Technology (DSIT) which is the data controller under UK GDPR for the personal information the team processes, unless otherwise stated.
What is the purpose for which we collect personal data?
The NSOIT’s work is focused on helping the government understand online mis and disinformation narratives and attempts to artificially manipulate the information environment. The NSOIT takes an evidence-based approach to countering harmful mis and disinformation online, through aggregated analysis of publicly available information, typically from social media websites, using internal and external tools.
Whilst this data is anonymised wherever possible, the content we review may incidentally include personal data (for example usernames, social media handles, contact information, or personal data embedded within comments or metadata) that may be embedded within material that you or others may have published on those sites. In some cases, such content may include special categories of personal data, such as political or philosophical opinions.
It is important to note we do not collect or review private online information (i.e. material that is not made available on a public page).
What is the legal basis for processing my data?
Personal data
Our legal reason for collecting or processing personal data is set out in Article 6(1)(e) of the UK GDPR as the processing is necessary for us in our work as a public body and in the public interest. In particular, the processing is necessary for the exercise of our function as the government department responsible for addressing disinformation online, as permitted under section 8(d) of the DPA 2018.
Special Category Data
The NSOIT does not seek to collect special categories of personal data, but we may incidentally process such data (for example, where it is included in social media posts). To the extent we do so, our legal reason for processing this information is that the processing is necessary for reasons of substantial public interest for the exercise of a function of a government department (article 9(2)(g) UK GDPR and paragraph 6 to Schedule 1 Part 2 of the DPA 2018). In this case there is substantial public interest in protecting the UK from harmful mis and disinformation which could adversely impact public safety or national security.
Who will personal data be shared with?
We may share our analysis with other government departments whose work is impacted by disinformation. Any insights we provide will generally be on an aggregated basis. Where specific content is shared, personal identifiers will be redacted where possible.
If any of the content the NSOIT reviews may infringe the moderation policies of the social media platforms from which the content derived, the NSOIT may notify the relevant platform. The information NSOIT shares with social media providers is limited to sending links to content of concern, or aggregated overarching trends. The platform will decide whether to take any action consistent with their policies.
We may use third-party data processors to support the work of NSOIT. In such cases data protection will be assured through contractual agreements and appropriate international transfer safeguards.
As part of our IT infrastructure, your personal data will be stored on systems provided by our data processors - Microsoft and Amazon Web Services. This does not mean we actively share your personal data with these entities; rather, they are technical service providers who host infrastructure supporting our IT systems.
Following a fair and open tender process, the NSOIT has appointed a third party, Crisp Thinking Limited, to help conduct analysis of social media platforms. Any access they may have to personal data will be strictly controlled in accordance with the requirements under UK GDPR.
How long will my data be held for?
We will only retain your personal data for as long as it is needed in accordance with the purposes for which it was collected. Where raw data samples are collected to generate narrative analysis either by DSIT or a third party, it will typically be held for a period of up to 3 months. The overall products and outputs of NSOIT will be held for no more than two years, in line with DSIT’s retention policy. NSOIT will anonymise data wherever possible when undertaking its analysis and producing its products and reports. There will be exceptions to the data retention periods set out above where, for example, the law requires us to keep the information for longer, such as for a public inquiry.
Will my data be used for automated decision making or profiling?
No. We do not use your data for automated decision making or profiling.
Will my data be transferred outside the UK and if it is how will it be protected?
Due to our use of third-party data processors, your personal data may be transferred outside the UK. Where we transfer personal data outside the UK, it will be subject to equivalent legal protection through an adequacy decision, the use of Standard Contractual Clauses or a UK International Data Transfer Agreement.
Understanding data protection rights
You have the right to request information about how your personal data are processed, and to request a copy of that personal data.
You have the right to request that any inaccuracies in your personal data are rectified without delay.
You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement.
You have the right to request that your personal data are erased if there is no longer a justification for them to be processed.
You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.
You have the right to object to the processing of your personal data where it is processed for direct marketing purposes.
You have the right to object to the processing of your personal data.
To exercise your rights please contact the Data Protection Officer using the contact details below.
Contact details
The data controller for your personal data is the Department for Science, Innovation and Technology (DSIT). You can contact the DSIT Data Protection Officer at:
DSIT Data Protection Officer
Department for Science, Innovation and Technology
22-26 Whitehall
London
SW1A 2EG
How to contact the Information Commissioner’s Office
If you believe that your personal data has been misused or mishandled, we would always hope that we can resolve the issue with you directly, using our contact information set out above. However, you may make a complaint to the Information Commissioner, who is an independent regulator and can be contacted as follows:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Email casework@ico.org.uk
Telephone 0303 123 1113
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
Changes to our privacy notice
If this privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it, and under what circumstances we will share it with other parties. The ‘last updated’ date at the bottom of this page will also change.
If these changes affect how your personal data is processed, we will take reasonable steps to let you know.
Last updated: 24 June 2024