Privacy notice for the Software Security Code of Practice evaluation survey
Published 27 June 2025
© Crown copyright 2025
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/calls-for-evidence/evaluation-survey-for-the-software-security-code-of-practice/privacy-notice-for-the-software-security-code-of-practice-evaluation-survey
1. Who is collecting my data?
The Department for Science, Innovation and Technology (DSIT) drives innovation that will deliver improved public services, create new better-paid jobs and grow the economy.
DSIT is conducting the evaluation survey for the Software Security Code of Practice to enable the UK government to gather feedback on the Code and its supporting materials.
DSIT is the Data Controller for this evaluation survey.
Your data will be processed by our contracted survey platform provider Qualtrics. For the purposes of this activity, Qualtrics is a data processor, providing services under the instruction of DSIT.
2. Purpose of this privacy notice
This notice sets out how we will use your personal data.
This notice is provided within the context of the notice provided to meet the obligations as set out in Articles 13 and 14 of UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA).
3. Personal data we collect
The personal data we will collect from you directly from you, should you choose to provide it, includes:
-
Contact details (name, name of organisation, email address)
-
Job title
-
Organisation regional location
The survey platform Qualtrics will collect cookies, including your IP address. The full cookies policy from Qualtrics can be found here. You can adjust your cookie preferences on Qualtrics once you open the survey.
The survey provides for free-text answer fields. Do no enter any personal data into these answer fields. Any personal data entered in these answer fields will be deleted.
4. How we use your personal data
The purpose for which we are processing your personal data is to enable us to carry out our functions as a government department. This includes:
-
analysis of responses to the survey
-
to re-contact you regarding DSIT’s further monitoring and evaluation of the Software Security Code of Practice (if you provide contact details)
-
your IP address will be used to stop multiple responses and to make sure that the survey displays correctly.
Anonymised reporting of trends/answers submitted to the survey may be created and shared. This will not link back to you or any answers you submit.
5. Our legal basis
The legal basis for processing your personal data under Article 6 of the UK GDPR is:
Article 6 (1) (e) Public task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. This processing is necessary for the exercise of the functions of a government department (DPA Schedule 9, paragraph 5(d). This survey provides ministers and government officials with organisations’ views of the Software Security Code of Practice in order to inform future policy development.
6. Who your personal data will be shared with
If you provide them, your contact details may be shared with a third party outside of government acting on behalf of DSIT. This will be for the purposes of re-contacting you to engage with further evaluation of the Software Security Code of Practice. Any third party would be working under contract on behalf of DSIT, and use your personal data only for the purposes of re-contacting you for further research. You do not have to provide any personal data to participate in the survey and all questions are optional. This notice will be updated accordingly to reflect any such third parties.
Anonymised statistical data, drawn from survey results, may be shared with relevant governmental organisations, such as the National Cyber Security Centre, but the data shared would not include any personal or identifiable data.
As part of our IT infrastructure, your personal data will be stored on systems provided by our data processors - Microsoft and Amazon Web Services. This does not mean we actively share your personal data with these entities; rather, they are technical service providers who host infrastructure supporting our IT systems.
Your personal data will be processed by Qualtrics, however, we do not otherwise actively share your personal data with Qualtrics.
7. How long your personal data will be kept for
We will only retain your personal data for 3 years in line with DSIT retention policy, and will periodically verify with you the retained contact details for accuracy.
8. International transfers
Your personal data will be processed in the UK.
9. Will my data be used for automated decision making or profiling?
We will not use your data for any automated decision making.
10. Your rights
You have rights over your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). DSIT will ensure that it upholds your rights when processing your personal data.
You have the right to request information about how your personal data are processed, and to request a copy of that personal data.
You have the right to request that any inaccuracies in your personal data are rectified without delay.
You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement.
You have the right to request that your personal data are erased if there is no longer a justification for them to be processed.
You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.
You have the right to object to the processing of your personal data.
To exercise your rights please contact the Data Protection Officer using the contact details below.
11. Contact details
The data controller for your personal data is the Department for Science, Technology and Innovation. The contact details for the data controller’s Data Protection Officer (DPO) are:
DSIT Data Protection Officer
Department for Science, Innovation & Technology
22-26 Whitehall
London
SW1A 2EG
Email: dataprotection@dsit.gov.uk
If you are unhappy with the way we have handled your personal data and want to make a complaint or would like to exercise any of your rights in relation to your personal data, please write to the department’s Data Protection Officer at the relevant agency. You can contact the department’s Data Protection Officer using the details above.
12. Complaints
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an UK independent regulator. The Information Commissioner can be contacted at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
https://ico.org.uk/make-a-complaint/
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
13. Updates to this notice
If this privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it, and under what circumstances we will share it with other parties. The ‘last updated’ date at the bottom of this page will also change.
If these changes affect how your personal data is processed, we will take reasonable steps to let you know.
Last updated: 24/06/2025