AI cyber security training project: privacy notice
Published 6 March 2026
© Crown copyright 2026
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/ai-cyber-security-virtual-training-workshops-privacy-notice/ai-cyber-security-training-project-privacy-notice
AI Cyber Security Virtual Training Workshops: Privacy Notice
This notice sets out how we will process your personal data, and your rights. It is made under Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR).
The Department for Science, Innovation and Technology (DSIT) is responsible for conducting AI Cyber Security Virtual Training Workshops to increase knowledge and support adoption of ETSI’s AI security global standard, EN 304 223 and its training materials. DSIT has commissioned a third party, Frazer-Nash Consultancy, to conduct this project on its behalf.
DSIT is acting as the Data Controller for this project and Frazer-Nash Consultancy is acting as a Data Processor for DSIT.
1. Your data
We will process the following personal data:
- Name, job title, company name and contact details (including email address) of those participating in the workshops.
We may include details about the types of roles held by participants in the final published report, but we will not list names, contact details, company names or job titles.
2. Purpose
The purpose(s) for which we are processing your personal data is:
- to enable Frazer-Nash Consultancy to undertake the project on behalf of DSIT and to recontact participants if necessary to clarify or validate elements of survey responses linked to their participation in the workshops.
3. Legal basis of processing
The legal basis for processing your personal data under Article 6 of the UK GDPR is:
1(e)Public task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller – Frazer-Nash Consultancy may wish to recontact project participants to clarify or validate elements of survey responses linked to their participation in the workshops.
4. Recipients
Your personal data will be shared by us with Frazer-Nash Consultancy staff working on this project.
When summarising findings in the publishable report at the end of the project, we may refer to the types of roles held by interviewees, but we will not list details about any individuals’ job titles.
As part of our IT infrastructure, your personal data will be stored in the European Economic Area (EEA) on systems provided by our data processors: Microsoft, Equinix, and Amazon Web Services. This does not mean we actively share your personal data with these entities; rather, they are technical service providers who host infrastructure supporting our IT systems. Where your personal data is processed in the EEA, the following safeguards will be in place: UK Adequacy Regulations.
5. Retention
Your personal data will be kept by Frazer-Nash Consultancy for the duration of the project, which is expected to finish in May 2026. All personal data will be deleted by Frazer-Nash Consultancy after 15 months from the end of the project.
6. International transfers
Your personal data may be held in an encrypted form in a Western European Data Centre but will only be processed in its unencrypted form in the UK.
7. Your rights
You have the right to:
- request information about how your personal data are processed, and to request a copy of that personal data.
- request that any inaccuracies in your personal data are rectified without delay.
- request that any incomplete personal data are completed, including by means of a supplementary statement.
- the right to request that your personal data are erased if there is no longer a justification for them to be processed.
- the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.
- the right to object to the processing of your personal data
- the right to object to the processing of your personal data.
To exercise your rights please contact the Data Protection Officer using the contact details below.
8. Contact details
The data controller for your personal data is the Department for Science. Innovation and Technology (DSIT). You can contact the DSIT Data Protection Officer at:
DSIT Data Protection Officer
Department for Science, Innovation and Technology
22-26 Whitehall
London
SW1A 2EG
Email: dataprotection@dsit.gov.uk
If you are unhappy with the way we have handled your personal data, please write to the department’s Data Protection Officer in the first instance using the contact details above.
9. Complaints
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an UK independent regulator. The Information Commissioner can be contacted at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
https://ico.org.uk/make-a-complaint/
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
10. Updates to this notice
If this privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it, and under what circumstances we will share it with other parties. The ‘last updated’ date at the bottom of this page will also change.
If these changes affect how your personal data is processed, we will take reasonable steps to let you know.
Last updated: 4 March 2026