Guidance

Communicating with GDS and CDDO privacy notice

Published 28 February 2019

This notice describes:

• how we process personal data of specific people who get in contact or communicate and collaborate with the Government Digital Service (GDS) and Central Digital and Data Office (CDDO) in an official capacity
• when that happens and why
• the rights these individuals have according to the General Data Protection Regulation (GDPR)

When we process personal data for communications and collaboration

Every day we communicate and collaborate with people working for other organisations. In some cases we collect, hold and use their personal information. This happens when we get in contact with:

• suppliers about their services
• individuals to inform them, or seek their views, about departmental policies or proposals outside of a formal consultation process
• customers or clients about services provided to them by the Government Digital Service
• officials in other departments or public bodies, national or international, to discuss and collaborate on policy proposals or development, communications activity, or operational matters
• private companies and individuals, to discuss policy proposals or development, communications activity, or operational matters

The personal data we process

We process the following personal data:

• name
• address
• email address
• job title
• phone number
• signature
• employer

The information may include your opinions if you provide them.

If we communicate with you via video conference or virtual collaboration platforms, the information may also include your image or voice.

Where we use our suppliers to provide video conferencing and online collaboration tools, the information may also include IP address and session data. You can refer to the privacy policies of the suppliers when accessing their tools for more information.

Recording the communication and collaboration

If the collaboration is virtual (via video conference or online collaboration platform), we may record it. When this happens, we will inform you in the invitation to the session that recording will take place, and again at the start of the session before recording begins. The full consent process for recording virtual events is managed on an event by event basis.

The legal basis for processing your personal data

We need to process personal data to perform a task carried out in the public interest in the exercise of our official authority. The tasks in this case are:

• developing government policies
• managing the department’s functions internally and externally, such as collaboration with other government departments

When we record events that are held virtually, the legal basis for processing your data is your consent. The full consent process is managed on an event by event basis. However, if you do not want to be recorded during a virtual event, you can simply turn your camera or microphone off.

Who we share your data with

In some cases we might share your personal data with officials in other government departments or public bodies. This is to assist in the development of government policy, or for operational reasons.

As your personal data will be stored on our IT systems, it will also be shared with our data processors who provide email, document management and storage services. Where we use suppliers to provide virtual collaboration tools, your data is also shared with them.

While your personal data is stored on our systems and shared with our data processors and service partners, it may be transferred and stored securely outside the UK. Where that is the case it will be subject to equivalent legal protection through the use of Standard Contract Clauses or Adequacy Decisions.

How long we keep your personal data for

We will only keep your personal data:

• for as long as necessary for the purpose it was obtained
• if you are still working in the role relating to our contact with you

As a contact for a piece of work, we may contact you where a work matter requires your input. Once you leave the role, we will update or delete the information we hold about you. This will take place at least once a year.

Your rights

You have the right to request:

• information about how your personal data is processed
• a copy of your personal data
• that we correct any inaccuracies in your personal data are rectified without delay
• that any incomplete personal data is updated - you can include the missing information in your request
• that your personal data is erased if there is no longer a justification for the data to be processed
• in certain circumstances (for example, where accuracy is contested), that the processing of your personal data is restricted

If you have any of these requests, contact the GDS Privacy Team.

Questions and complaints

Contact the GDS Privacy Team if you:

• have any questions about anything in this document
• think that your personal data has been misused or mishandled
• want to make a subject access request (SARS)

Email: gds-privacy-office@digital.cabinet-office.gov.uk

The data controller for your personal data is the Cabinet Office. The contact details for our Data Protection Officer are:

Data Protection Officer

Cabinet Office
70 Whitehall
London
SW1A 2AS

Email DPO@cabinetoffice.gov.uk

If you have a complaint, you can also contact the Information Commissioner, who is an independent regulator set up to uphold information rights.

Information Commissioner's Office

Email icocasework@ico.org.uk

Contact form https://ico.org.uk/glo...

Telephone 0303 123 1113

Textphone 01625 545 860

Changes to this privacy notice

We may change this privacy notice. If these changes affect how your personal data is processed, we will take reasonable steps to let you know.