Conformity Assessment Body Service: privacy notice
Published 10 October 2024
This notice sets out your rights and how we will process your personal data. It is made under Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR).
The Department for Science, Innovation and Technology (DSIT) is responsible for maintaining the UK digital identity and attributes trust framework (UK DIATF) conformity assessment scheme, and for managing applications to join the register of digital identity and attribute services. This notice sets out how we will process your personal data on our application service.
For the purposes of processing your personal data, DSIT is the data controller.
1. Your Data
We will process Conformity Assessment Body (CAB) employee details. This includes the following personal data:
- Details of employees using the service including name and email address.
How your personal data is collected:
We will collect the following personal data directly from Conformity Assessment Bodies (CAB):
- CAB employee contact details - this information will be collected when employees managing applications and issuing certificates create an account on the Conformity Assessment Body Service.
For the personal data you provide when submitting surveys, your data will be processed by our contracted survey platform provider Qualtrics. For the purposes of this activity, Qualtrics are a data processor, providing services under the instruction of DSIT.
Qualtrics privacy statement can be found here: https://www.qualtrics.com/privacy-statement/
Qualtrics cookie statement can be found here: https://www.qualtrics.com/cookie-statement/
2. Purpose
The purposes for which we are processing your personal data are:
- To create an account for you on the Conformity Assessment Body Service, which you will use to submit and manage applications from providers to join the register of digital identity and attribute services.
- To contact you about applications you have submitted.
- To notify you of updates to applications you have submitted.
- To assess survey responses to support the development of the register and ensure it meets user needs.
3. Legal basis of processing
The legal basis for processing your personal data under Article 6 of the UK GDPR is:
- 1(e) Public task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In this case, processing is necessary for maintaining the security and integrity of the register of digital identity and attribute services.
4. Recipients
Your personal data will be shared by us with:
- Microsoft and Amazon Web Services - as part of our IT infrastructure, your personal data will be stored on systems provided by our data processors. This does not mean we actively share your personal data with these entities; rather, they are technical service providers who host infrastructure supporting our IT systems.
- Integrated Corporate Services (DESNZ) - as your personal data will be processed on Amazon Web Services, it will be shared with Integrated Corporate Services who are responsible for deploying Amazon Web Services for the department and have infrastructure level access to the platform.
- Qualtrics - your data will be processed by, but not actively shared with, our contracted survey platform provider Qualtrics.
5. Retention
Your personal data will be kept by us until your account on the Conformity Assessment Body Service is deleted by DSIT. This will be deleted 1 to 5 working days after the conditions below are met. DSIT reserves the right to delete your account at any point in time. Your account will also be deleted in the following circumstances:
- If you make a request to have your account deleted.
- If you are no longer employed by your CAB.
- If your CAB is no longer approved to certify providers against the UK DIATF.
You have the right to object to the processing of your personal data.
You have the right to withdraw agreement to the processing of your personal data at any time. To do so, please contact the following email address: digital.identity.register@dsit.gov.uk
6. Automated decision making
Your personal data will not be subject to any automated decision making.
7. International transfers
Personal data will be stored on DSIT’s/DESNZ’s IT infrastructure, supported by Microsoft and Amazon Web Services. Personal data may therefore be processed in data centres outside of the UK but within the European Economic Area (EEA). The personal data will receive the same level of protection in the EEA as it does in the UK through the safeguard of Adequacy Decisions.
8. Your Rights
You have the right to request information about how your personal data are processed, and to request a copy of that personal data.
You have the right to request that any inaccuracies in your personal data are rectified without delay.
You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement.
You have the right to request that your personal data are erased if there is no longer a justification for them to be processed.
You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.
To exercise your rights please contact the Data Protection Officer using the contact details below.
9. Contact Details
The data controller for your personal data is the Department for Science, Innovation and Technology (DSIT). You can contact the DSIT Data Protection Officer at:
DSIT Data Protection Officer
Department for Science, Innovation & Technology
22-26 Whitehall
London
SW1A 2EG
Email: dataprotection@DSIT.gov.uk
If you are unhappy with the way we have handled your personal data, please write to the department’s Data Protection Officer in the first instance using the contact details above.
10. Complaints
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent UK regulator. The Information Commissioner can be contacted at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Website: Make a complaint
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
11. Updates to this notice
If this privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it, and under what circumstances we will share it with other parties. The ‘last updated’ date at the bottom of this page will also change.
If these changes affect how your personal data is processed, we will take reasonable steps to let you know.
Last update: 1 October 2024