Counter-Disinformation Data Platform: privacy notice
Published 16 March 2023
© Crown copyright 2023
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/counter-disinformation-data-platform-privacy-notice/counter-disinformation-data-platform-privacy-notice
The purpose of this notice is to set out how we collect and process personal data in relation to Counter-Disinformation Data Platform (‘CDDP’) which is a prototype initially developed by the Department of Digital, Culture, Media and Sport and now being developed by the Department for Science, Innovation & Technology (“DSIT”).
The platform does not intend to collect personal data, however in the unlikely event that the CDDP collects personal data indirectly, the purpose of this privacy notice is to explain how that personal data would be handled. In this event, this notice is provided to meet the obligations set out in Article 14 of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA”) to provide transparency in the way in which we process personal data.
You may also find it helpful to refer to our overarching personal information charter (opens in a new tab), which sets out the standards you can expect when we collect, hold or use your personal information.
Overview of the Counter-Disinformation Data Platform (CDDP)
The CDDP is a prototype being developed to improve counter-disinformation capability across government, enabling relevant government departments to understand online misinformation (incorrect or misleading information) and disinformation (information which is deliberately created to cause harm) that risks potential harm or poses a threat to the UK in areas of public interest. It has been developed to support and coordinate the work of multiple teams across the UK Government and enhance their understanding of online disinformation and manipulation.
The CDDP works by analysing publicly available data to enable analysts to identify and monitor disinformation narratives, understand the behaviours and techniques that are amplifying them, and identify attempts to artificially manipulate the information environment.
Who is responsible for collecting data?
The CDDP is operated by DSIT to support the UK Government’s efforts to counter disinformation online. The CDDP aims to improve cross-government disinformation analysis capabilities allowing the UK to better understand and mitigate the potential threats posed by disinformation.
For the purposes of the UK GDPR, DSIT is the controller for any personal information processed, unless otherwise stated.
What is the purpose for which DSIT collect personal data?
To help us analyse the disinformation threats online, we collect content from publicly available social media platforms. The purpose of our work is to conduct an evidence-based approach to countering harmful disinformation online, through aggregated analysis of publicly available information on social media sites. We can generally achieve our purpose without processing personal data, but the content we review may include the names and opinions of individuals. It may also incidentally include personal data that may be embedded within material that you or others may have published on those sites (for example usernames, social media handles, contact information, personal data embedded within comments or metadata). In some cases, this may include special categories of personal data such as political or philosophical opinions. See What is the legal basis for processing data below for more information.
It is important to note:
- we have adopted a number of measures to limit the personal data we hold about individuals, for example measures to remove personal data from data inputs wherever possible
- we do not collect or review private online information (material that is not made available on a public page)
What is the legal basis for processing data?
Personal Data
Our legal reason for collecting or processing personal data is set out in Article 6(1)(e) of the UK GDPR as the processing is necessary for us in our work as a public body and in the public interest. In particular, the processing is necessary for the exercise of our function as the government department responsible for addressing disinformation online, as permitted under section 8(d) of the Data Protection Act 2018.
Special Category Data
The CDDP does not seek to collect special categories of personal data but we may do so incidentally (for example, where it is included in social media posts). To the extent that we do so, our legal reason for processing this information is that the processing is necessary for reasons of substantial public interest for the exercise of a function of a government department (article 9(2)(g) UK GDPR and paragraph 6 to Schedule 1 Part 2 of the Data Protection Act 2018). In this case there is substantial public interest in protecting the UK from harmful mis and disinformation which could adversely impact public safety or national security.
Who will personal data be shared with?
We may share our analysis with other government departments whose departmental responsibilities include countering disinformation or impacted policy areas, in order for them to better understand the threat landscape. Any insights we provide will generally be on an aggregated basis. Where content is shared, measures are taken to minimise inclusion of any personal data.
We contract service providers to help us develop the CDDP . Any access they may have to personal data is strictly controlled in accordance with the requirements under UK GDPR to ensure they only process personal data to our instruction and implement appropriate technical and organisational measures to protect the security and confidentiality of information.
How long will data be held for?
We will only retain personal data for as long as it is needed in accordance with the purposes for which it was collected. This is usually no more than three months from collection. However, there may be exceptional circumstances in which data is kept up to 2 years from collection in line with DSIT’s retention policy, unless, for example, the law requires us to keep the information for longer such as for a public inquiry.
Will data be used for automated decision making or profiling?
No. We do not use your data for automated decision making, or profiling.
Will data be transferred outside the UK and if it is how will it be protected?
As your personal data is stored on DSIT IT infrastructure and shared with our data processors, Microsoft and Amazon Web Services, it may be transferred and stored securely outside the UK. Where that is the case, it will be subject to equivalent legal protection through an adequacy decision, the use of Standard Contractual Clauses or a UK International Data Transfer Agreement.
Understanding data protection rights
You have the right to request information about how your personal data are processed, and to request a copy of that personal data.
You have the right to request that any inaccuracies in your personal data are rectified without delay.
You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement.
You have the right to request that your personal data are erased if there is no longer a justification for them to be processed.
You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.
You have the right to object to the processing of your personal data where it is processed for direct marketing purposes.
You have the right to object to the processing of your personal data.
To exercise your rights please contact the Data Protection Officer using the contact details below.
We will ensure that we uphold your rights when processing any of your personal data.
Our contact details
The data controller for your personal data is the Department for Science. Innovation and Technology (DSIT). You can contact the DSIT Data Protection Officer at:
DSIT Data Protection Officer
Department for Science, Innovation and Technology
22-26 Whitehall
London
SW1A 2EG
If you’re unhappy with the way we have handled your personal data and want to make a complaint, please write to the department’s Data Protection Officer or the Data Protection Manager at the relevant agency. You can contact the department’s Data Protection Officer using the details above.
How to contact the Information Commissioner’s Office
If you believe that your personal data has been misused or mishandled, we would always hope that we can resolve the issue with you directly, using our contact information set out above. However, you may make a complaint to the Information Commissioner, who is an independent regulator and can be contacted as follows:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Website: www.ico.org.uk
Telephone: 0303 123 1113
Email: casework@ico.org.uk
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
Changes to our privacy notice
If this privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it, and under what circumstances we will share it with other parties. The ‘last updated’ date at the bottom of this page will also change.
If these changes affect how your personal data is processed, we will take reasonable steps to let you know.
This notice was last updated on 9 May 2024.