Research and analysis

DSIT privacy notice for the cyber security breaches survey 2024

Updated 14 September 2023

© Crown copyright 2023

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/cyber-security-breaches-survey/dcms-privacy-notice-for-the-cyber-security-breaches-survey-2023

1. Who is collecting my data?

The Department for Science, Innovation and Technology (DSIT) helps to drive innovation that will deliver improved public services, create new better-paid jobs and grow the economy.

The Cyber Security Breaches Survey is commissioned by the DSIT (“we” and “us“, “DSIT“) and is sponsored by the Home Office. DSIT is the Controller for the personal information we process as part of this survey.

2. Purpose of this Privacy Notice

This notice is provided within the context of the notice provided to meet the obligations as set out in Article 13 (this sets out the info we have to provide where the data is received directly from the data subject). Article 13 of UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA). This notice sets out how we will use your personal data as part of our legal obligations with regard to Data Protection.

The Department for Science, Innovation and Technology’s personal information charter (opens in a new tab) explains how we deal with your information. It also explains how you can ask to view, change or remove your information from our records.

3. Privacy policies of other websites

For further information on how DSIT processes personal data, please refer to the personal information charter (opens in a new tab).

4. What is personal data?

Personal data is any information relating to an identified or identifiable natural living person, otherwise known as a ‘data subject’. A data subject is someone who can be recognised, directly or indirectly, by information such as a name, an identification number, location data, an online identifier, or data relating to their physical, physiological, genetic, mental, economic, cultural, or social identity. These types of identifying information are known as ‘personal data’. Data protection law applies to the processing of personal data, including its collection, use and storage.

5. What personal data do we collect?

For the Cyber Security Breaches Survey 2024, Ipsos, on behalf of DSIT, has obtained information relating to business organisations from the Market Location database. The Market Location database is a list of businesses compiled from a mix of public business directories, Companies House data, and call centre activity. The Market Location database is a commercial database that is regularly updated.

Information on how Market Location collects this data can be found on their website.

Whilst much of this data is business in nature, some of this data may be personal information. The personal data relates to:

  • Contact name and job title within the business where available.

If you are registered on one of the following websites as a charity or state education body, Ipsos have collected your personal data from one of these websites in order to invite your organisation to take part in the Cyber Security Breaches survey, on behalf of DSIT.

This notice only refers to your personal data (e.g. your name, email address, and anything that could be used to identify you personally) not the content of your responses to the survey.

6. How will we use your data?

We use personal information to enable us to carry out our functions as a government department. Your personal data is being collected as an essential part of the research process, so that we can contact you for the purpose of the Cyber Security Breaches Survey 2024.

To process this personal data, our legal reason for collecting or processing this data is: Article 6(1)

  1. it is necessary to perform a public task (to carry out a public function or exercise powers set out in law, or to perform a specific task in the public interest that is set out in law)

8. What will happen if I do not provide this data?

The data for businesses is held in the Market Location Database, which is a list of UK businesses maintained by Market Location for commercial purposes. This information is provided to us by Market Location, so please see their privacy notice for details.

The data for charity and schools was obtained from the databases as detailed above. This information on charities and schools is publicly available.

9. Who will your data be shared with?

Ipsos will access the Market Location Database to allow them to contact UK businesses to conduct the Cyber Security Breaches Survey 2024, on behalf of DSIT. Interviews are scheduled to run from September 2023 to February 2024. DSIT will not have access to any personal data.

10. How long will my data be held for?

Ipsos will securely remove any personal data from their systems by 31 March 2024, once this research is complete. DSIT will ensure that this data has been deleted securely.

11. Will my data be used for automated decision making or profiling?

We will not use your data for any automated decision making.

12. Will my data be transferred outside the UK and if it is how will it be protected?

We will not send your data beyond the European Economic Area.

Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices of the other websites you visit.

14. What are your data protection rights?

You have rights over your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). The Information Commissioner’s Office (ICO) is the supervisory authority for data protection legislation, and maintains a full explanation of these rights on their website

DSIT will ensure that it upholds your rights when processing your personal data.

15. How do I complain?

Emma Johns
The Department for Science, Innovation and Technology
100 Parliament Street
London
SW1A 2BQ

Email: emma.johns@dsit.gov.uk

The contact details for the data controller’s Data Protection Officer (DPO) are:

DSIT Data Protection Officer
Department for Science, Innovation and Technology
Victoria Street
London
SW1H 0ET

Email: dataprotection@energysecurity.gov.uk

If you’re unhappy with the way we have handled your personal data and want to make a complaint, please write to the department’s Data Protection Officer or the Data Protection Manager at the relevant agency. You can contact the department’s Data Protection Officer using the details above.

16. How to contact the Information Commissioner’s Office

If you believe that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. You may also contact them to seek independent advice about data protection, privacy and data sharing.

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Website: www.ico.org.uk

Telephone: 0303 123 1113

Email: casework@ico.org.uk

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

17. Changes to our privacy notice

We may make changes to this privacy policy. In that case, the ‘last updated’ date at the bottom of this page will also change. Any changes to this privacy policy will apply to you and your data immediately.

If these changes affect how your personal data is processed, DSIT will take reasonable steps to let you know.

This notice was last updated on 14/09/2023.

Back to top