Guidance

CDDO domain management privacy notice

Updated 26 May 2023

© Crown copyright 2023

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/gds-cross-government-domain-management-privacy-notice/gds-domain-management-privacy-notice

The Central Digital and Data Office (CDDO) is part of the Cabinet Office and provides Domain Management to:

  • support and protect domain names across government

  • reduce the risk of attack to services such as email, websites and digital services 

The data controller for CDDO is the Cabinet Office - a data controller determines how and why personal data can be processed. Read the Cabinet Office’s entry in the Data Protection Public Register for more information.

1. What data we collect from you

We aim to collect role-based email addresses wherever possible, as this avoids our collection of personal data, and means that more than one person in your team can monitor it.

In all other circumstances,  we are likely to collect the following personal data  which will include your:

  • name

  • work email address

  • work telephone number

  • organisation and role

We may also collect personal email and physical addresses included on WHOIS data.

We need to process personal data to perform a task carried out in the public interest.

The task in this case is to protect public sector domains, infrastructure and digital services.

When we record events that are held virtually, the legal basis for processing your data is your consent. The full consent process is managed on an event by event basis. However, if you do not want to be recorded during a virtual event, you can simply turn your camera or microphone off.

3. Why we need your data

We need your data so we can contact you regarding issues with your domains or associated services as part of our domain support services.

4. What we do with your data

We will store your data in an internal database linked to organisations and domains.

We will not:

  • sell or rent your data to third parties

  • share your data with third parties for marketing purposes

We will share your data if we’re required to do so by law - for example, by court order, or to prevent fraud or other crime. In some cases we might share your personal data with officials in other government departments or public bodies. This is to assist in the development of government policy, or for operational reasons.

How long we keep your data We will only keep your personal data for as long as:

  • the law requires us to

  • we need for the purposes listed above

We collect personal information such as emails and contact details in cases within our customer relationship management software. We hold cases for 7 years so that we can carry out analytics and keep track of any recurring issues. We will review whether the data still needs to be retained after 7 years.

If you ask us to remove your details from our live database we will do this within 28 days. We will ask you to provide an alternative contact to make sure that we always have a relevant contact. The process of removing your name completely may take at least 6 months due to information being stored in backups. However, we will retain information that was exchanged as part of our case records, such as emails.

In order to ensure domain related contacts stay current we will contact you every 6 months to confirm your details are still correct and you are still an active contact. 

5. Where your data is processed and stored

We design, build and run our systems to make sure that your data is as safe as possible at any stage, both while it’s processed and when it’s stored. 

In some cases we might share your personal data with officials in other government departments or public bodies. This is to assist in the development of government policy, or for operational reasons.

While your personal data is stored on our systems and shared with our data processors, it may be transferred and stored securely outside the UK. Where that is the case it will be subject to equivalent legal protection through the use of Standard Contract Clauses or Adequacy Decisions.

6. Who we share your data with 

As part of the domain management function we share your data with other government departments and public bodies including but not limited to:

  • the Cabinet Office

  • National Cyber Security Centre

We may also share some data with the .gov.uk registry operator Jisc and .gov.uk registrars.

To provide our services we share your data with data processors who provide us with contact management, online survey tools, email verification checks, email and helpdesk services.

How we protect your data and keep it secure

We’re committed to doing all that we can to keep your data secure. We set up systems and processes to prevent unauthorised access to, or disclosure of, the data we collect about you. For example, we protect your data using varying levels of encryption. All third parties that process personal data for CDDO are required to keep that data secure.

7. Your rights

You have the right to request:

  • information about how your personal data is processed

  • a copy of that personal data

  • that any inaccuracies in your personal data are corrected without delay

  • that any incomplete personal data is updated - you can include the missing information in your request

  • that your personal data is erased if there is no longer a justification for it to be processed

  • that the processing of your personal data is restricted in certain circumstances - for example, where accuracy is contested

If you gave your consent for us to collect and process your data, you have the right to:

  • withdraw your consent - this can be done at any time

  • request a copy of your personal data - this copy will be provided in a structured, commonly used and machine-readable format

8. Questions and complaints

Contact the GDS Privacy Office if you:

  • have any questions about anything in this document
  • think that your personal data has been misused or mishandled
  • want to make a subject access request (SAR)

The contact details for the data controller are: The Cabinet Office (Government Digital Service), The White Chapel Building, 10 Whitechapel High Street, London, E1 8QS, or gds-privacy-office@digital.cabinet-office.gov.uk.

The contact details for the data controller’s Data Protection Officer are: Stephen Jones, Data Protection Officer, Cabinet Office, 70 Whitehall, London, SW1A 2AS, or dpo@cabinetoffice.gov.uk.

The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, or 0303 123 1113, or casework@ico.org.uk.

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

9. Changes to this notice

We may change this privacy notice. When we make changes to this notice, the ‘last updated’ date at the top of this page will also change. Any changes to this privacy notice will apply to you and your data immediately. If these changes affect how your personal data is processed, CDDO will take reasonable steps to make sure you know.

Back to top