Guidance

Privacy Notice

Updated 17 April 2024

This notice sets out how Building Digital UK will use your personal data, and your rights. It is made under Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR).

1. Who is collecting my data?

Building Digital UK (BDUK) is helping to bring fast and reliable broadband and mobile coverage to hard-to-reach places across the UK, transforming people’s lives.

BDUK is an Executive Agency, sponsored by the Department for Science, Innovation and Technology.

The Department for Science, Innovation and Technology’s personal information charter explains how we deal with your information. It also explains how you can ask to view, change or remove your information from our records.

This website (“Website“) is run by the Department for Science, Innovation and Technology (“we” and “us“, “DSIT“). DSIT is the controller for the personal information we process, unless otherwise stated.

2. What personal data do we collect?

2.1 Voucher beneficiaries

Most of the personal information we collect and process is provided to us directly from suppliers when you approach them to request a voucher. Any other information we hold will be provided by you. This includes:

• personal identifiers and contacts (name, contact details – phone number, email address, postal address)

2.2 Suppliers and local bodies

Personal information held about suppliers will be provided by the organisation that you work for or represent. This will include:

• personal identifiers and contacts (name, contact details – phone number, email address, postal address)
• we ask suppliers to provide photographic ID for the company director

3. How will we use your data?

We use personal information for a wide range of purposes, to enable us to carry out our functions as a government department. This includes:

• operating and administering the Scheme effectively, through functions such as verifying the use of vouchers, determining eligibility for the Scheme (based on location, inclusiveness in other funding options and connection speeds)
• to report on the effectiveness of the Scheme to local and central governments
• to report on the activity of DSIT within a certain jurisdiction to the relevant local authorities

4. What is the legal basis for processing my data?

The legal basis for processing your personal data is:

• public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller

The lawful basis that we rely on to process your personal data will determine which of the following rights are available to you. Much of the processing we do in DSIT will be necessary to meet our legal obligations or to perform a public task. If we hold personal data about you in different parts of DSIT for different purposes, then the legal basis we rely on in each case may not be the same.

5. What will happen if I do not provide this data?

You will not be able to participate in the scheme.

6. Who will your data be shared with?

We may share this information with:

Suppliers – third party audit teams, Zendesk, Pega, Softserve, Aaseya.

Beneficiaries – BDUK Vouchers team, local bodies, third party audit teams, third party beneficiary verification services such as Experian, Zendesk, Pega, Softserve and Aaseya.

We will share your personal data with third parties where:

• it is required or allowed by law
• it is in the public interest to do so, including in relation to fraud prevention considerations
• you authorise us to do so
• it is necessary for the performance of our functions as a government department, including in relation to sharing information with other UK government departments and agencies
• we will also share your personal data with the police and other law enforcement agencies where it is necessary to do so for the prevention, investigation, detection or prosecution of criminal offences, and other regulatory authorities when it is necessary for the purposes of their regulatory functions

As your personal data will be stored on our IT infrastructure it will also be shared with our data processors Microsoft, Amazon Web Services.

7. How long will my data be held for?

Personal data is retained in accordance with the DSIT retention and disposal policy. We aim to retain your personal information for only as long as it is necessary for us to do so for the purposes for which we are using it and in line with our retention and disposal policy. ~

In some circumstances we will anonymise your personal information so that it can no longer be associated with you, in which case we will use such information without further notice to you. Your personal data will be kept by us for up to 10 years.

8. Will my data be used for automated decision making or profiling?

We will not use your data for any automated decision making.

9. Will my data be transferred outside the UK and if it is how will it be protected?

As your personal data is stored on our IT infrastructure and shared with our data processors Microsoft and Amazon Web Services, it may be transferred and stored securely in the UK and European Economic Area. Where your personal data is stored outside the UK and EEA it will be subject to equivalent legal protection through the use of Standard Contract Clauses.

10. What are your data protection rights?

You have rights over your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). The Information Commissioner’s Office (ICO) is the supervisory authority for data protection legislation, and maintains a full explanation of these rights on their website.

You have the right to:

• request information about how your personal data are processed, and to request a copy of that personal data
• request that any inaccuracies in your personal data are rectified without delay
• request that any incomplete personal data are completed, including by means of a supplementary statement
• request that your personal data are erased if there is no longer a justification for them to be processed
• in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted
• object to the processing of your personal data where it is processed for direct marketing purposes
• object to the processing of your personal data

If you would like to exercise these rights, please contact;

Data Protection Lead,
Building Digital UK
Bloc 17
Marble Street
Manchester
M2 3AW
Email: dataprotection@bduk.gov.uk

11. How do I complain?

If you’re unhappy with the way we have handled your personal data and want to make a complaint, please write to the department’s Data Protection Officer and/or the data controller’s Data Protection Lead in Building Digital UK. ~

You can contact the DSIT Data Protection Officer at:

DSIT Data Protection Officer
Department for Science, Innovation and Technology
22-26 Whitehall
London
SW1A 2EG

Email dataprotection@dsit.gov.uk

12. How to contact the Information Commissioner’s Office

If you believe that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. You may also contact them to seek independent advice about data protection, privacy and data sharing.

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Website: www.ico.org.uk
Telephone: 0303 123 1113
Email: casework@ico.org.uk

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

13. Changes to our privacy notice

If this privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it, and under what circumstances we will share it with other parties. The ‘last updated’ date at the bottom of this page will also change.

If these changes affect how your personal data is processed, we will take reasonable steps to let you know.