Guidance

IT secure platform privacy notice

Updated 2 October 2025

© Crown copyright 2025

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/government-digital-service-it-platform-privacy-notice/it-secure-platform-privacy-notice

This privacy notice is for the Government Digital Service (GDS), part of the Department for Science, Innovation and Technology (DSIT). It covers how to how we handle your personal data for use of our IT platform and operating system.

The data controller is DSIT, as the parent organisation for GDS. A data controller determines how and why personal data is processed.  Read DSIT’s registration details with the Information Commissioner’s Office for more information.

Why we need your data

We process your personal data in order to:

  • provide a secure IT platform and operating system so that staff can do their jobs
  • set up and remove user accounts
  • test and pilot new technology to develop, expand or upgrade the platform
  • monitor the system for potential abuses of the ICT Acceptable Usage Policy, or for fraudulent or criminal activity
  • monitor threats to the system, identifying and fixing technical issues, and identifying and tackling cyber security risks
  • support the GDS threat intelligence team in producing daily, weekly and monthly threat updates for staff by creating algorithms and programs that help us spot problem accounts and take remedial activities to support our systems
  • compile anonymised office occupancy statistics and report on overall numbers of staff attending GDS and DSIT locations, in order to monitor overall office usage and help inform GDS and DSIT’s future estates strategy
  • support our use of Gemini and Copilot services

What data we collect from you

We process the following personal data on the IT platform:

  • name
  • home address, for sending and retrieving IT kits
  • job title
  • email addresses
  • telephone numbers
  • office location and team membership
  • web access logs and records of usage of the system including all emails
  • IP address and geolocation
  • telemetry data – this is metadata of how the IT device is operating, for example, the list and versions of the software installed, or the time and date of when a file was downloaded and the size of the file
  • devices and operating systems used – our operating systems are Google and Microsoft Office 365
  • software required, including accessibility software

The legal basis for processing your personal data is legitimate interest.

Our legitimate interest relates to monitoring threats to the system, identifying and fixing technical issues, and identifying and tracking cyber security risks. This is necessary to maintain the integrity of our IT system and the continuity of our business.

It’s also necessary for the performance of your employment contract or contract for services.

Who we share your data with

As part of communications between government departments, we share your personal data with data processors who provide us with a collaboration service and IT software that underpin the IT infrastructure and services. These data processors provide cybersecurity, email, and document management and storage services.

We share your data internally between GDS and DSIT Integrated Corporate Services (ICS) and Cabinet Office for support in delivering the service.

How long we keep your data

Your personal data will be kept for as long as you are in a role where you use the secure IT platform. Once you leave that role, the information will be deleted when the local records are updated. This will be at least once a year.

For senior leaders, such as ministers and senior civil servants (SCS), personal data may be retained in support of public inquiries or in line with the Public Records Act (or other applicable legislation) where they may be of historical interest.

Subsystems within the OFFICIAL IT retain and erase data automatically based on the purpose of the function. For example, retention of technical data to enable security detection and response. These systems may retain technical data after your account has been deleted, but such technical data will be automatically deleted when no longer required for security management.

Your rights

You have the right:

  • to request information about how your personal data is processed, and to request a copy of that personal data
  • to request that any inaccuracies in your personal data are rectified without delay
  • to request that any incomplete personal data is completed, including by means of a supplementary statement
  • to request that your personal data is erased if there is no longer a justification for them to be processed
  • in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted
  • to request a copy of any personal data you have provided, and for this to be provided in a structured, commonly used and machine-readable format

Where your data is stored

Your data is stored in our internal IT systems, which are provided by Google and Microsoft Office 365.

As your personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the European Union. Where that is the case it will be subject to equivalent legal protection through the use of Model Contract Clauses.

We also design, build and run our systems to make sure that your data is as safe as possible at every stage, both while it’s processed and when it’s stored.

Changes to this notice

We may change this privacy notice. When we make changes to this notice, the ‘last updated’ date at the top of this page will also change. Any changes to this privacy notice will apply to you and your data immediately. If these changes affect how your personal data is processed, GDS will take reasonable steps to make sure you know.

Questions and complaints

Contact the GDS Data Protection Team if you:

  • have any questions about anything in this document
  • think that your personal data has been misused or mishandled
  • want to make a subject access request (SARS)

GDS Data Protection Team
gds.data.protection@dsit.gov.uk

The contact details for our Data Protection Officer are:

Data Protection Officer
dataprotection@dsit.gov.uk

You can also complain to the Information Commissioner, who is an independent regulator.

Information Commissioner's Office

Email icocasework@ico.org.uk

Telephone 0303 123 1113

Textphone 01625 545 860

Back to top