Guidance

GOV.UK Chat: privacy notice

Published 25 October 2023

© Crown copyright 2023

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/govuk-chat-privacy-notice/govuk-chat-privacy-notice

GOV.UK Chat is an experiment which is open to invited users only. It is provided by the Government Digital Service (GDS), which is part of the Cabinet Office. 

The data controller for GDS is the Cabinet Office. A data controller determines how and why personal data can be processed. Read the Cabinet Office’s entry in the Data Protection Public Register for more information. 

Mentions of ‘us’ and ‘we’ in this privacy notice refer to GDS. Cabinet Office is the independent controller for the GOV.UK Chat experiment.

1. Who this notice is for

This privacy notice is for people whose data is processed as part of providing GOV.UK Chat. 

This includes:

  • anyone who already has personal data published on GOV.UK 
  • users of GOV.UK Chat

2. What data we collect from you

GOV.UK Chat relies on GOV.UK content to answer questions users may have about government and our services. GOV.UK publishes a variety of personal data as determined by the government department publishing the content (you can check the GOV.UK privacy notice to find out how GOV.UK collects and uses your data). 

You may need to view the privacy notice for the department that is publishing your information to understand how and why they process and publish your personal data. We do not intend to use personal data to answer GOV.UK Chat queries. We process the personal data in order to filter and remove it from the database that GOV.UK Chat uses to generate answers. Filtering or removing is classed as processing.

The legal basis for the processing of personal data for GOV.UK Chat is that it’s in our legitimate interest to evaluate the emerging technology of large language models to improve how users interact with GOV.UK (according to Article 6(1)(f) of the UK GDPR legislation).

Some personal data published will be special category data. This is more sensitive, as defined by UK GDPR. We will process special category data on the legal basis that the processing is necessary for reasons of research in the public interest (according to paragraph 4, schedule 1, of the Data Protection Act 2018).

4. Why we need your data

GOV.UK Chat is designed to help users to navigate information on GOV.UK, similar to a search function. For GOV.UK Chat to provide answers to users it needs most of the data GOV.UK has to give the most accurate answer. 

Personal data exists across GOV.UK. It is not possible to provide GOV.UK Chat without considering all of GOV.UK first and then applying rules to remove pages that have a high chance of having personal data within them.

5. What we do with your data

GOV.UK Chat is a natural language interface. This means you are able to ask it a question and it provides a human-like response. GOV.UK Chat contains GOV.UK content and can answer questions relevant to information found on GOV.UK pages.

GOV.UK content includes pages that have gov.uk at the start of the URL, for example https://www.gov.uk/government/organisations/department-for-work-pensions. It does not include content created on a department’s own websites or data collected in their services. This can usually be noticed by the ‘gov.uk’ being at the end of the web address instead of the start, for example, https://careers.dwp.gov.uk/. This means personal data you enter to use government services, for example to get your driving licence with DVLA or a passport with HMPO, is not used by GDS for GOV.UK Chat.

GOV.UK sometimes publishes personal data for various legal reasons depending on the department publishing the information. If your personal data is published on GOV.UK, it is processed as part of GOV.UK Chat. GOV.UK Chat does not intend to produce answers that contain the personal data that is held on GOV.UK and, for this reason, the tool is designed to remove pages that likely have personal data from its database. When you ask GOV.UK Chat a question, it should only search for the GOV.UK pages that do not contain personal data.

GOV.UK pages with personal data are filtered out at the earliest stage of processing so they are not included in question responses. When a user asks GOV.UK Chat a question, the remaining GOV.UK pages without personal data are searched and ones related to the question are sent with the question to our third party provider, OpenAI. When OpenAI receives the question, it uses the GOV.UK content it has been sent to create an answer to the question that is written in a human-like response.

If a user types personal data into their question, it will be sent to OpenAI.

We will not:

  • sell or rent your data to third parties
  • share your data with third parties for marketing purposes

We will share your data if we’re required to do so by law - for example, by court order, or to prevent fraud or other crime.

If you are a participant in the user research phase of GOV.UK Chat you can find out how your data is processed.

6. How long we keep your data

We will only keep your personal data for as long as:

  • the law requires us to
  • we need for the purposes listed above

Personal data is filtered, so it is not held in the database that holds GOV.UK content which is sent to our processor to create an answer. The database is refreshed every day to ensure up-to-date GOV.UK data is being searched.

Chat history is held by GDS for 1 year in order to enable us to evaluate for accuracy and monitor the system. Questions and relevant GOV.UK content sent to OpenAI’s API are stored by OpenAI for a duration of up to 30 days for the purpose of monitoring potential misuse or abuse. After 30 days, the data is deleted, except in cases where OpenAI is required by law not to do so. Find out more about OpenAI’s data retention policy.

7. Where your data is processed and stored

Data sent to OpenAI for processing happens in the United States.

As your personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the UK. Where that is the case, it will be subject to equivalent legal protection through an adequacy decision. This is reliant on Standard Contractual Clauses or a UK International Data Transfer Agreement.

8. Who we share your data with

GOV.UK Chat sends the search query and related GOV.UK content to OpenAI, who provide us with Large Language Model (LLM) services. The LLM enables OpenAI to convert and condense the GOV.UK content into a human-like written response to the question.

9. How we protect your data and keep it secure

We are committed to doing all that we can to keep your data secure. We set up systems and processes to prevent unauthorised access to or disclosure of the data we collect about you – for example, we protect your data using varying levels of encryption. All third parties that process personal data for GDS are required to keep that data secure.

10. Children’s privacy protection

We do not design or promote services for children who are 13 years of age or younger, and we do not intentionally collect or keep data about anyone under the age of 13.

11. Your rights

You have the right to request:

  • information about how your personal data is processed, and to request a copy of that personal data
  • that any inaccuracies in your personal data are rectified without delay
  • that any incomplete personal data is updated - you can include the missing information in your request
  • that your personal data is erased if there is no longer a justification for it to be processed
  • that the processing of your personal data is restricted in certain circumstances - for example, where accuracy is contested 
  • that you object to the processing of your personal data 

12. Questions and complaints

Contact the GDS Privacy Office if you:

  • have any questions about anything in this document
  • think that your personal data has been misused or mishandled
  • want to make a subject access request (SAR)

The contact details for the data controller are: Cabinet Office (Government Digital Service), The White Chapel Building, 10 Whitechapel High Street, London, E1 8QS, or gds-privacy-office@digital.cabinet-office.gov.uk.

The contact details for the data controller’s Data Protection Officer are: dpo@cabinetoffice.gov.uk.

The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, or 0303 123 1113, or icocasework@ico.org.uk

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

13. Changes to this notice

We may change this privacy notice. When we make changes to this notice, the ‘last updated’ date at the top of this page will also change. Any changes to this privacy notice will apply to you and your data immediately. If these changes affect how your personal data is processed, GDS will take reasonable steps to make sure you know.

Back to top