Guidance

GovFlex Pilot Data Privacy Notice

Updated 10 October 2025

1. Data Privacy Notice: GovFlex pilot

Published: October 2025

1.1 Overview and who we are

This privacy notice explains how the Government Property Agency (GPA) collects, uses, and protects your personal data when you use the GovFlex pilot service.

The GPA is an executive agency of the Cabinet Office. We are the Data Controller for the personal information we process for the GovFlex pilot. This means we are responsible for deciding how your personal data is used and for ensuring it is protected.

This notice should be read in conjunction with the main GPA Data Privacy Notice.

1.2 What personal data we collect

To provide the GovFlex service and manage your bookings, we will collect the following personal data:

• Full Name
• Work Email Address

We will also collect the following additional data:

• Employing government department (e.g. Home Office, DfE)
• Job title
• Security clearance level (to the extent required for building access, e.g. CTC)
• Booking details (date and time of your requested booking)
• Accessibility and evacuation needs (if you choose to provide this information, such as details of a Personal Emergency Evacuation Plan (PEEP), so we can ensure your safety).

We will also gather data on service usage, such as booking frequency and departmental uptake. This data will be anonymised for reporting purposes.

1.3 Why we collect your personal data (Our purpose)

We process your personal data for the following specific purposes:

• To manage your bookings: To process your requests for touchdown space, confirm your booking, and manage the availability of desks.
• To ensure building security: To share necessary details with our partners at the Department for Education (who manage the St Paul’s Place building) to grant you secure access to the building for the day of your booking.
• To communicate with you: To send you booking confirmations and important information about your visit.
• To ensure your health and safety: To make necessary arrangements to support your accessibility or emergency evacuation needs while you are in the building.
• To evaluate the Pilot service: To monitor overall usage patterns, demand, and user behaviour. This is crucial for gathering the data needed to evaluate the success of the pilot and build a business case for a potential national rollout. This monitoring is to understand service demand, not to track individual employees’ movements or performance. Data used for reporting purposes will be anonymised. 
• To gather your feedback: We may use your contact details to invite you to complete a post-visit survey to help us improve the service.

1.4 Our Lawful Basis for processing your data

Under the UK General Data Protection Regulation (UK GDPR), our legal basis for processing your personal data is:

• Public Task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of our official authority as a government agency providing workplace services to the Civil Service.

Where we process special category data, such as health information related to a PEEP, our legal basis is substantial public interest and to ensure your health and safety.

1.5 Who we may share your data with

We will only share your personal data where necessary and in line with data protection laws. For the GovFlex pilot, this includes:

• The Department for Education (DfE): As our partner and the operator of the St Paul’s Place building, we will share your name, department, and booking details with their facilities and security teams to arrange building access.
• Internal GPA teams: Relevant operational teams within the GPA who are responsible for managing the GovFlex service.
• Your employing department: In cases of suspected misuse of the service (such as repeated non-attendance after booking, or behaviour that contravenes building or departmental policies), we may share necessary details of your booking and usage with your home department to ensure the fair and proper use of this shared government resource.
• Aggregated data sharing: We will share anonymised, aggregated statistical data about service usage with participating departments (Home Office, DfE, DWP, Cabinet Office, MHCLG) and GPA leadership to report on the pilot’s performance. No personally identifiable information will be included in these reports.

1.6 How long we keep your data

We will only keep your personal data for as long as it is needed for the purposes set out in this notice. Personal data related to bookings will be retained for the duration of the pilot (ending March 2026) plus a further three months for final analysis and reporting. After this period, all personally identifiable data will be securely destroyed.

1.7 How we protect your data

We are committed to keeping your data secure. We have systems and processes in place to prevent unauthorised access or disclosure. Any third parties we deal with, such as DfE, are required to keep your data secure and in line with data protection legislation.

1.8 Your rights

You have the right to request:

• Information about how your personal data is processed.
• A copy of the personal data we hold about you (this is called a Subject Access Request).
• That any inaccuracies in your personal data are corrected without delay.
• That your personal data is erased if there is no longer a justification for it to be processed.

To make a request, please contact the GPA Data Protection Team.

1.9 Contact details and complaints

For any questions about how we handle your data, or to exercise your rights, please contact:

GPA Data Protection Team

Email: dataprotection@gpa.gov.uk

If you are not satisfied with our response, you have the right to complain to the Information Commissioner’s Office (ICO).

Information Commissioner’s Office

Website: www.ico.org.uk

Telephone: 0303 123 1113