Policy paper

IT Reuse for Good charter: privacy notice

Updated 7 October 2025

This notice sets out how we will use your personal data, and your rights. It is made under Articles 13 and 14 of the UK General Data Protection Regulation (UK GDPR). 

For data protection purposes, the Department for Science, Innovation and Technology (DSIT) is the data controller. 

Purpose 

We process personal data to respond to letters, emails or other communications from members of the public, parliamentarians, and representatives of organisations.

Data 

We will process the following personal data:

  • your name 
  • your organisation 
  • your organisation size 
  • your organisation sector  
  • your occupation 
  • your email address 
  • your senior responsible officer’s contact details 
  • evidence of your organisation’s device donation scheme 

We will also process:

  • any other information you volunteer about yourself 
  • special category data or data about criminal convictions if you volunteer such information

Special categories of personal data include: 

  • data about racial or ethnic origin 
  • political opinions 
  • religious or philosophical beliefs 
  • trade union membership 
  • health data 
  • genetic data 
  • data concerning an individual’s sex life or sexual orientation 
  • biometric data for the purpose of uniquely identifying a natural person 

The processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In this case, that is being accountable and transparent about the functions and policies for which the department is responsible. 

Where special category data or data about criminal convictions is volunteered by a correspondent, our legal basis for processing it is: 

The processing is necessary for reasons of substantial public interest for the exercise of a function of the Crown, a Minister of the Crown, or a government department. The substantial public interest is being accountable and transparent about the functions and policies for which the department is responsible.

Recipients 

Your information may be shared with other public bodies, or the devolved administrations, where necessary. This is in order to provide a full answer to you, or where we need to transfer correspondence to a more appropriate body for an answer. 

Your information may also be shared with third parties, including partner organisations involved in the development of the charter and government agencies, in order to provide a full answer to you. 

Your information may be shared with your MP if they are writing on your behalf. 

As personal data will be stored on our IT infrastructure it will also be accessible by our data processors who provide email, document management, storage, system troubleshooting and support services. These processors do not use your data for their own purposes.

How we receive personal data 

If we did not receive your personal data from you, it may have been provided by your MP, or by another person writing in on your behalf, or by another correspondent with your consent.

Retention  

Personal information in correspondence will usually be deleted 5 calendar years after the correspondence or case is closed or concluded. 

Public correspondence may be kept if it is sufficiently significant that it should be retained for the historical record.

Automated decision making   

Your personal data will not be subject to automated decision making, including profiling.   

International transfers  

Your personal data will be processed in the UK, however as it is stored on our IT infrastructure, and shared with our data processors, it may be transferred outside of the UK but will remain within the European Economic Area (EEA). Your data will receive the same level of protection in the EEA as it does in the UK, through the safeguard of adequacy decision.

Your rights 

You have the right to: 

  • request information about how your personal data is processed, and to request a copy of that personal data 
  • request that any inaccuracies in your personal data are rectified without delay 
  • request that any incomplete personal data is completed, including by means of a supplementary statement 
  • request that your personal data are erased if there is no longer a justification for it to be processed 
  • in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted 
  • object to the processing of your personal data 

A full list of your rights under the UK General Data Protection Regulation (GDPR) is available on the ICO website.

Contact details

Contact the DSIT Data Protection Officer (DPO) if you: 

  • have any questions about anything in this document 
  • think that your personal data has been misused or mishandled 

DSIT Data Protection Officer
Department for Science, Innovation & Technology
22-26 Whitehall
London
SW1A 2EG

Email: dataprotection@DSIT.gov.uk  

If you are unhappy with the way we have handled your personal data, please write to the department’s Data Protection Officer in the first instance using the contact details above.  

Complaints 

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an UK independent regulator. The Information Commissioner can be contacted at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113
Email icocasework@ico.org.uk
Website: Make a complaint

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.  

Updates to this notice 

We may change this privacy notice. When we make changes to this notice, the ‘last updated’ date at the top of this page will also change. Any changes to this privacy notice will apply to you and your data immediately. If these changes affect how your personal data is processed, DSIT will take reasonable steps to make sure you know. 

Added details: 

  • concerning the scope of correspondence to be managed via the CoMS solution 
  • on the data we will process 
  • on the special category data 
  • of the use of data about offences/convictions.  
  • details regarding the use of AI 
  • details on the data processors

Last update: 3 October 2025