Notice

National Security Online Information Team: privacy notice

Published 16 April 2024

© Crown copyright 2024

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/national-security-online-information-team-privacy-notice/national-security-online-information-team-privacy-notice

The Department for Science, Innovation and Technology (DSIT) is committed to protecting the privacy and security of your personal data. This notice describes how we collect and use your personal data in accordance with data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA) 2018.

DSIT is the data controller. This means that we are responsible for deciding how we hold and use your personal data. We are required under data protection legislation to notify you of the information contained in this privacy notice.

This notice explains your rights, and the reasons we are using your information.

About the National Security Online Information Team (NSOIT)

The National Security Online Information Team (NSOIT) leads the UK government’s operational response to disinformation threats online, and ensures the government takes necessary steps to identify and respond to acute misinformation (i.e. incorrect or misleading information) and disinformation (i.e. information which is deliberately created to cause harm) in areas of public interest.

NSOIT is focused on the greatest risks to public safety and national security, which are agreed by ministers, and regularly communicated to parliament.

In the unlikely event that the NSOIT receives or processes personal data, the purpose of this privacy notice is to explain how that personal data would be processed when we have not obtained personal data directly from you. It is provided to meet our obligations set out in Article 14 of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”) to make information publicly available about the way in which we process personal data.

You may also find it helpful to refer to our DSIT Personal Information Charter, which sets out how we may hold or use your personal information.

Your data

The NSOIT sits within the Department for Science, Innovation and Technology (DSIT) which is the data controller under UK GDPR for the personal information the team processes, unless otherwise stated.

Purpose

The NSOIT’s work is focused on helping the government understand online disinformation narratives and attempts to artificially manipulate the information environment. The NSOIT takes an evidence-based approach to countering harmful disinformation online, through aggregated analysis of publicly available information, typically from social media websites. Whilst this data is anonymised wherever possible, the content we review may incidentally include personal data (for example usernames, social media handles, contact information, or personal data embedded within comments or metadata) that may be embedded within material that you or others may have published on those sites. In some cases, such content may include special categories of personal data, such as political or philosophical opinions.

It is important to note we do not collect or review private online information (i.e. material that is not made available on a public page).

Personal data

Our legal reason for collecting or processing personal data is set out in Article 6(1)(e) of the UK GDPR as the processing is necessary for us in our work as a public body and in the public interest. In particular, the processing is necessary for the exercise of our function as the government department responsible for addressing disinformation online, as permitted under section 8(d) of the DPA 2018.

Special Category Data

The NSOIT does not seek to collect special categories of personal data, but we may incidentally process such data (for example, where it is included in social media posts). To the extent we do so, our legal reason for processing this information is that the processing is necessary for reasons of substantial public interest for the exercise of a function of a government department (article 9(2)(g) UK GDPR and paragraph 6 to Schedule 1 Part 2 of the DPA 2018).  In this case there is substantial public interest in protecting the UK from harmful mis and disinformation which could adversely impact public safety or national security.

Recipients

We may share our analysis with other government departments whose work is impacted by disinformation. Any insights we provide will generally be on an aggregated basis. Where specific content is shared, personal identifiers will be redacted where possible.      

If any of the content the NSOIT reviews may infringe the moderation policies of the social media platforms from which the content derived, the NSOIT may notify the relevant platform. The information NSOIT shares with social media providers is limited to sending links to content of concern, or aggregated overarching trends. The platform will decide whether to take any action consistent with their policies.

Following a fair and open tender process, the NSOIT has appointed a third party, Crisp Thinking Limited, to help conduct analysis of social media platforms. Any access they may have to personal data will be strictly controlled in accordance with the requirements under UK GDPR.

Retention

We will only retain your personal data for as long as it is needed in accordance with the purposes for which it was collected. Where raw data samples are collected to generate narrative analysis either by DSIT or a third party, it will typically be held for a period of up to 3 months.  The overall products and outputs of NSOIT will be held for no more than two years, in line with DSIT’s retention policy. NSOIT will anonymise data wherever possible when undertaking its analysis and producing its products and reports. There will be exceptions to the data retention periods set out above where, for example, the law requires us to keep the information for longer, such as for a public inquiry.  

Data security 

Will my data be used for automated decision making or profiling?

No. We do not use your data for automated decision making or profiling.

Will my data be transferred outside the UK and if it is how will it be protected?

As your personal data is stored on our IT infrastructure and shared with our data processors Microsoft and Amazon Web Services, it may be transferred and stored securely outside the UK. Where that is the case it will be subject to equivalent legal protection through an adequacy decision, the use of Standard Contractual Clauses or a UK International Data Transfer Agreement.

Your rights

You have the right to:

  • request information about how your personal data is processed, and to request a copy of that personal data
  • request that any inaccuracies in your personal data are rectified without delay
  • request that any incomplete personal data is completed, including by means of a supplementary statement
  • request that your personal data is erased if there is no longer a justification for them to be processed
  • in certain circumstances (for example, where accuracy is contested), request that the processing of your personal data is restricted
  • object to the processing of your personal data where it is processed for direct marketing purposes
  • object to the processing of your personal data

To exercise your rights please contact the Data Protection Officer using the contact details below.

Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an UK independent regulator. The Information Commissioner can be contacted at:

Information Commissioner's Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Email casework@ico.org.uk

Telephone 0303 123 1113

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Contact details

The data controller for your personal data is the Department for Science, Innovation and Technology (DSIT).

You can contact the DSIT Data Protection Officer at:

DSIT Data Protection Officer

Department for Science, Innovation and Technology
22-26 Whitehall
London
SW1A 2EG

Updates to this notice

If this privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it, and under what circumstances we will share it with other parties. The ‘last updated’ date at the bottom of this page will also change.

If these changes affect how your personal data is processed, we will take reasonable steps to let you know

Last updated: 21 March 2024

Back to top