Statutory guidance

Data processing agreement - Civil Service People Survey

Updated 25 August 2023

Data processing agreement - Civil Service people survey

This Annex shall be completed by the Controller, who may take account of the view of the Processor, however the final decision as to the content of this Annex shall be with the Customer at its absolute discretion.

The contact details of the Customer’s Data Protection Officer are: Steve Jones, dpo@cabinetoffice.gov.uk

The contact details of the Supplier’s Data Protection Officer are: Rachael McCrystal, privacy@qualtrics.com

The Processor shall comply with any further written instructions with respect to Processing by the Controller.

Any such further instructions shall be incorporated into this Annex.

Description

Identity of Controller for each Category of Personal Data

Details

The Customer is Controller and the Supplier is Processor

The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Supplier is the Processor of the following Personal Data:

The Civil Service People Survey (CSPS) is an annual staff survey which invites all civil servants to share their views on a range of workplace topics. The CSPS is managed by the Cabinet Office on behalf of all participating organisations. Cabinet Office has appointed Qualtrics LLP to help deliver the 2020 and 2021 surveys, with the possibility of two one-year extensions. Under the terms of this contract, Cabinet Office is the data controller and Qualtrics LLP is the data processor.

The two types of data we collect are:

Survey data

• This includes any responses given to attitudinal questions; open-ended; demographic questions (including sex, ethnicity, age, disability, religion, sexual orientation, and socio-economic background), as well as metadata about how the respondent completed the survey (such as IP addresses and completion times).

• While we do not ask survey respondents to personally identify themselves, it may be possible in a small number of cases for individuals to be identifiable from a combination of their responses. Personal data may also be submitted in free text boxes. For this reason the Cabinet Office treats survey data as personal data.

Contact information

• This includes the name, organisation, and contact details for: survey managers (who act as the primary point of contact for the People Survey in each organisation); user research participants (who help us test the survey and participate in interviews and other types of research to understand different user’s needs); members of our working groups; and dashboard users (who each organisation determines should be able to view their organisation’s aggregated survey results).

• In some instances, we also collect information about the personal characteristics of individuals, such as their grade, disability and use of assistive technology, to inform the design of the survey platform and tools, and ensure it is meeting a range of user needs.

The purposes for which we process these data are:

Survey data

• To help leaders identify where there are problems in their organisation, and where there are disparities between different groups of staff, and to help them to take action to improve staff experiences and wellbeing.

• By running the same survey across all Civil Service organisations, we are able to compare employee views and experiences across the Civil Service, and provide a means for leaders to be held accountable for people management in a consistent way.

• Survey data will never be used to make decisions about individuals.

Contact information

• To support each organisation to build their survey and share best practice we need to be able to contact key individuals within each organisation (‘survey managers’)

• To ensure the survey is meeting the needs of a range of civil servants, we need the contact details of individuals to carry out interviews or invite feedback from them, with their informed consent

• To ensure the survey is accessible for staff with impairments who may also use assistive technology, we need to be able to contact staff with these characteristics who have given their consent to be involved in user research

• To ensure the survey is technically sound and meeting our strategic aims, we need to be able to contact analysts and other experts across government to invite their views

• To ensure that people within organisations only access the results that are relevant to them and/or their role, we need their names and email addresses to provide individual login access to the People Survey results dashboards

The Parties are Independent Controllers of Personal Data

The Parties acknowledge that they are Independent Controllers for the purposes of the Data Protection Legislation in respect of:

• Business contact details of Supplier Personnel for which the Supplier is the Controller,

• Business contact details of any directors, officers, employees, agents, consultants and contractors of Customer (excluding the Supplier Personnel) engaged in the performance of the Customer’s duties under the Contract) for which the Customer is the Controller,

Description

Duration of the Processing

Details

Controller solely determines the duration of processing. Once data is deleted from the active database all backups of said data are deleted within 90 days.

The earlier of (i) expiry/termination of the order specifying the Services; or (ii) the date upon which processing is no longer necessary for the purposes of either party performing its obligations under the order(to the extent applicable).

Description

Nature and purposes of the Processing

Details

The transferred Personal Data is subject to the following basic processing activities:

• use of Personal Data to set up, operate, monitor and provide the Cloud Service (including operational and technical Support)

• provision of Services;

• communication to Authorized Users

• storage of Personal Data in dedicated Data Centers (multi-tenant architecture)

• upload any fixes or upgrades to the Cloud Service

• back up of Personal Data

• computer processing of Personal Data, including data transmission, data retrieval, data access

• network access to allow Personal Data transfer

• execution of instructions of Customer in accordance with the Agreement.

Qualtrics shall process Personal Data outside of the data center region selected by Customer to the extent necessary to comply with Customer’s instructions (e.g. support purposes, use of subprocessor services) or as strictly necessary to provide the Cloud Service. Where such processing involves the transfer of Personal Data to third countries outside of the European Economic Area (where such country is not deemed adequate by the European Commission), the parties agree that Module 2 of the Standard Contractual Clauses (2021) shall apply, with Customer as Controller, and Qualtrics as Processor.

Storage: Data collected are stored by Cabinet Office in an offline drive and/or google drive with restricted, named user access, as well as Qualtrics LLP (including their implementation partner SplitPin), whose data centre is based in Frankfurt Germany.

Analysis: Individual level data are analysed in order to produce aggregate survey results; findings from user research and opinions from working group members are also analysed to produce aggregate results not attributed to an identifiable individual.

Dissemination: Aggregate survey results are shared internally and high level results (cross-Civil Service or departmental level) are published on gov.uk. Individual level data from the survey is given to a subset of participating organisations (those who sign a data sharing agreement) – each organisation only receives data from individuals in their organisation, rather than the whole Civil Service data set.

Description

Type of Personal Data

Details

In terms of survey data, we process:

• Opinion data, including responses to attitudinal questions about working in the Civil Service

• Comments data, where individuals can type their response into a free-text box and potentially disclose personal information

• Demographic data, including: sex, gender, ethnicity, age, disability, caring responsibilities, childcare responsibilities, religion, sexual orientation, socio-economic background, and job characteristics

• Metadata, including: IP address, browser, and completion time

Participation in the survey is voluntary and all attitudinal, open-ended and demographic questions can be skipped.

In terms of contact information, we process:

• Names

• Contact information (including email addresses and telephone numbers)

• Organisation and job title

• Profession

• Use of assistive technology and impairments

This is collected completely separately to the survey data and provided on a voluntary basis with the consent of each individual.

This is solely determined by the Buyer.

Description

Categories of Data Subject

Details

Staff working in the Civil Service.

This is solely determined by the Buyer.

Description

Plan for return and destruction of the data once the Processing is complete

UNLESS requirement under law to preserve that type of data

Details

DATA REMOVAL - LEAVING THE PLATFORM

Because customers are in control of their Data, Qualtrics encourages Customers to export and delete their Data from Qualtrics prior to terminating their license to use the platform. After the conclusion of the contract period, the Customer will no longer be able to access any Data remaining on the platform. Qualtrics then will delete any remaining Data in accordance with applicable law and contractual obligations. This time period will not exceed 6 months.

Customers requesting confirmation of Data deletion should make such request 180 days after expiry of their contract.

DISPOSAL OF MEDIA

Formal processes and procedures are in place to securely dispose of devices that may contain Customer Data. These procedures apply to all data center environments. Deprecated or defective media (specifically, hard drives) are erased according to a U.S. Department of Defense compliant 3-pass overwrite standard, and/or physically destroyed.

Description

Locations at which the Supplier and/or its Sub-contractors process Personal Data under this Contract

Details

All Data is owned and controlled by Qualtrics’ Customers, who are designated as data controllers. Qualtrics is the data processor. All Data is stored in a multi-tenant data center and in a single region (e.g. EEA, US, Canada, Australia, UK, Japan) chosen by the Customer on the applicable order form. While Data is hosted within the region where the Customer’s primary data centre resides, Data may be transferred and processed outside the data center region to comply with Customer requests or instructions (e.g. support purposes, use of sub- processor services) or as necessary to provide the Cloud Service. In all data centers, Qualtrics solely operates and is responsible for all system and developed software.

European Data Location: AWS, Frankfurt, Germany with backups in Dublin, Ireland

System Engineering Supported out of: USA, Ireland and Poland

Customer Support Supported out of: USA, Ireland, Germany, Australia, Japan, Argentina

Description

Protective Measures that the Supplier and, where applicable, its Sub-contractors have implemented to protect Personal Data processed under this Contract Agreement against a breach of security (insofar as that breach of security relates to data) or a Personal Data Breach

Details

This Schedule 2 applies to describe the applicable technical and organizational measures for the purposes of the Standard Contractual Clauses (2010), New Standard Contractual Clauses and applicable Data Protection Law.

Qualtrics will apply and maintain the Technical and Organizational Measures.

To the extent that the provisioning of the Cloud Service comprises New SCC Relevant Transfers, the Technical and Organizational Measures set out in Schedule 2 describe the measures and safeguards which have been taken to fully take into consideration the nature of the personal data and the risks involved. If local laws may affect the compliance with the clauses, this may trigger the application of additional safeguards applied during transmission and to the processing of the personal data in the country of destination (if applicable: encryption of data in transit, encryption of data at rest, anonymization, pseudonymization).

1 - TECHNICAL AND ORGANIZATIONAL MEASURES

The following sections define Qualtrics’ current technical and organizational measures. Qualtrics may change these at any time without notice so long as it maintains a comparable or better level of security. Individual measures may be replaced by new measures that serve the same purpose without diminishing the security level protecting Personal Data.

1.1 - Physical Access Control. Unauthorized persons are prevented from gaining physical access to premises, buildings or rooms where data processing systems that process and/or use Personal Data are located.

Measures:

• Qualtrics protects its assets and facilities using the appropriate means based on the Qualtrics Security Policy

• In general, buildings are secured through access control systems (e.g., smart card access system).

• As a minimum requirement, the outermost entrance points of the building must be fitted with a certified key system including modern, active key management.

• Depending on the security classification, buildings, individual areas and surrounding premises may be further protected by additional measures. These include specific access profiles, video surveillance, intruder alarm systems and biometric access control systems.

• Access rights are granted to authorized persons on an individual basis according to the System and Data Access Control measures (see Section 1.2 and 1.3 below). This also applies to visitor access. Guests and visitors to Qualtrics buildings must register their names at reception and must be accompanied by authorized Qualtrics personnel.

• Qualtrics employees and external personnel must wear their ID cards at all Qualtrics locations.

Additional measures for Data Centers:

• All Data Centers adhere to strict security procedures enforced by guards, surveillance cameras, motion detectors, access control mechanisms and other measures to prevent equipment and Data Center facilities from being compromised. Only authorized representatives have access to systems and infrastructure within the Data Center facilities. To protect proper functionality, physical security equipment (e.g., motion sensors, cameras, etc.) undergo maintenance on a regular basis.

• Qualtrics and all third-party Data Center providers log the names and times of authorized personnel entering Qualtrics’ private areas within the Data Centers.

1.2 - System Access Control. Data processing systems used to provide the Cloud Service must be prevented from being used without authorization.

Measures:

• Multiple authorization levels are used when granting access to sensitive systems, including those storing and processing Personal Data. Authorizations are managed via defined processes according to the Qualtrics Security Policy

• All personnel access Qualtrics’ systems with a unique identifier (user ID).

• Qualtrics has procedures in place so that requested authorization changes are implemented only in accordance with the Qualtrics Security Policy (for example, no rights are granted without authorization). In case personnel leaves the company, their access rights are revoked.

• Qualtrics has established a password policy that prohibits the sharing of passwords, governs responses to password disclosure, and requires passwords to be changed on a regular basis and default passwords to be altered. Personalized user IDs are assigned for authentication. All passwords must fulfill defined minimum requirements and are stored in encrypted form. In the case of domain passwords, the system forces a password change every six months in compliance with the requirements for complex passwords. Each computer has a password-protected screensaver.

• The company network is protected from the public network by firewalls.

• Qualtrics uses up–to-date antivirus software at access points to the company network (for e-mail accounts), as well as on all file servers and all workstations.

• Security patch management is implemented to provide regular and periodic deployment of relevant

• security updates. Full remote access to Qualtrics’ corporate network and critical infrastructure is protected by strong authentication.

1.3 - Data Access Control. Persons entitled to use data processing systems gain access only to the Personal Data that they have a right to access, and Personal Data must not be read, copied, modified or removed without authorization in the course of processing, use and storage.

Measures:

• As part of the Qualtrics Security Policy, Personal Data requires at least the same protection level as “confidential” information according to the Qualtrics Information Classification standard.

• Access to Personal Data is granted on a need-to-know basis. Personnel have access to the information that they require in order to fulfill their duty. Qualtrics uses authorization concepts that document grant processes and assigned roles per account (user ID). All Customer Data is protected in accordance with the Qualtrics Security Policy.

• All production servers are operated in the Data Centers or in secure server rooms. Security measures that protect applications processing Personal Data are regularly checked. To this end, Qualtrics conducts internal and external security checks and penetration tests on its IT systems.

• An Qualtrics security standard governs how data and data carriers are deleted or destroyed once they are no longer required.

1.4 - Data Transmission Control. Except as necessary for the provision of the Cloud Services in accordance with the Agreement, Personal Data must not be read, copied, modified or removed without authorization during transfer. Where data carriers are physically transported, adequate measures are implemented at Qualtrics to provide the agreed-upon service levels (for example, encryption and lead-lined containers).

Measures:

• Personal Data in transfer over Qualtrics internal networks is protected according to Qualtrics Security Policy.

• When data is transferred between Qualtrics and its customers, the protection measures for the transferred Personal Data are mutually agreed upon and made part of the relevant agreement. This applies to both physical and network based data transfer. In any case, the Customer assumes responsibility for any data transfer once it is outside of Qualtrics-controlled systems (e.g. data being transmitted outside the firewall of the Qualtrics Data Center).

1.5 - Data Input Control. It will be possible to retrospectively examine and establish whether and by whom Personal Data have been entered, modified or removed from Qualtrics data processing systems.

Measures:

• Qualtrics only allows authorized personnel to access Personal Data as required in the course of their duty.

• Qualtrics has implemented a logging system for input, modification and deletion, or blocking of Personal Data by Qualtrics or its subprocessors within the Cloud Service to the extent technically possible.

1.6 - Job Control. Personal Data being processed on commission (i.e., Personal Data processed on a customer’s behalf) is processed solely in accordance with the Agreement and related instructions of the customer.

Measures:

• Qualtrics uses controls and processes to monitor compliance with contracts between Qualtrics and its customers, subprocessors or other service providers.

• As part of the Qualtrics Security Policy, Personal Data requires at least the same protection level as “confidential” information according to the Qualtrics Information Classification standard.

• All Qualtrics employees and contractual subprocessors or other service providers are contractually bound to respect the confidentiality of all sensitive information including trade secrets of Qualtrics customers and partners.

1.7 - Availability Control. Personal Data will be protected against accidental or unauthorized destruction or loss.

Measures:

• Qualtrics employs regular backup processes to provide restoration of business-critical systems as and when necessary.

• Qualtrics uses uninterrupted power supplies (for example: UPS, batteries, generators, etc.) to protect power availability to the Data Centers.

• Qualtrics has defined business contingency plans for business-critical processes and may offer disaster recovery strategies for business critical Services as further set out in the Documentation or incorporated into the Order Form for the relevant Cloud Service.

• Emergency processes and systems are regularly tested.

1.8 - Data Separation Control.

Measures:

• Qualtrics uses the technical capabilities of the deployed software (for example: multi- tenancy, system landscapes) to achieve data separation among Personal Data originating from multiple customers.

• Customer (including its Controllers) has access only to its own data.

1.9 - Data Integrity Control. Personal Data will remain intact, complete and current during processing activities.

Measures:

Qualtrics has implemented a multi-layered defense strategy as a protection against unauthorized modifications.

In particular, Qualtrics uses the following to implement the control and measure sections described above:

• Firewalls;

• Security Monitoring Center;

• Antivirus software;

• Backup and recovery;

• External and internal penetration testing;

• Regular external audits to prove security measures.