Guidance

Privacy notice for Cabinet Office OFFICIAL IT platform

Updated 20 September 2023

1. Your data

1.1 Purpose

The purposes for which we are processing your personal data are:

  • providing an OFFICIAL IT platform and data storage system for staff, to allow them to discharge their duties, including setting up and removing user accounts, and migrating between suppliers
  • testing and piloting new technology, to develop, expand or upgrade the platform
  • monitoring the system for potential abuses of the ICT Acceptable Usage Policy, or for fraudulent or criminal activity
  • monitoring threats to the system, identifying and fixing technical issues, and identifying and tackling cyber security risks
  • compiling anonymised office occupancy statistics in order to monitor and report overall office usage and help inform the Cabinet Office’s future estates strategy

1.2 The data

We will process the following personal data:

OFFICIAL IT Platform:

  • name
  • job title
  • email addresses
  • telephone numbers
  • office location
  • team membership of user and their contacts
  • email and document access logs
  • general records of usage of the system, including all emails
  • IP address
  • telemetry data
  • devices and operating systems used
  • software required, including accessibility software

Staff can also provide additional information voluntarily on their profile, such as:

  • date of birth
  • gender
  • people in their social groups
  • adding a profile image
  • uploading video

Staff can also voluntarily publish personal data through social media posts. Video and audio may be recorded through video chat, and/or published internally through internal websites.

Our supplier may collect information about:

  • devices used
  • time last active
  • apps used
  • media stored
  • web searches
  • IP address
  • contacts
  • calendars
  • location
  • language
  • ads clicked
  • things bought on advertiser sites
  • voice when using voice commands
  • YouTube search and watch history

Any other personal data may be stored on the system by business units. Where this is the case, the individual business unit will be responsible for providing a privacy notice.

OFFICIAL Records Management software:

Personal data may include:

  • user IDs
  • email
  • textual information used in document titles, description and other metadata
  • text and images to be displayed by the service
  • audit log information and other data

1.3 Legal basis of processing

The legal basis for processing your personal data is:

In relation to monitoring threats to the system, identifying and fixing technical issues, migrating to new suppliers, and identifying and tackling cyber security risks:

  • it is necessary for the purposes of our legitimate interests, i.e. maintaining the security of our IT system and the continuity of our business

In relation to staff photos, videos and other profile information voluntarily provided:

  • because you consent

In relation to all other purposes:

  • it is necessary for the performance of a contract to which the data subject is a party, which in this case is your employment contract

Sensitive personal data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Our lawful basis for processing accessibility requirements is that it is necessary for the purposes of performing or exercising our obligations or rights as the controller, or your obligations or rights, under employment law.

Any sensitive personal data, or data about criminal convictions, may be stored on the system by business units. Where this is the case, the individual business unit will be responsible for providing a privacy notice.

1.4 Recipients

Your personal data will be shared by us with our IT suppliers who provide and maintain the OFFICIAL IT platform, and the records management software that sits alongside it. These data processors provide cybersecurity, email, and document management and storage services.

1.5 Retention

Your personal data will be kept by us for the duration of your employment in the department. Once you leave the organisation, your account will be deleted. This should be at least once a year.

For senior leaders, such as ministers, personal data may be retained indefinitely where they may be of historical interest.

Subsystems within the OFFICIAL IT platform retain and erase data automatically based on the purpose of the function, for example retention of technical data to enable security detection and response. These systems may retain technical data after your account has been deleted, but such technical data will be automatically deleted when no longer required for security management.

2. Your rights

You have the right:

  • to request information about how your personal data are processed, and to request a copy of that personal data
  • to request that any inaccuracies in your personal data are rectified without delay
  • to request that any incomplete personal data are completed, including by means of a supplementary statement
  • to request that your personal data are erased if there is no longer a justification for them to be processed
  • in certain circumstances (for example, where accuracy is contested), to request that the processing of your personal data is restricted
  • to object to the processing of your personal data where it is processed for direct marketing purposes

In relation to staff photos, videos and other profile information voluntarily provided, you have the right:

  • to withdraw consent to the processing of your personal data at any time
  • to request a copy of any personal data you have provided, and for this to be provided in a structured, commonly used and machine-readable format

In relation to monitoring threats to the system, identifying and fixing technical issues, and identifying and tackling cyber security risks, you have the right:

  • to object to the processing of your personal data

3. International transfers

As your personal data is stored on our IT infrastructure and shared with our data processors, it may be transferred and stored securely outside the UK. Where that is the case it will be subject to equivalent legal protection through an adequacy decision, or the use of Standard Contractual Clauses or the UK International Data Transfer Agreement.

4. Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113

icocasework@ico.org.uk

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

5. Contact details

For employees of the Cabinet Office, or its arm's length bodies, the data controller (or lead data controller in respect of arm's length bodies) for your personal data is the Cabinet Office. The contact details for the data controller are:

Cabinet Office
70 Whitehall
London
SW1A 2AS

Telephone: 0207 276 1234

https://www.gov.uk/guidance/contact-the-cabinet-office

The contact details for the data controller’s Data Protection Officer are:

dpo@cabinetoffice.gov.uk

The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.

For employees of the Department for Culture, Media and Sport, the data controller for your personal data is the Department for Culture, Media and Sport, and the Cabinet Office is acting as their data processor. Please consult your departmental staff privacy notice for further details.