Guidance

Privacy Notice for Estates and Security in Cabinet Office managed buildings, and Cabinet Office Business Continuity

Published 25 October 2018

1. Your data

1.1 Purpose

The purposes for which we are processing your personal data are:

  • to allow you to book rooms and order hospitality; details of room bookings and requests for hospitality in Cabinet Office buildings are maintained for the purpose of ensuring the continued safety and integrity of buildings and of the assets housed within them, and for financial auditing purposes
  • to issue, and maintain records of, security passes used by staff to gain entry to Cabinet Office managed buildings
  • to maintain access control logs. These concern those who have required access to specific areas of the Cabinet Office’s managed estate, out of hours access to the department’s buildings, or the loan of keys to gain access to specific areas of the buildings. These records are maintained for the purpose of ensuring the continued safety and integrity of buildings and of the assets housed within
  • to maintain logs of accidents and near misses or of items lost/found. These are maintained for the purpose of both good management and staff wellbeing
  • to maintain incident logs. Details of incidents occurring on the Cabinet Office estate, including security breaches, staff taken ill and equipment lost, are maintained for the purpose of ensuring the continued safety and integrity of buildings and of the assets housed within them and for the purpose of staff wellbeing
  • to maintain records of security briefings and ICT equipment issued to Cabinet Office staff for the purpose of ensuring the safety and integrity of the department’s assets issued and held
  • to maintain a database of contact details of staff members for business continuity purposes; to maintain logs of local business continuity leads; and to maintain logs of prospective members of the department’s Incident Management Team (IMT)
  • to maintain a database of contact details of staff members who are responsible for managing some aspects of security matters for the purpose of the efficient distribution of such information

1.2 The data

We will process the following personal data:

Room bookings and hospitality:

  • name
  • contact details
  • cost centre

Staff passes:

  • name
  • date of birth
  • image of passholder
  • business unit
  • location/access arrangements
  • clearance level
  • date of clearance expiry

Access control logs:

  • name
  • date of birth
  • security clearance and expiry date
  • team and location of work
  • photograph (for access passes)
  • access control group details
  • date/time of access (for specific areas)
  • authoriser
  • contact details
  • signature

Accidents, near misses and lost and found:

  • name
  • contact details
  • issue
  • items lost/found
  • return date
  • donation to charity details (unclaimed items) and resolution details
  • names and details of staff involved in H&S incidents and near misses are also held
  • we also process the following sensitive personal data: health information relating to accidents or near misses

Incident logs:

  • name
  • contact details
  • details of incident
  • issues
  • item lost/found
  • return date
  • resolution details
  • we also process the following sensitive personal data: health information relating to staff taken ill

Security briefings and ICT equipment issued:

  • name
  • security clearance level
  • team & location
  • briefing completion dates
  • start/end dates in business group
  • parent department
  • CO IT assets issued to the data subject

Business continuity:

a) All staff:

  • name
  • business unit
  • business phone
  • personal phone (optional)
  • business email
  • personal email (optional)
  • business office location
  • IMT role (if any)
  • next of kin name (optional)
  • next of kin contact number (optional)

b) IMT staff:

  • name
  • contact details including mobile telephone numbers and any other agreed out of hours contact arrangements

Security contacts:

  • name
  • business unit
  • business phone number
  • business email address

The legal basis for processing your personal data is:

Because it is necessary for the performance of a contract to which you are a party. In this case, your contract of employment.

For contractors, this information is required in order to fulfil their contractual requirements with the department.

For accidents, near misses, lost and found, and incident logs:

The legal basis for processing your sensitive personal data is that it is necessary for the purposes of performing or exercising our obligations or rights as the controller, or your obligations or rights to the data subject, under employment law.

1.4 Recipients

Your personal data will be shared by us with our Total Facilities Management provider for the London buildings who is acting as our data processor.

In relation to business continuity:

Your contact details will be held by our IT supplier, who provides business-continuity communications services. As your personal data will be stored on our IT infrastructure, it will also be shared with our data processors who provide email, and document management and storage services.

Name, business unit and business phone number will be published on our intranet site.

In relation to Security contacts:

As your personal data will be stored on our IT infrastructure, it will also be shared with our data processors who provide email, and document management and storage services.

Name, business unit, business phone number & email address will be published on our intranet site.

1.5 Retention

Your personal data will be kept by us for:

  • room bookings and hospitality - three years
  • staff passes and access control logs - for the period of time that you are a member of the Cabinet Office
  • access control logs in respect of contractors – 12 months
  • accidents, near misses and lost and found – 5 years
  • incident logs – 5 years
  • security briefings and ICT equipment issued - for the period that an individual is a member of the department and until the record of their ‘indoctrination’ is created at another department and thus is no longer needed
  • business continuity - data on individual members of staff only needs to be retained as long as that person works for the Cabinet Office. Local business continuity leads and IMT contact details will only be held on those logs whilst the individual is acting in either capacity
  • security contacts - data on individual members of staff only needs to be retained as long as that person works for the Cabinet Office

2. Your rights

You have the right:

  • to request information about how your personal data are processed, and to request a copy of that personal data
  • to request that any inaccuracies in your personal data are rectified without delay
  • to request that any incomplete personal data are completed, including by means of a supplementary statement
  • to request that your personal data are erased if there is no longer a justification for them to be processed
  • in certain circumstances (for example, where accuracy is contested), to request that the processing of your personal data is restricted
  • to object to the processing of your personal data where it is processed for direct marketing purposes
  • to request a copy of any personal data you have provided, and for this to be provided in a structured, commonly used and machine-readable format.

3. International transfers

This information is not being stored outside of the European Union.

In relation to business continuity and security contacts:

As your personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the European Union. Where that is the case, it will be subject to equivalent legal protection through the use of Model Contract Clauses.

4. Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113
casework@ico.org.uk

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

5. Contact details

The data controller for your personal data is the Cabinet Office. The contact details for the data controller are:

Cabinet Office
70 Whitehall
London
SW1A 2AS

Public Enquiries: Online Contact Form

The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.

The contact details for the data controller’s Data Protection Officer are: dpo@cabinetoffice.gov.uk