Guidance

Privacy notice for Government Major Projects Portfolio (GMPP)

Updated 15 October 2020

1. GMPP HMT OSCAR and non-OSCAR systems

2. Processing of Personal data

Please note that this GDPR privacy notice relates solely to the GMPP application on OSCAR II and non-OSCAR II systems, and not to any of the other finance-based applications also present on the platform.

For the GDPR notice for these, please visit One Finance

This notice sets out how HM Treasury / Cabinet Office will use your personal data for the purposes of collecting, processing, analysing and publishing information through the OSCAR system and non-OSCAR II systems, and explains your rights under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).

3. Your data (Data Subject Categories)

The personal information relates to you as either an OSCAR system user, or as someone whose personal information is recorded in the OSCAR system and other GMPP systems such as, but not limited to, MS Office, databases, and visualisation software. Below is a list of the data subject categories covered by this notice:

  • OSCAR system users – Central and local government staff who need to access the system to enter, approve or analyse data
  • leaders of Major Government Projects – Individuals covering leadership roles in projects tracked in the Government Major Projects Portfolio (GMPP) i.e. Project Directors and Senior Responsible Officers
  • other stakeholders of Major Government Projects – Key contacts in the department sponsoring the project, HMT (Spending Teams) and Cabinet Office (IPA Team)

4. The data we collect (Data Categories)

4.1 OSCAR system users

  • name
  • surname
  • email
  • organisation

4.2 Leaders of Major Government Projects

  • is this position (SRO / PD) currently filled?
  • SRO / PD ID
  • name / surname
  • email
  • telephone
  • tenure start date
  • tenure end date
  • tenure length
  • if tenure end date changes, the reason for the change
  • job title
  • grade
  • career anchor – primary
  • career anchor – secondary
  • percentage time spent on role
  • if new SRO/PD, the reason for the change
  • for new SROs / PDs, your previous roles and project ID

4.3 Other stakeholders of Major Government Projects

  • name
  • surname
  • email
  • organisation

The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in HM Treasury and Cabinet Office. In this case the task originates from the Prime Ministerial mandate of January 2011, which required us to ‘compile a government portfolio of major projects’.

The task is to collect, store, consolidate, process and analyse data collected from different public bodies with the purpose of monitoring and publishing key government information for HMG, the UK Parliament and various other stakeholders.

6. Special categories data

Special categories data include: Race and ethnic origin, religious or philosophical beliefs, political opinions, trade union memberships, biometric data used to identify an individual, genetic data, health data and data related to sexual preferences, sex life, and/or sexual orientation. None of the data collected by the OSCAR system falls in this category.

7. Purpose

7.1 OSCAR system users

Data about OSCAR system users is collected to create OSCAR accounts and enable workflow email notifications (e.g. approval of submissions).

7.2 Leaders of Major Government Projects and other stakeholders of Major Government Projects

Data on the government’s top projects is collected / processed on a quarterly basis. This includes data on project leaders as well as details about the person/people completing/managing the form.

The purposes for which personal data is collected and processed are:

  • making contacts with projects / departments when required (e.g. chasing GMPP submissions, data queries, flash surveys on GMPP processes, organising meetings such as the Data Steering Group, or distributing documents)
  • contacting Project leaders when a data / analytical issue of importance arises
  • being a source of information for
    • the Infrastructure and Projects Authority
    • central government departments such as the Cabinet Office and HM Treasury and their arm’s length bodies / agencies
    • organisations that work closely with Cabinet Office and HM Treasury, but that are not directly linked, such as the National Infrastructure Commission
    • Project X; GMPP data is shared with individuals on Project X under Non-Disclosure agreements. Project X was conceived within IPA as a vehicle to engage contemporary research in project and programme with the ‘real-world’ issues that are manifest across the Government’s Major Project Portfolio (GMPP). Project X is ambitious: it seeks to promote and support methodologically rigorous research that is firmly grounded in clear pathways to impact – with an ultimate ambition of delivering savings for the Treasury and enhancing project management capability across government departments. Project X has been developed with support from Academia, Industry, Government and Consultancies.
    • other GMPP projects who may need project leader details.
  • analysing the data e.g. project leader performance and turnover and time spent in the role
  • understanding the training Project Leaders receive through Major Projects Leadership Academy / Project Leadership Programme, which is a mandatory stipulation of GMPP projects
  • triangulating data with the Profession’s team data to ensure we have the correct data around SRO letters and MPLA / PLP attendance
  • linking the data to other relevant data sources to support further analysis of project delivery across Government

8. Who we share your information with (Recipients)

8.1 OSCAR system users

Data collected to create OSCAR user accounts, securely stored in the OSCAR Multi factor Authentication Tool, is not shared with anyone. Users’ emails are used to communicate with them (either directly or via automated workflow notifications).

8.2 Leaders of Major Government Projects and other stakeholders of Major Government Projects

Data about GMPP Project leaders or other stakeholders may be shared with officials within the departments of the Cabinet Office and HM Treasury, or officials within other arm’s length bodies / agencies connected to these departments. Other bodies this data could be shared with include:

  • organisations that work closely with Cabinet Office and HM Treasury, but that are not directly linked, such as the National Infrastructure Commission
  • NAO, for audit purposes
  • Project X representatives, for analysis
  • departmental director generals representing their departments at the Project Council
  • private companies, such as research consultants, contracted for specific analytical work by the IPA, and subject to Non-Disclosure Agreements

As your personal data will be stored on our IT infrastructure it will also be shared with our data processors who provide email, document management and storage services.

9. How long we will hold your data (Retention)

9.1 OSCAR system users

Data collected to create OSCAR user accounts will be retained until the user account is removed, on request of the data subject or the data subject’s organisation.

9.2 Leaders of Major Government Projects and other stakeholders of Major Government Projects

The personal data the IPA collects on GMPP Project Leaders (Senior Responsible Owners and Project Directors) is collected for the purposes of long-term strategic analysis and as a record of the individuals previously responsible for major projects (as per the Government’s Osmotherly Rules), and will therefore be stored until the Government Major Projects Portfolio data (or any data collection that succeeds it) is no longer required. Please do speak to the IPA Analysis Team if you have any concerns about this.

For SROs of GMPP projects

Some of this data may also be in the public domain through the Osmotherly process and its mandatory requirement to publish SRO appointment letters. This process is not owned by the Analysis and Insight Unit in IPA and must therefore be covered by its owners’ adherence to GDPR. Although there is currently no requirement for Project / Programme Directors to go through the Osmotherly process, or a similar version of it, this paragraph would apply if such a process were initiated.

It may not be possible to remove your data from third parties i.e. search engines, web archives etc.

10. Where we will store your data

10.1 OSCAR system users

OSCAR System users’ data will be stored in the OSCAR Multi factor Authentication Tool’s (OKTA) European Union cell, which is hosted in Amazon Web Services Frankfurt (primary) and Dublin (backup).

Users’ emails will also be stored in Amazon Web Services UK Servers.

10.2 Leaders of Major Government Projects and other stakeholders of Major Government Projects

GMPP Data will be stored in Amazon Web Services UK Servers.

As your personal data will also be stored external to OSCAR on our internal IT infrastructure, it will also be shared with our data processors who provide email, document management and storage services (Google and AODocs). GMPP data is analysed using Tableau, a visualisation package which is linked to our GMPP database in Access (this may change in the future to SQL). All do or will sit on our internal networks.

Your rights:

  • you have the right to request information about how your personal data are processed and to request a copy of that personal data
  • you have the right to request that any inaccuracies in your personal data are rectified without delay
  • you have the right to request that your personal data are erased if there is no longer a justification for them to be processed
  • you have the right, in certain circumstances (for example, where accuracy is contested), to request that the processing of your personal data is restricted
  • you have the right to object to the processing of your personal data where it is processed for direct marketing purposes
  • you have the right to data portability, which allows your data to be copied or transferred from one IT environment to another

11. How to submit a Data Subject Access Request (DSAR)

To request access to personal data that HM Treasury holds about you, contact:

HM Treasury Data Protection Unit
G11 Orange
1 Horse Guards Road
London
SW1A 2HQ
dsar@hmtreasury.gov.uk

12. Complaints

If you have any concerns about the use of your personal data, please contact us via this mailbox: privacy@hmtreasury.gov.uk

If we are unable to address your concerns to your satisfaction, you can make a complaint to the Information Commissioner, the UK’s independent regulator for data protection. The Information Commissioner can be contacted at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
0303 123 1113
casework@ico.org.uk

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

13. Contact details

13.1 OSCAR system users

The data controller for personal information collected to create and maintain OSCAR System users is HM Treasury, the contact details for which are:

HM Treasury
1 Horse Guards Road
London
SW1A 2HQ
020 7270 5000
public.enquiries@hmtreasury.gov.uk

13.2 Leaders of Major Government Projects and other stakeholders of Major Government Projects

The data controller for personal information on GMPP Project leaders and other GMPP Project stakeholders is the Cabinet Office, the contact details for which are:

Cabinet Office
70 Whitehall
London
SW1A 2AS
020 7276 1234
publiccorrespondence@cabinetoffice.gov.uk

The contact details for the data controller’s Data Protection Officer (DPO) are:

Stephen Jones, DPO
Cabinet Office
70 Whitehall
dpo@cabinetoffice.gov.uk