Privacy Notice for the Information and Data Exchange
Published 20 November 2023
© Crown copyright 2023
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/privacy-notice-for-the-information-and-data-exchange/privacy-notice-for-the-information-and-data-exchange
Definitions
INDEX
Information & Data Exchange
UK GDPR
The UK General Data Protection Regulation (as amended).
DPA 2018
Data Protection Act 2018 (as amended).
Purpose
This Privacy Notice applies to the processing of personal data by INDEX as part of its work providing all-source national security assessments for His Majesty’s Government. This notice sets out how the INDEX service may process your personal data, which may be included in information processed by INDEX. This notice also explains your rights in relation to the data we process. It is made under Articles 13 and 14 of UK GDPR.
INDEX
INDEX is a secure digital service for the national security community; this includes producers and consumers of reporting on national security. INDEX is managed by the Cabinet Office for HMG to access government analysis and assessment and paywall sources of relevance to national security. INDEX is designed to meet the needs of HMG analysts and consumers who draft and read assessments on situations and issues of current concern. The assessments provide geopolitical analysis, foreign policy analysis and risk analysis on national security priorities. It is based on “information assets” which include government analysis and assessment from HMG and international allied governments and publicly accessible electronic information from commercially available sources.
Why we process personal data
Personal data which may be included in information assets hosted on INDEX
Information assets may include personal data of world leaders or persons working in a public capacity. This may involve the processing of special category data and/or criminal offence data. Where that is the case, this data will only be held for as long as is necessary. This personal data is necessary to the integrity of national security analysis.
INDEX does not intentionally collect or process personal data of the general public or anyone whose personal data is not relevant to national security priorities. However, the content of the information assets collected and processed by INDEX may include incidental personal data, including special category data, of members of the public, within the body of an open source information asset. INDEX uses a number of methods to actively minimise the processing of this personal data.
Legal basis of processing
INDEX processes all personal data in accordance with UK GDPR and the DPA 2018. The legal basis for processing personal data for the production of assessments to inform the development of government policy provision is that it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller (Article 6(1)(e) UK GDPR and section 8 of the DPA 2018). Special category data and/or criminal offence data will be processed in accordance with the following: paragraph 6 of Schedule 1 of the DPA 2018 (processing necessary for reasons of substantial public interest, in the exercise of a function of a government department (INDEX is part of the Cabinet Office).
Who we share personal data with
INDEX is a digital service managed by the Cabinet Office for HMG. Where necessary and proportionate, personal data which is relevant to national security assessments may be shared with other public authorities (including those overseas). As personal data will be stored on our IT infrastructure it will also be shared with our data processors who provide software development, email, document management and storage services.
How long we keep personal data
Personal data which we process as part of INDEX’s operation will be retained for as long as is necessary for the purpose for which it was collected (i.e. safeguarding national security). All data is reviewed after 3 years and if no longer needed for the purpose for which it was collected, will be deleted. Some personal data may be retained for the purpose of archiving in the public interest (i.e. historic records).
Decision based on automated processing
In relation to the use of data covered by this notice, the Cabinet Office does not make decisions which produce legal effects concerning the data subject based on automated processing, including profiling.
Where you did not provide your personal data
Personal data may be obtained by us from a wide range of sources including UK and overseas government departments, UK government analysis and assessment, and public sources.
Your rights
If we process your personal data, you have rights in respect of that data which you may choose to exercise. Your rights and how you may exercise them are fully detailed on the independent Information Commissioner’s Office website.
These rights include:
The right to request a copy of your personal data;
The right to require us to restrict the processing of your data in certain circumstances;
The right to request your data be deleted or corrected;
The right to object to the processing of your data; and
The right to lodge a complaint with the independent Information Commissioner’s Office (ICO) if you think we are not handling your personal data in accordance with the law.
The exercise of these rights may be subject to certain limitations or exemptions, including (but not limited to) where an exemption is required for national security.
International transfers
As personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the UK. Where that is the case it will be subject to equivalent legal protection through an adequacy decision or the use of Standard Contractual Clauses, or a UK International Data Transfer Agreement.
We may occasionally transfer personal data outside the UK to a country without an adequacy decision where this is necessary for important reasons of public interest (e.g. national security).
Contact details
The Cabinet Office and other government departments using the service are joint-controllers of the data. The parties are considered joint controllers because they have jointly determined to pool their data (which includes some personal data) for the purposes of data analysis and assessment, and to combine that data with public data (which may include some personal data). The lead data controller for your personal data is the Cabinet Office.
The contact details for the lead data controller are:
Cabinet Office
70 Whitehall
London
SW1A 2AS
0207 276 1234
The contact details for the lead data controller’s Data Protection Officer are:
The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.
Complaints
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator.
The Information Commissioner can be contacted at:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
0303 123 1113
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.