Guidance

Cabinet Office Security and Integrity Standards Privacy Notice

Published 13 October 2023

This notice sets out how the Cabinet Office will use your personal data in the course of maintaining the propriety standards expected of holders of public office and civil servants, and standards of government security or confidentiality. This includes: the provision of advice on compliance with codes of conducts such as the Ministerial Code, the Special Advisers’ Code, the Civil Service Code and other ethical standards; support on propriety and security standards; authorised investigations into specific potential breaches of these standards; and analysis in support of advice and policy development.  

This privacy notice does not cover processing carried out by National Security Vetting (UKSV) or HR functions within the Cabinet Office, such as appraisals, performance management, grievances or breaches of contract, or any investigations managed by HR functions. For further information on how data is processed under these functions please refer to the relevant notice in our Personal Information Charter on GOV.UK.

This notice may be updated from time to time – the latest version is available on GOV.UK. 

The terms of this notice are intended to sit alongside those of any relevant departmental privacy notice or retention policy. Where the terms do not align, the terms of this notice will supersede other privacy notices insofar as the processing relates to any of the purposes listed above and below. 

1. Your data

1.1 Purpose

The Cabinet Office is responsible for providing advice and support to other government departments and officials on propriety and ethics considerations, usually at the request of the relevant Permanent Secretary or a Minister. It also provides advice and support on how to conduct government business securely. This most commonly relates to the implementation of Cabinet Office guidance, on issues such as maintaining government business during democratic events, such as elections, or  compliance with a code of conduct. 

The Cabinet Office is also sometimes asked to carry out investigations by the Prime Minister, the Cabinet Secretary, the Permanent Secretary or the Government Chief Security Officer. It sometimes supports other government departments in conducting investigations. These investigations are necessary to ensure the proper functioning of the government, to uphold public trust and/or to ensure effective working relationships, decision-making and policy development in Government. They can also have wider implications, including for national security or law enforcement. 

The Cabinet Office may also need to conduct analysis of the personal data collected in the course of these activities in order to identify common patterns, or connections between queries and investigations, and may maintain a record of precedents. This may be necessary to ensure the effective completion of an individual investigation or to inform future decision-making and policy development.

1.2 The data

Most of the personal data the Cabinet Office processes is provided to us in the request for advice or in the course of an investigation, either by you, your employer, a complainant or third parties. This may include: 

• Name
• Job title
• Email address (work and personal)
• Phone number (work and personal)
• Employment history
• Education history
• Nature of complaint/concern 
• Disciplinary and investigation information

The activities in section 1.1 may also include the occasional processing of special category data and/or criminal offence data. Where that is the case, this data will only be held for as long as is necessary and shorter retention periods may apply.

Where your personal data is not provided directly by you or your employer, it is provided by a complainant, or another person connected with an investigation, or another third party such as another government department. Only when relevant, necessary and proportionate, information may be obtained from public sources such as public records and other open source information.

1.3 Data controllers

The Cabinet Office is an independent data controller of personal data it processes internally for the purposes of section 1.1. 

In specific instances where the Cabinet Office undertakes investigations jointly or on behalf of another government department, the Cabinet Office and the department are joint data controllers of personal data. Where the Cabinet Office and the department are joint data controllers, you can exercise your rights by contacting either department. The Cabinet Office’s contact details are set out at the end of this privacy notice.

1.4 Legal basis for processing

Cabinet Office processes your personal data and that of third parties in accordance with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”).

The primary legal basis for the processing of data is that it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller (Article 6(1)(e) UK GDPR and section 8 of the DPA 2018), specifically, to provide official advice and conduct investigations to ensure the proper functioning of government. 

If an investigation reveals potential criminal activity, we may share that with appropriate law enforcement authorities. In these cases we may rely on the basis of ‘legitimate interests’ (Article 6(1)(f) UK GDPR). The relevant interests in this case are those of the law enforcement agency and ensuring they have all information needed for the proper and fair detection and investigation of offences. 

Special category data or criminal offence data may be obtained in the course of investigation and if so will be processed under paragraph 9(2)(g) UK GDPR, in accordance with one or both of the following conditions:

• It is necessary for the purposes of performing or exercising our obligations or rights as the controller, or the data subject’s obligations or rights, under employment law, social security law or the law relating to social protection (paragraph 1, schedule 1, Data Protection Act 2018).
• It is necessary for reasons of substantial public interest, in the exercise of  function of the Crown, a Minister of the Crown or a government department. (paragraph 6 of Schedule 1 of the DPA 2018).
• It is necessary for the purposes of detecting and preventing unlawful acts (paragraph 10 Schedule 1 of the Data Protection Act 2018). 
• in exceptional circumstances, when processing is necessary for reasons of substantial public interest, in the exercise of a protective function (paragraph 11 of Schedule 1 of the DPA Act 2018).

Occasionally, we may seek the data subject’s consent for processing certain personal data or special category data for specific purposes. Where that is the case, the provisions of this privacy notice will apply.

1.5 Recipients

Personal data collected and processed by the Cabinet Office is very strictly controlled, and protected by a number of cyber, physical and personnel security controls. Only the minimum data necessary for the purpose above is collected and retained. Personal data processed in connection with an investigation is kept and processed separately from personal data processed for other or more general purposes. 

Only where necessary and proportionate for the carrying out of its activities in section 1.1, Cabinet Office may share personal data collected in an investigation or as part of the provision of advice with third parties. The third parties may include other government departments, Civil Service Human Resources, UKSV, legal advisers, a regulator, law enforcement, and/or other third parties. Personal data is also shared with our IT providers who provide document management and storage and email services.

Personal data may also be shared with third parties for purposes outside the activities in section 1.1. This will be done in exceptional circumstances, and only when necessary and proportionate to do so. For example, personal data may be shared with the relevant law enforcement or security agency when information suggests that an individual may have committed - or may be about to commit - a civil or criminal offence, or where action is required to prevent harm or safeguard national security. 

1.6 Retention

Your personal data will be kept by us for as long as is necessary for the purposes for which it was collected. Personal data will normally be retained in line with the Cabinet Office Information and Records Retention and Destruction Policy for up to seven years. However, Cabinet Office may retain some personal data beyond this period where necessary to do so in the interests of national security, for the purpose of legal proceedings, or disciplinary action which has already commenced or which is reasonably in prospect. Exceptionally, data may also be retained if it is sufficiently significant that it should be retained for the historical record under the Public Records Act 1958. 

2. Your data rights

If we process your personal data, you have rights in respect of that data which you may choose to exercise. Your rights and how you may exercise them are fully detailed on the independent Information Commissioner’s Office website.​ These rights include:

• to request information about how your personal data are processed, and to request a copy of that personal data – if still held;
• to request that any inaccuracies in your personal data are rectified without delay;
• to request that any incomplete personal data are completed, including by means of a supplementary statement;
• to request that your personal data are erased if there is no longer a justification for them to be processed;
• in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted;
• to object to the processing of your personal data; and
• the right to lodge a complaint with the independent Information Commissioner’s Office (ICO) if you think we are not handling your personal data in accordance with the law.

The exercise of these rights may be subject to certain limitations or exemptions, including (but not limited to) where an exemption is required for national security or reasons of substantial public interest or where processing is necessary for the prevention and/or detection of crime. In the exceptional circumstances where we process data with your consent, you have the right to withdraw that consent at any time. 

3. International transfers

As your personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the UK. Where that is the case it will be subject to equivalent legal protection through an adequacy decision or reliance on Standard Contractual Clauses or a UK International Data Transfer Agreement.

4. Contact details

The data controller for your personal data is the Cabinet Office. The contact details for the data controller are:

Cabinet Office
70 Whitehall
London
SW1A 2AS

Public Enquiries: Online Contact Form

The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.

The contact details for the data controller’s Data Protection Officer are: dpo@cabinetoffice.gov.uk 

5. Complaints

If you wish to exercise any of your data rights, or complain about how we are processing your personal data, please write to:

Cabinet Office
70 Whitehall
London
SW1A 2AS

or 0207 276 1234, or Contact the Cabinet Office.

We will acknowledge your complaint within 5 working days, and provide you with a substantive response within one month of receipt of the request, except where a longer period may be necessary. If a longer period is necessary, we will write to you within one month of your request informing you of when you can expect a substantive response and the reasons for the delay.

You may also make a complaint to the Cabinet Office Data Protection Officer: dpo@cabinetoffice.gov.uk. The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.

If you are not satisfied with the response, you have the right to lodge a complaint with the Information Commissioner’s Office if you think we are not handling your data or your request in accordance with the law. You can contact the ICO by calling 0303 123 1113 or by using their online form available at Your personal information concerns.