Research and analysis

Privacy notice for UK cyber security sector and labour market research

Updated 22 July 2025

1. Research on the UK cyber security labour market and sector and your personal data

This Privacy Notice explains who we are, the personal data we collect, how we use it, who we share it with, and what your legal rights are.

2. About Ipsos UK

Ipsos (market research) Limited is a specialist research agency, commonly known as Ipsos and referred to in this privacy notice as “Ipsos UK”. Ipsos UK is part of the Ipsos worldwide group of companies, and a member of the Market Research Society. As such we abide by the Market Research Society Code of Conduct and associated regulations and guidelines.

3. About this research

Ipsos UK has been asked by the Department for Science, Innovation and Technology (DSIT), to conduct research on the cyber security labour market and sector. This research involves talking to the individuals responsible for cyber security in UK businesses, public sector organisations and charities, as well as the individuals running UK cyber sector businesses, recruitment agents, cyber security training providers and investors in the sector.

We are collecting data for this study in the following ways:

• a telephone and online survey of UK businesses (including cyber sector businesses), public sector organisations and charities

• follow-up qualitative interviews with those taking part in the survey

• additional qualitative interviews with individuals who did not take part in the survey, including those in cyber security roles, recruitment agents, cyber security training providers and investors in the cyber security sector.

This Ipsos UK privacy notice applies to all these aspects of the research.

Participation in this research is voluntary – you are free to decide not to take part if you do not want to. You can withdraw your consent at any time. Your decision will not affect your relationship with DSIT or the government in any way.

4. What personal data has Ipsos UK received for this research?

Ipsos UK has personal data relating to your business because we have been asked by DSIT to carry out research on their behalf.

• Private sector businesses – Ipsos has taken a random sample of UK businesses (England, Wales, Scotland and Northern Ireland) and their contact details from the Market Location business database, to invite them to take part in the survey and follow-up qualitative interviews. Information on how Market Location collects this data can be found on their website.

• Public sector organisations – Ipsos has taken a random sample of public sector organisations from the Inter-Departmental Business Register (IDBR) held by the Office for National Statistics (ONS). Information on how ONS collects this data can be found on their website.

• Charities – Ipsos has taken a random sample of charities from the publicly available databases for charities in England and Wales, and Northern Ireland. Separately, it has obtained a random sample of Scotland charities from the Office of the Scottish Charity Regulator (OSCR). Information on how OSCR collects this data can be found on their website.

• Cyber sector businesses – as part of this research, Ipsos and its partner, Perspective Economics, have generated a sample of cyber sector businesses, using sources such as the Bureau van Dijk Fame database, the Orbis database, the Beauhurst database, a DSIT list of businesses involved in various cyber security start-up initiatives, and business websites.

In some cases, we have supplemented the above organisation details with contact details sourced from business websites and publicly available LinkedIn data, via our research partners, Sample Solutions, as well as Ipsos’ own desk research. Information on how Sample Solutions collects this data can be found on their website.

The data (including personal data) Ipsos has received from these sources includes:

• organisation registered and trading names

• organisation address and postcode

• organisation telephone number

• contact name within the business where available – for an individual likely to be responsible for major finance, legal or compliance matters

• contact email within the business where available.

We may have also taken contact details from the information provided by you at the end of a previous survey or interview, after you agreed to be recontacted for similar research.

5. What is Ipsos UK’s legal basis for processing your personal data?

Ipsos UK requires a legal basis to process your personal data. For this research:

• Ipsos UK’s legal basis for collecting charity contact details from the charity regulator websites is the legitimate interests of DSIT.

• Ipsos UK’s legal basis for processing personal data from each type of organisation or individual beyond this stage is their consent to take part in this research study. If you wish to withdraw your consent at any time, please see the section below covering ‘Your Rights’.

6. How will Ipsos UK use any personal data including interview responses you provide?

Participating in this research is voluntary and any answers are given with your consent.

Ipsos UK will keep your personal data and responses private in strict confidence in accordance with this Privacy Policy. You will not be identifiable in any published results.

We will only share recorded material(s) from any qualitative interviews with the Project Team; the Project Team is the Ipsos UK project team, and supplier organisations working on this project such as TakeNote Transcription services.

Ipsos UK will use your personal data and answers solely for research purposes, to produce anonymous research findings for DSIT. This will include the following files delivered to DSIT:

• Ipsos will provide DSIT with a de-identified data file of survey responses for them to carry out their own analysis and quality assurance of the results. Your survey will be combined with answers from hundreds of other respondents. Your personal data (including any contact information) will not be included in this data file.

• This de-identified data file will be deposited onto the UK Data Archive (UKDA) in an anonymous format. There is no information in the data that can be used to identify you. Any analysis is done on the whole sample, and results will be quoted in terms of specific percentages of people, and are not reported as individual answers. The collected survey responses are made available, through the UKDA Service, to academic researchers who must register with UKDA to be able to use the data.

• We will share anonymised extracts of qualitative interviews with DSIT. This includes anonymised verbatim quotes. Any details that could identify you or someone in your business will be removed.

7. Who will Ipsos UK share your data with?

Ipsos UK will be using certain supplier organisations to assist us with running the qualitative research and we will need to disclose your personal data to these supplier organisations for that purpose. These supplier organisations include:

• Paton Williamson Consultancy – this is to set up follow-up interviews with the individuals and organisations that have given their consent for this within the survey.

• TakeNote Limited – this is to transcribe interviews (where necessary) to extract quotes and carry out further analysis.

• Large Language Models (Artificial Intelligence, e.g. Open AI) using a secure Ipsos-dedicated environment.

8. How will Ipsos UK ensure my personal information is secure?

Ipsos UK takes its information security responsibilities seriously and applies various precautions to ensure your information is protected from loss, theft or misuse. Security precautions include appropriate physical security of offices and controlled and limited access to computer systems.

Ipsos UK has regular internal and external audits of its information security controls and working practices and is accredited to the International Standard for Information Security, ISO 27001.

9. How long will Ipsos UK retain my personal data and identifiable responses?

• Ipsos UK will only retain any personal data and identifiable answers for as long as is necessary to support this research. In practice, this means that once we have reported the final anonymous research findings to DSIT, we will securely remove any personal data from our systems.

• For this project, we will securely remove your personal data from our systems within three months of project closure (expected to be Friday 26 June 2026).

• If you agree to be recontacted, your contact details will be stored by Ipsos UK in data centres and servers within the United Kingdom, for the timeframe agreed when you gave permission.

10. Your rights

This section sets out your rights to the personal data that Ipsos UK holds about you, and the contact information you need to exercise your rights.

• You have the right to access your personal data within the limited period that Ipsos UK holds it.

• Providing responses to this survey is entirely voluntary and is done with your consent. You have the right to withdraw your consent at any time whilst we hold your personal data at an identifiable level.

• You also have the right to request from us the deletion or erasure of the personal information we hold about you.

• You also have the right to rectify any incorrect or out-of-date personal data about you which we may hold.

• If you want to exercise your rights, please contact us at the below Ipsos UK address.

• If you have any complaints, we will appreciate if you give us an opportunity to resolve any issue first, by contacting us as set out below. You have the right to lodge a complaint with the UK’s Information Commissioner’s Office (ICO), if you have concerns on how we have processed your personal data. You can find details about how to contact the Information Commissioner’s Office at https://ico.org.uk/make-a-complaint/

• If instead you want to contact DSIT, who commission the research, to exercise your rights about any data they may hold about you, please contact them using the details provided below.

11. Where will my personal data be held and processed?

All of your personal data used and collected for this research will be stored by Ipsos UK in data centres and servers within the United Kingdom.

If you participate via MS Teams, to be able to invite you to take part in the Microsoft Teams camera call and screen presenting, your email address will be processed on Microsoft servers located in the European Economic Area (EEA). Your interview responses will not be processed or stored on Microsoft servers.

12. How can I contact Ipsos UK and DSIT about this project and/or about my personal data?

If you have any questions or require further information our privacy policy, our compliance with data protection laws or information we hold about you, please contact our Compliance Department. They can be contacted by email sent to compliance@ipsos.com with 25-014864-01 DSIT Cyber Skills & Sector Research (2026) as the subject line.

Or by letter sent to:

Ref: 25-014864-01 DSIT Cyber Skills & Sector Research (2026) – Compliance Department 
Market and Opinion Research International Limited 
3 Thomas More Square 
London
E1W 1YW 
United Kingdom

You can email DSIT at dataprotection@dsit.gov.uk with 25-014864-01 DSIT Cyber Skills & Sector Research (2026) as the subject line.

Or reach DSIT by letter sent to:

Ref: 25-014864-01 DSIT Cyber Skills & Sector Research (2026) 
DSIT Data Protection Officer 
Department for Science, Innovation and Technology 
22 Whitehall
London 
SW1A 2EG 
United Kingdom

13. Changes to this privacy policy

We keep our privacy policy under regular review. This policy was created on 11 July 2025.

14. Useful links

• Ipsos UK: www.ipsos.com

• Information Commissioners Office: www.ico.org.uk

• Market Research Society: www.mrs.org.uk