Privacy notice: how we use your data
Last update: 8 September 2021
GOV.UK Platform as a Service (PaaS) is a cloud hosting platform for government departments, agencies and crown bodies. Our users (‘tenants’) access the platform to deploy and run their services in the cloud. These services are then used by the general public (‘end users’). In order to make GOV.UK PaaS secure and available we need to collect, process and store personal data both from tenants and end users. The data we collect from tenants is different from the data we collect from end users, so this document lists them separately.
GOV.UK PaaS is provided by the Government Digital Service (GDS), part of the Cabinet Office.
The Cabinet Office is the data controller for the account information of staff of tenant organisations. The tenant organisation will be the data controller for any data that they collect and you should look at the Privacy Notice provided by the relevant site to understand how they use your personal data. The Cabinet Office acts as a data processor for personal data processed by tenants.
What data we collect from tenants
The personal data we collect from you as a tenant will include:
- your name
- your email address
- your mobile telephone number
- your organisational role
- your IP address
We need this information to provide a service that is in the public interest, as some of the apps we host on GOV.UK PaaS are used by the public to access government services.
Why we need data from tenants
We use this information to:
- create and manage user accounts on GOV.UK PaaS
- identify you while you use it
- keep the platform secure from unauthorised access
What we do with tenants’ data
We store the data you provide to:
- get in contact to reply to your queries
- make your user account function correctly
- manage your user account
- send you service related updates and notices
- send you value-add emails but only with your consent
We will not:
- sell or rent your data to third parties
- share your data with third parties for marketing purposes
We will share your data if we are required to do so by law – for example, by court order, or to prevent fraud or other crime.
How long we keep data from tenants
We will only retain your personal data for as long as:
- the law requires us to
- we need to provide this service
In general, this means that we will only hold your personal data for a minimum of 1 year and a maximum of 2 years.
We will delete your personal data when you ask us to remove your user account. It might take up to 35 days for your data to be completely cleared from our logs and back-ups.
What data we collect from end users
The personal data we collect from end users will include:
- their IP address
- any cookies that are set by your service
We need this information to provide a service that is in the public interest, as some of the apps we host on GOV.UK PaaS are used by the public to access government services.
Why we need your end users’ data
We need this information to make sure the platform can meet the demand created by end users who access the services hosted on it.
What we do with your end users’ data
We use the data provided to:
- ensure the security of your service if any cookie you set has that purpose
- monitor the load placed on the platform
- monitor the security of GOV.UK PaaS
We will not:
- sell or rent your end users’ data to third parties
- share your end users’ data with third parties for marketing purposes
We will share your end users’ data if we are required to do so by law – for example, by court order, or to prevent fraud or other crime.
How long we keep your end users’ data
We will only retain your end users’ personal data for as long as:
- the law requires us to
- we need to provide this service
In general, this means that we will only hold their personal data for a minimum of 1 day and a maximum of 30 days.
Where your data is processed and stored
We design, build and run our systems to make sure that your data is as safe as possible at any stage, both while it’s processed and when it’s stored.
We use Mailchimp, an IT platform provider, to send you service related updates and notices.
Your personal data may be transferred outside the United Kingdom while being processed by GOV.UK PaaS. If this happens, we’ll make sure you’re given the same level of technical and legal protection as you are within the United Kingdom through standard contract clauses.
How we protect your data and keep it secure
We are committed to doing all that we can to keep your data secure. We set up systems and processes to prevent unauthorised access or disclosure of the data we collect about you – for example, we protect your data using varying levels of encryption. All third parties who process personal data for GDS are required to keep that data secure.
Children’s privacy protection
Our services are not designed for, or intentionally targeted at, children who are 13 years or younger. We do not intentionally collect or maintain data about anyone under the age of 13.
Your rights
You have the right to request:
- information about how your personal data is processed
- a copy of that personal data - this copy will be provided in a structured, commonly used and machine-readable format
- that anything inaccurate in your personal data is corrected immediately
You can also:
- raise an objection about how your personal data is processed
- request that your personal data is erased if there is no longer a justification for it
- ask that we only process your personal data in certain circumstances
If you have any of these requests, get in contact with our Privacy Team - you can find their contact details below.
Changes to this notice
We may change this privacy notice. In that case the ‘last updated’ date at the top of this page will also change. Any changes to this privacy notice will apply to you and your data immediately. If these changes affect how your personal data is processed, GDS will take reasonable steps to make sure you know.
Questions and complaints
Contact the Privacy Team if you either:
- have any questions about anything in this document
- think that your personal data has been misused or mishandled
- want to make a subject access request (SARS)
Email: gds-privacy-office@digital.cabinet-office.gov.uk
The contact details for our Data Protection Officer are:
Data Protection Officer
DPO@cabinetoffice.gov.uk
Cabinet Office
70 Whitehall
London
SW1A 2AS
The Data Protection Officer provides independent advice and monitoring of our use of personal information.
You may also make a complaint to the Information Commissioner, who is an independent regulator set up to uphold information rights.
Information Commissioner's Office
icocasework@ico.org.uk
0303 123 1113
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF