Privacy notice: how we use your data

Last update: 25 May 2018

GOV.UK Platform as a Service (PaaS) is a cloud hosting platform for government departments, agencies and crown bodies. Our users (‘tenants’) access the platform to deploy and run their services in the cloud. These services are then used by the general public (‘end users’). In order to make GOV.UK PaaS secure and available we need to collect, process and store personal data both from tenants and end users. The data we collect from tenants is different from the data we collect from end users, so this document lists them separately.

GOV.UK PaaS is provided by the Government Digital Service (GDS).

What data we collect from tenants

The personal data we collect from you as a tenant will include:

  • your name
  • your email address
  • your mobile telephone number
  • your organisational role
  • your IP address

We need this information to provide a service that is in the public interest, as some of the apps we host on GOV.UK PaaS are used by the public to access government services.

Why we need data from tenants

We use this information to:

  • create and manage user accounts on GOV.UK PaaS
  • identify you while you use it

  • keep the platform secure from unauthorised access

What we do with tenants’ data

We store the data you provide to:

  • get in contact to reply to your queries
  • make your user account function correctly
  • manage your user account
  • send you updates and notices


We will not:

  • sell or rent your data to third parties
  • share your data with third parties for marketing purposes

We will share your data if we are required to do so by law – for example, by court order, or to prevent fraud or other crime.

How long we keep data from tenants

We will only retain your personal data for as long as:

  • the law requires us to
  • we need to provide this service


In general, this means that we will only hold your personal data for a minimum of 1 year and a maximum of 2 years.

We will delete your personal data when you ask us to remove your user account. It might take up to 35 days for your data to be completely cleared from our logs and back-ups.

What data we collect from end users

The personal data we collect from end users will include:

  • their IP address
  • any cookies that are set by your service

We need this information to provide a service that is in the public interest, as some of the apps we host on GOV.UK PaaS are used by the public to access government services.

Why we need your end users’ data

We need this information to make sure the platform can meet the demand created by end users who access the services hosted on it.

What we do with your end users’ data

We use the data provided to:

  • ensure the security of your service if any cookie you set has that purpose
  • monitor the load placed on the platform
  • monitor the security of GOV.UK PaaS

We will not:

  • sell or rent your end users’ data to third parties
  • share your end users’ data with third parties for marketing purposes


We will share your end users’ data if we are required to do so by law – for example, by court order, or to prevent fraud or other crime.

How long we keep your end users’ data

We will only retain your end users’ personal data for as long as:

  • the law requires us to
  • we need to provide this service


In general, this means that we will only hold their personal data for a minimum of 1 day and a maximum of 30 days.

Where your data is processed and stored

We design, build and run our systems to make sure that your data is as safe as possible at any stage, both while it’s processed and when it’s stored.

Your personal data may be transferred outside the European Economic Area (EEA) while being processed by GOV.UK PaaS. If this happens, we’ll make sure you’re given the same level of technical and legal protection as you are within the EEA.

How we protect your data and keep it secure

We are committed to doing all that we can to keep your data secure. We set up systems and processes to prevent unauthorised access or disclosure of the data we collect about you – for example, we protect your data using varying levels of encryption. All third parties who process personal data for GDS are required to keep that data secure.

Children’s privacy protection

Our services are not designed for, or intentionally targeted at, children who are 13 years or younger. We do not intentionally collect or maintain data about anyone under the age of 13.

Your rights

You have the right to request:

  • information about how your personal data is processed
  • a copy of that personal data - this copy will be provided in a structured, commonly used and machine-readable format
  • that anything inaccurate in your personal data is corrected immediately


You can also:

If you have any of these requests, get in contact with our Data Protection Officer - you can find their contact details below.

Changes to this notice

We may change this privacy notice. In that case the ‘last updated’ date at the top of this page will also change. Any changes to this privacy notice will apply to you and your data immediately. If these changes affect how your personal data is processed, GDS will take reasonable steps to make sure you know.

Questions and complaints

Contact the Data Protection Officer (DPO) if you either:

  • have any questions about anything in this document
  • think that your personal data has been misused or mishandled
  • want to make a subject access request (SARS)
Data Protection Officer
DPO@cabinetoffice.gov.uk

Cabinet Office
70 Whitehall
London
SW1A 2AS

You may also make a complaint to the Information Commissioner, who is an independent regulator set up to uphold information rights.

Information Commissioner's Office
casework@ico.org.uk
0303 123 1113

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF