Research and analysis

DSIT privacy notice: cyber security breaches survey 2025

Updated 3 September 2024

This notice sets out how we will process your personal data, and your rights. It is made under Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR).  

Cyber security breaches survey 2025, which surveys businesses and charities about their cyber security, is conducted by Ipsos Ltd. (Ipsos) on behalf of the Department for Science, Innovation and Technology (DSIT) and the Home Office (HO). 

DSIT, HO and Ipsos act as the joint controllers of this survey, which is jointly commissioned by DSIT and HO. Ipsos has provided their own privacy notices for businesses and charities, to explain how they processes your personal data.

For the purposes of this survey, Ipsos will not share or transfer any of your personal data to DSIT and/or HO

1. Your data 

Where personal data has not been obtained from the data subject  

For charities based in Scotland that are contacted for this survey, personal data was obtained by DSIT from the Office of the Scottish Charities (OSCR), and provided to Ipsos for the purposes of inviting you to participate in this survey. DSIT and/or HO processed your personal data through a duly managed transfer request, from OSCR directly to Ipsos.

All other processing of personal data for this survey will be done by Ipsos. Ipsos will then provide DSIT and/or HO with completely anonymised notes and reports.   

Ipsos will provide DSIT and/or HO with an anonymous data file of survey responses to allow for analysis and quality assurance of the results. This anonymous file may be made available to other approved government departments, partner organisations or researchers for statistical research purposes only. 

Ipsos privacy notice  

Ipsos is the processor of the data and has provided their own privacy notices.  

The Ipsos privacy notice explains:

  • the purpose of the survey
  • how they process your personal data
  • their legal basis for processing
  • who they may share your data with
  • who they may transfer your personal data to
  • how long they may retain your personal data 

2. Purpose 

The purpose(s) for which we are processing your personal data is:  

  • to allow our contracted partner, Ipsos, to invite you to participate in this cyber security breaches survey

The legal basis for processing your personal data under Article 6 of the UK GDPR is:  

1(e)Public task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller, which entails understanding the cyber attacks and cyber crimes experienced by UK businesses, charities and educational institutions, and their policies, processes and approach to cyber security. 

4. Recipients 

Your personal data will not be shared directly with DSIT and/or HO.  

Details are provided in Ipsos’ privacy notices.

5. Retention  

Your personal data will be transferred directly by OSCR to Ipsos and will not be retained by DSIT and/or HO

6. Automated decision making 

Your personal data will not be subject to automated decision making.  

7. International transfers  

Your personal data will be processed in the UK. 

8. Your rights 

You have the right to request information about how your personal data are processed, and to request a copy of that personal data.  

You have the right to request that any inaccuracies in your personal data are rectified without delay.  

You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement.  

You have the right to request that your personal data are erased if there is no longer a justification for them to be processed.  

You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.  

You have the right to object to the processing of your personal data. 

9. Contact details 

You can contact the DSIT data protection officer at:  

DSIT data protection officer  
Department for Science, Innovation &Technology  
22-26 Whitehall  
London  
SW1A 2EG 

Email: [email protected] 

If you are unhappy with the way we have handled your personal data, please write to the department’s data protection officer in the first instance using the contact details above.  

10. Complaints 

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an UK independent regulator.  The Information Commissioner can be contacted at:  

Information Commissioner’s Office 
Wycliffe House 
Water Lane 
Wilmslow 
Cheshire 
SK9 5AF 

Telephone: 0303 123 1113 

https://ico.org.uk/make-a-complaint/  

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.  

11. Updates to this notice 

If this privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it, and under what circumstances we will share it with other parties. The ‘last updated’ date at the bottom of this page will also change. 

If these changes affect how your personal data is processed, we will take reasonable steps to let you know. 

Last updated: 31 July 2024