Guidance

Freedom of Information request and Data Subject request privacy notice

Updated 24 September 2021

This notice sets out how we will use your personal data, and your rights. It is made under Articles 13 and/or 14 of the General Data Protection Regulation (GDPR).

Your data

Purpose

The purposes for which we are processing your personal data are to:

  • record and respond to freedom of information requests and data subject requests received by the department
  • provide cross-government advice, support and coordination in responding to freedom of information requests, and in particular to those requests which are sent to two or more public authorities

The data

We will process the following personal data:

  • your name
  • address
  • email address
  • your request

We may also process other personal data if you volunteer it.

In responding to data subject requests we may process identity verification documents and any data on you held by the department.

In responding to subject access requests we may process any data on you held by the department.

In relation to responding to freedom of information and data subject requests, the legal basis for processing your personal data is that it is necessary to comply with a legal obligation placed on us as the data controller.

In relation to providing cross-government advice, support and coordination in responding to freedom of information requests, the legal basis for processing your personal data is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In this case the task is providing advice, support and coordination in responding to freedom of information requests.

Sensitive personal data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Although we do not collect any sensitive personal data, we may process this in responding to a subject access request. We may also process data about criminal convictions in responding to a subject access request.

The legal basis for processing your sensitive personal data, or data about criminal convictions, is that processing is necessary for reasons of substantial public interest for the exercise of a function of the Crown, a Minister of the Crown, or a government department (paragraph 6, schedule 1, Data Protection Act 2018). The function is meeting our legal obligations to answer subject access requests.

Recipients

In relation to freedom of information requests, where it appears to us that your request has been made to two or more public authorities, we will share your name and request with other government departments and some public bodies. This is in order that we can provide cross-government advice, support and coordination in responding to freedom of information requests sent to multiple public bodies.

As your personal data will be stored on our IT infrastructure it will also be shared with our data processors who provide email, and document management and storage services. Requests will also be shared with our supplier of case management software.

Retention

Personal data held in relation to FOI and data subject requests and Internal reviews will be kept by the department for up to two years from the date the case has been closed on our system, unless the case has escalated to the Information Commissioner’s Office (ICO). In the event of the latter, we shall retain your data for three years from the date the ICO case has been closed on our system in order to maintain an appropriate record in case of further appeals.

Where personal data has not been obtained from you

Your personal data were obtained by us from another government department or public body to whom you made a freedom of information request.

Your rights

You have the right to:

  • request information about how your personal data are processed, and to request a copy of that personal data
  • request that any inaccuracies in your personal data are rectified without delay
  • request that any incomplete personal data are completed, including by means of a supplementary statement
  • request that your personal data are erased if there is no longer a justification for them to be processed
  • in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted
  • object to the processing of your personal data where it is processed for direct marketing purposes
  • object to the processing of your personal data

International transfers

As your personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the UK. Where that is the case it will be subject to equivalent legal protection through an adequacy decision, or the use of Standard Contractual Clauses.

Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113

Email: [email protected]

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Contact details

The data controller for your personal data is the Cabinet Office. The contact details for the data controller are:

Cabinet Office
70 Whitehall
London
SW1A 2AS

Telephone: 0207 276 1234

Email: [email protected]

For requests relating to the Government Digital Service, please contact: [email protected]

The contact details for the data controller’s Data Protection Officer are: [email protected]

The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.