Privacy notice: how we use your data

Last updated: 22 July 2024

GOV.UK Forms is a platform provided by the Government Digital Service (GDS), which is part of the Cabinet Office. The GOV.UK Forms platform lets UK government teams create online forms to collect information from people and organisations.

This privacy notice sets out what data we collect from you when you use the GOV.UK Forms platform, the GOV.UK Forms website (www.forms.service.gov.uk) and the services associated with them (together ‘GOV.UK Forms’). It also sets out what we do with that data.

Data we collect from your users

Your organisation is the data controller for any data you collect through forms you publish using GOV.UK Forms. Cabinet Office - through GDS - is a data processor, collecting data on your behalf.

This privacy notice does not cover how we use data we collect from people who fill in forms you create with GOV.UK Forms.

How we use that data is covered in the standard privacy notice that’s created automatically when you publish a form, and linked to from the form’s footer. You’re also required to provide a link to information about what you do with user’s data once you receive it from GOV.UK Forms. Here’s an example showing how it works - the privacy notice for the ‘Request an exemption from using the GOV.UK website’ form.

Data we collect from you

This privacy notice explains what personal data the Cabinet Office collects from you, as someone using GOV.UK Forms - for example, to create and publish forms. Cabinet Office is the data controller for this data. Read the Cabinet Office’s entry in the Data Protection Public Register for more information.

The legal basis for processing this data is:

  • it’s necessary to perform a task in the public interest
  • it’s necessary in the exercise of our functions as a government department
  • consent (when you sign up to the GOV.UK Forms mailing list)

Data we collect when you use the GOV.UK Forms website

When you use GOV.UK forms website, your device sends information such as your:

  • IP address
  • web browser and version number
  • time zone and language settings

We use this information to:

  • give you the information and web pages you request
  • monitor the use of the site for security threats
  • monitor the performance of the site to identify inefficiencies and JavaScript errors

We collect this information in system logs. These logs are stored in Amazon Web Services in the UK. We move some of this information to the security and network monitoring tools we use to keep the GOV.UK Forms service secure. These tools are hosted in the EU.

We may also use this information to produce anonymised reports about GOV.UK Forms. This helps us understand where we can make improvements. We may share this anonymised information with other organisations in government so they can improve how they create forms.

When you create an account with GOV.UK Forms

If you create an account to use GOV.UK Forms, we’ll collect your:

  • name
  • email address
  • organisation

We may share these details with people at your organisation or related organisations involved in monitoring access to specific technologies, or in managing form creation or website publishing. We do this to help manage access to GOV.UK Forms and to ensure that only legitimate users have access.

We use the Auth0 service to authenticate your email address when you sign in to use GOV.UK Forms. This involves us sharing your email address with Auth0 as a data processor. For more information you can read about how Auth0 processes data.

We will send you updates about GOV.UK Forms, and may ask you to share your views and experiences of using GOV.UK Forms - for example, by responding to a survey.

When you subscribe to our mailing list

If you subscribe to the GOV.UK Forms mailing list we’ll collect your:

  • email address
  • organisation
  • job title

We may use the Mailchimp platform to send these updates and requests. This involves us sharing your email address with the platform provider, Intuit, as a data processor.

Intuit also collects some personal data via the Mailchimp platform as a data controller in their own right. For example, technical information about your device. For more information, you can read Mailchimp’s cookie statement and the Intuit privacy statement.

When you contact us

If you contact us about GOV.UK Forms we’ll collect your name, email address and any other personal information you choose to include in your message.

Performance analysis and cookies

We also carry out performance analysis to see how you use the GOV.UK Forms website and how well the site performs on your device during your visit - we do this to make sure it’s meeting the needs of its users and to improve it.

The legal basis for performing web analytics is your consent. When you first visit this website you will be asked whether you consent to optional analytics cookies. If you do not give your consent, you will still be able to use the website. If you do give consent and change your mind, you can update your cookie settings at any time.

For more information you can read about the cookies we use.

How long we keep your data

We will only keep your personal data for as long as:

  • the law requires us to
  • we need it for the purposes listed above

This means that we will only hold your personal data for one year.

If you consent to analytics cookies on the GOV.UK Forms website, your personal data will be retained for 14 months.

If you have a GOV.UK Forms account, account details - including personal data - are deleted after they’ve been inactive for 12 months.

If you sign up to our mailing list, your personal data will only be retained while you choose to remain on the list.

Where your data is processed and stored

Your personal data may be transferred outside the United Kingdom while being processed by GDS. If this happens, we’ll make sure you’re given the same level of technical and legal protection as you are within the United Kingdom by relying on the UK Government’s data adequacy decisions or by including clauses in contracts that require the recipient to protect the data in accordance with UK standards.

How we protect your data and keep it secure

We are committed to doing all that we can to keep your data secure. To prevent unauthorised access or disclosure we have put in place technical and organisational procedures to secure the data we collect about you – for example, we protect your data using varying levels of encryption. We also make sure that any third parties that we deal with have an obligation to keep all personal data they process on our behalf secure.

We will not:

  • sell or rent your data to third parties
  • share your data with third parties for marketing purposes

We will share your data if we are required to do so by law – for example, by court order - or where doing so would help to prevent fraud or other crime.

Children’s privacy protection

We understand the importance of protecting children’s privacy online. Our services are not designed for, or intentionally targeted at, children 13 years of age or younger. It is not our policy to intentionally collect or maintain data about anyone under the age of 13.

What your rights are

You have the right to request:

  • information about how your personal data is processed
  • a copy of that personal data - this copy will be provided in a structured, commonly used and machine-readable format
  • that anything inaccurate in your personal data is corrected immediately

You can also:

  • raise an objection about how your personal data is processed
  • request that your personal data is erased if there is no longer a justification for it
  • ask that the processing of your personal data is restricted in certain circumstances

If you have any of these requests, get in contact with our Data Protection Officer - you can find their contact details below.

Changes to this notice

We may modify or amend this privacy notice at our discretion at any time. When we make changes to this notice, we will amend the last modified date at the top of this page. Any modification or amendment to this privacy notice will be applied to you and your data as of that revision date. We encourage you to periodically review this privacy notice to be informed about how we are protecting your data.

Questions and complaints

Contact gds-privacy-office@digital.cabinet-office.gov.uk if you either:

  • have questions about anything in this document
  • think that your personal data has been misused or mishandled

You can also contact the Cabinet Office Data Protection Officer.

DPO@cabinetoffice.gov.uk
Data Protection Officer
Cabinet Office
70 Whitehall
London SW1A 2AS

If you have a complaint, you can also contact the Information Commissioner’s Office.

Information Commissioner’s Office
icocasework@ico.org.uk
0303 123 1113
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF