Add privacy notice

[vickytnz]

We need to add a privacy notice similar to https://prototype-kit.service.gov.uk/docs/privacy-notice or https://service-manual.nhs.uk/your-privacy

[vickytnz]

Comment to compile existing related privacy notices

NHS service manual privacy notice

This site has the following things similar to the NHS prototype kit:

• uses cookies to save session date for redirection
• is managed by NHS England
• uses platforms to support contributions

It has these things different from the NHS prototype kit

• has analytics cookies
• mentions promotion on social media

Your privacy (NHS service manual)

Your privacy is important to us. This privacy policy covers what we collect and how we use, share and store your information.

This page tells you:

• about the information we may collect
• how we keep your data secure
• who we share your data with
• about your rights to see or change information we hold about you

Information we may collect

You can leave feedback on some pages of the website or on a user survey. You can choose to share your email address if you want a reply. Otherwise, we collect and store feedback anonymously

Cookies

Our website uses cookies. These are small files saved on your phone, tablet or computer when you visit a website. They store information about how you use the website, such as the pages you visit.

The law says that we can store cookies on your device if they are strictly necessary to make our website work. For all other types of cookies we need your permission before we can use them on your device.

We like to use analytics cookies which measure how you use our website and help us improve our service for future users but we only use these cookies if you say it's OK.

Read our cookie policy to find out more about the cookies we use and tell us if we can put analytics cookies on your device.

We sometimes use tools on other organisations' websites to collect data or to ask for feedback. These tools set their own cookies.

Social media

We use the following social media platforms to interact with our users:

• Twitter
• YouTube

How we collect and store your data

If you interact with us on social media, we may receive some personally identifiable data about you, which is supplied by the channel you are using (for example, Twitter or YouTube). This may include:

• your name
• social media handles (such as Twitter account name)
• location history (where you are contacting us from)
• images (such as your profile picture)

We will process and store your data in accordance with the terms and conditions and privacy policy of the platform in question. You should be aware that your use of these platforms is governed by the terms and conditions agreed between you and the platform, rather than with us.

We will not remove, duplicate or transfer your personal data from or between any of the social platforms that we use, except for when you give us explicit permission to do so or when we believe that we need to in order to respond to an urgent risk to health.

For example, if you interact with us in a way that raises serious concerns about your mental health, we may share your personal details with local NHS services to make sure that you are offered appropriate support.

You should be aware that social networks may control some of the data associated with interactions between you (the user) and us (the NHS digital service manual) on their platforms. For example, we will be able to delete our own records of a private message conversation if you ask us to do so, but social networks may store a copy of this conversation that we are unable to access.

We recommend using the privacy tools built into the social networks in question to make sure you are able to exercise your rights appropriately.

Understanding how social networks use your data

Social networks use information about your online activity to build a profile of you. This data is then used (anonymously) to send you targeted adverts across various digital platforms.

You should be aware that interacting with accounts such as ours may help build the profile of you that social networks maintain, and that could potentially result in you receiving adverts about related issues.

This process of collecting data for advertising purposes is not controlled by the NHS digital service manual, and we do not have access to the profiling data stored by social networks about you.

Keeping your personal data secure

We convert your data into secure code (encrypt it) and store it on secure servers in England. A partner organisation is providing hosting services but has no say in how the information is used. There are no legal ways for their employees to see the data. Only approved people in the NHS digital service manual team can see it.

If you shared your email with us as part of a survey, we will delete it after 2 years. At that point no one can identify you in the survey data.

Data sharing

NHS England may share anonymous information on how the service is used with the Department of Health and Social Care, integrated care boards (ICBs), and national governance groups.

Legal powers

When you give us personal information, we may pass it on if the law says we must.

If you make a claim against us, we and other third parties such as our solicitors may need to look at this information.

We will not share your personal information with anyone else without your permission for any other reason.

Your rights

You can:

• find out what information we hold about you, ask us to correct it if it's wrong, or delete it by emailing [email protected]
• contact the Information Commissioner's Office, Wycliffe House Water Lane, Wilmslow SK9 5AF if you want to make a complaint about how we have managed your data

NHS Digital (NHS England), 1 Trevelyan Square, Boar Lane, Leeds, LS1 6AE is the Data Controller for the NHS digital service manual under data protection legislation. We will process your data in line with data protection legislation.

Updated: April 2023

GOV.UK prototype kit privacy notice

This site has the following things similar to the NHS prototype kit:

• uses cookies to save session date for redirection
• is managed by a public sector department
• uses platforms to support contributions

It has these things different from the NHS prototype kit

• has analytics cookies
• has a mailing list

Privacy notice (GOV.UK prototype kit)

The GOV.UK Prototype Kit is provided by the Government Digital Service (GDS), which is part of the Cabinet Office. The data controller for GDS is the Cabinet Office — a data controller determines how and why personal data can be processed.

Read the Cabinet Office’s entry in the Data Protection Public Register for more information.

What data we collect from you

We collect certain information and data about you when you use the GOV.UK Prototype Kit.

We collect your user profile if you interact with us on collaboration tools and platforms

If you sign up to our mailing list, we’ll collect your:

• name
• email address and business contact details

Why we need your data

For a number of the activities that we undertake to complete our function, we need to process personal data. We collect certain personal data when you use the GOV.UK Prototype Kit.

We collect your data so that we can:

• tell you about work and updates on the Prototype Kit
• work with you on contributions, where you’ve proposed to add or improve part of the Prototype Kit
• support you, including both the provision of support and responses to user enquiries
• gather feedback, including gathering it to improve our services, and responding to it, if you have asked us to
  invite you to take part in user research

Our legal basis for processing your data

The legal basis for processing this data is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This is because the GOV.UK Prototype Kit brings together research, design and development from across government to make sure it’s representative and relevant for its users.

The legal basis for sending you updates through our mailing list is consent.

How long we keep your data

We will only keep your personal data for as long as:

• the law requires us to
• we need for the purposes listed above

This means that we will only hold your personal data for a minimum of 1 year and a maximum of 7 years.

If you have signed up to our mailing list, your email address will only be retained while you choose to remain on the list. At regular intervals we will draw your attention to your right to unsubscribe.

Where your data is processed and stored

We design, build and run our systems to make sure that your data is as safe as possible at any stage, both while it’s processed and when it’s stored.

Your personal data may be transferred outside the United Kingdom while being processed by GDS. If this happens, we’ll make sure you’re given the same level of technical and legal protection as you are within the United Kingdom.

Providers we use

As part of GOV.UK Prototype Kit we share your personal data with data processors who provide us with:

• software collaboration platforms when you share research, feedback or make a contribution
• mailing list providers when you sign up to receive emails from us
• support providers when you contact us for assistance
• web analytics services

We share a mailing list provider with the GOV.UK Design System. This means your data is part of the same system as the GOV.UK Design System mailing list.

View the GOV.UK Design System privacy notice.

We will not:

• sell or rent your data to third parties
• share your data with third parties for marketing purposes

We will share your data if we’re required to do so by law — for example, by court order, or to prevent fraud or other crime.

How we protect your data and keep it secure

We are committed to doing all that we can to keep your data secure. We set up systems and processes to prevent unauthorised access to or disclosure of the data we collect about you – for example, we protect your data using varying levels of encryption. All third parties that process personal data for GDS are required to keep that data secure.

Your rights

You have the right to request:

• information about how your personal data is processed
  a copy of that personal data
• that anything inaccurate in your personal data is corrected without undue delay

You can also:

• raise an objection about how your personal data is processed
• request that your personal data is erased if there is no longer a justification for it
• ask that the processing of your personal data is restricted in certain circumstances

If your personal data is processed on the basis of consent, you have the right to:

• withdraw consent to the processing of your personal data at any time
• request a copy of your personal data — this copy will be provided in a structured, commonly used and machine-readable format

Find out more information about your rights .

Questions and complaints

Contact the GDS Privacy Office if you:

• have any questions about anything in this document
  think that your personal data has been misused or mishandled
• want to make a subject access request (SAR)

The contact details for the data controller are: Cabinet Office (Government Digital Service), White Chapel Building, 10 Whitechapel High Street, London, E1 8QS, or [email protected].

The contact details for the data controller’s Data Protection Officer are: Stephen Jones, Data Protection Officer, Cabinet Office, 70 Whitehall, London, SW1A 2AS, or [email protected]>.

The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, or 0303 123 1113, or [email protected].

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Changes to this notice

We may change this privacy notice. When we make changes to this notice, the ‘last updated’ date at the bottom of this page will also change. Any changes to this privacy notice will apply to you and your data immediately. If these changes affect how your personal data is processed, GDS will take reasonable steps to make sure you know.

Last updated: 12 September 2022

[vickytnz]

Suggested page based on combining both with key points:

• we do not have analytics cookies - they are required cookies only to make the document site work
• we do not have a mailing list
• we do not capture analytics data when people install the kit
• we do manage things using Github (like the GOV.UK Prototype Kit)

Your privacy (NHS prototype kit)

Your privacy is important to us. This privacy policy covers what we collect and how we use, share and store your information.

This page tells you:

• about the information we may collect
• how we keep your data secure
• who we share your data with
• about your rights to see or change information we hold about you

Information we may collect

You can leave feedback on some pages of the website or on a user survey. You can choose to share your email address if you want a reply. Otherwise, we collect and store feedback anonymously

Cookies

Our website uses cookies. These are small files saved on your phone, tablet or computer when you visit a website. They store information about how you use the website, such as the pages you visit.

The law says that we can store cookies on your device if they are strictly necessary to make our website work. For all other types of cookies we need your permission before we can use them on your device.

Read our cookie policy to find out more about the cookies we use.

We sometimes use tools on other organisations' websites to collect data or to ask for feedback. These tools set their own cookies.

Why we need your data

For a number of the activities that we undertake to complete our function, we need to process personal data. We collect certain personal data when you use the NHS prototype kit.

We collect your data so that we can:

• tell you about work and updates on the kit
• work with you on contributions, where you’ve proposed to add or improve part of the kit
• support you, including both the provision of support and responses to user enquiries
• gather feedback, including gathering it to improve our services, and responding to it, if you have asked us to
  invite you to take part in user research

We collect your user profile if you interact with us on collaboration tools and platforms.

Keeping your personal data secure

We convert your data into secure code (encrypt it) and store it on secure servers in England. A partner organisation is providing hosting services but has no say in how the information is used. There are no legal ways for their employees to see the data. Only approved people in the NHS digital service manual team can see it.

If you shared your email with us as part of a survey, we will delete it after 2 years. At that point no one can identify you in the survey data.

Data sharing

As part of NHS prototype kit we share your personal data with data processors who provide us with:

• software collaboration platforms when you share research, feedback or make a contribution
• support providers when you contact us for assistance

NHS England may share anonymous information on how the service is used with the Department of Health and Social Care, integrated care boards (ICBs), and national governance groups.

Legal powers

When you give us personal information, we may pass it on if the law says we must.

If you make a claim against us, we and other third parties such as our solicitors may need to look at this information.

We will not share your personal information with anyone else without your permission for any other reason.

Your rights

You can:

• find out what information we hold about you, ask us to correct it if it's wrong, or delete it by emailing [email protected]
• contact the Information Commissioner's Office, Wycliffe House Water Lane, Wilmslow SK9 5AF if you want to make a complaint about how we have managed your data

NHS Digital (NHS England), 1 Trevelyan Square, Boar Lane, Leeds, LS1 6AE is the Data Controller for the NHS digital service manual under data protection legislation. We will process your data in line with data protection legislation.

Updated: November 2024

[vickytnz]

Added:

• link in footer to privacy page
• privacy page

This is based on the service manual privacy review but probably also needs a legal review.

[sarawilcox]

Hi @vickytnz, thanks for doing this. It looks good to me. I'm going to see if I can find a legal person to review it.

The only 2 things I think we need to update are:

• the ICO's office - it's probably best if people make a complaint to them online now at https://ico.org.uk/make-a-complaint/data-protection-complaints/. I can't find their postal address.
• NHSD (NHSE) - we should probably just say that NHSE is the Data Controller, not mentioning NHSD. According to NHSE's website, the address is: NHS England, PO Box 16738, Redditch, B97 9PT.

[sarawilcox]

Policy doc sent to legal. I've asked them to get back to us by mid-January.

[sarawilcox]

I've been asked to get IG approval so I've sent it to the PTT team.