GCHQ Privacy Notice
- This Privacy Notice sets out how the Government Communications Headquarters (GCHQ) processes personal data and the rights individuals have under the data protection legislation within which GCHQ operates. NCSC (the National Cyber Security Centre) is a part of GCHQ and is covered by this Notice.
- GCHQ's processing of personal data is subject to the Data Protection Act 2018 (DPA 2018) Part 4 (Intelligence Services processing) and not the EU General Data Protection Regulation (GDPR). Part 4 of the DPA 2018 establishes separate requirements for data processing by the Intelligence Services. As such, the information we provide in this Notice and the rights available under Part 4 will differ from the information and rights available to individuals in respect of organisations that are subject to the GDPR.
- GCHQ's contact details are set out at the end of this Notice.
Legal basis and purposes for processing personal data
- GCHQ - along with SIS and MI5 - is one of the UK Intelligence Services. The way in which we operate and function is governed by a series of legislative measures (our governing statutory framework): namely the Intelligence Services Act 1994 (ISA 1994), Regulation of Investigatory Powers Act 2000 (RIPA 2000), Investigatory Powers Act 2016 (IPA 2016) and the Human Rights Act 1998 (HRA 1998).
- The legal basis governing our processing of personal data is set out in Part 4, Schedule 9 and (if required) Schedule 10 of the DPA 2018; this would normally be in accordance with paragraphs 5 (c), (d), or (e), and/or paragraph 6 (1) of Schedule 9. The DPA also allows for certain exemptions to safeguard National Security, in accordance with Part 4, and reflects the highly classified nature of much of our work.
- The purposes for which we process personal data are determined in accordance with our statutory function, as set out in ISA 1994.
What categories of personal data do we process and why?
- The personal data that we process may be received in connection with the general work that we do (pursuant to our statutory functions under ISA 1994), including data received in the course of our purchasing, personnel / human resources and recruitment activities, and the normal administration of a government department. Personal data may be received by us in a number of ways. For example:
- Individuals may contact GCHQ directly;
- Individuals may wish to attend one of our conferences or other events;
- Individuals may apply for a job with us;
- Individuals may visit our premises;
- We may purchase goods or services from a supplier.
- We have CCTV coverage of our sites and may monitor activity in the vicinity for security reasons.
How long do we keep personal data?
- We keep personal data only for as long as it is necessary for us to do so for the purposes for which the data is processed, and in accordance with the strict requirements imposed by ISA 1994, RIPA 2000, IPA 2016 and the Public Records Act 1958.
Sharing personal data
- As an intelligence service, we may share personal data that we receive with others or transfer it outside the UK, but only where this is lawful because it is necessary and proportionate for the proper discharge of our statutory functions.
- As data controllers, we may also use third parties who provide various services to us to process personal data on our behalf. Such data processors are only permitted to process personal data in accordance with our instructions. They are required to hold it securely and retain it only for the period we specify. We will only use data processors who will handle data in accordance with the requirements of Part 4 of the DPA 2018.
- We sometimes share responsibility for processing data with one or both of the other Intelligence Services. In such cases, we will be a "joint data controller" with the other service(s) in accordance with Part 4 of the DPA.
- We would only share an individual's information with third parties for direct marketing purposes where we have that individual's agreement to do so.
Individuals' data protection rights
- Under the data protection legislation, individuals have certain rights over their personal data, as outlined in DPA 2018 Part 4. These rights will be subject to the exemptions in the DPA 2018, which apply where this is required to safeguard national security. This means that some of the rights outlined below will not apply where it is necessary to safeguard National Security.
- The right of access (also known as a subject access request) provides that data subjects have the right to ask for copies of their personal data. We make a £10 charge for each request.
- Automated decision making. Data subjects have the right to object to any decisions that have affected them significantly, if they consider these decisions to have been made without any meaningful human input.
- The right to object to processing provides that individuals have the right to ask us to restrict the processing of their personal data in certain circumstances.
- The right to rectification and erasure - individuals have the right to ask us to rectify or delete personal data that they think is inaccurate.
- In order to exercise the rights listed above (but subject to the exemption for safeguarding National Security) individuals should contact us at the address below.
- If an individual feels we haven't handled their personal data appropriately or wishes to lodge a complaint, they can contact the Information Commissioner's Office at the address provided below.
- To contact GCHQ about any aspect of our data protection policy please write or email to:
Data Protection Officer
Mail Drop 13
- To contact the Information Commissioner's Office:
The Office of the Information Commissioner
Telephone: 0303 123 1113
Online contact forms: https://ico.org.uk/global/contact-us/email/
We collect certain information or data about you when you use www.gchq.gov.uk.
- questions, queries or feedback you leave, including your email address if you send an email to our website
- your IP address from which you access our website, and details of which version of web browser and operating system you used
- the date and time of your visit
- clickstream data, which is information on how you use our website, using cookies and page tagging techniques to help us improve our website
- the website address of the website from which you accessed our website
- details to allow you to access government services and transactions, e.g. an email address (you’ll always be told when this information is being collected, and it will only be used for the purpose you provide it for)
This helps us to:
- improve our website by monitoring how you use it
- respond to any feedback you send us, if you’ve asked us to
Unless you voluntarily submit personal information to us (for example, by completing the Contact us form), we can’t personally identify you using your data.
Where your data is stored
We store your data on secure servers in the Republic of Ireland.
Your data can only be viewed by our staff or our suppliers.
By submitting your personal data, you agree to this.
Keeping your data secure and disclosing your information
Transmitting information over the internet is generally not completely secure, and we can’t guarantee the security of your data.
Any data you transmit to us is at your own risk.
We have procedures and security features in place to exercise due diligence in keeping your data secure once we receive it.
Links to other websites
Following a link to another website
Following a link to our website from another website