DSIT privacy notice: cyber security breaches survey 2025
Updated 3 September 2024
© Crown copyright 2024
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: [email protected].
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at /government/publications/cyber-security-breaches-survey/dcms-privacy-notice-for-the-cyber-security-breaches-survey-2023
This notice sets out how we will process your personal data, and your rights. It is made under Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR).ÌýÌý
Cyber security breaches survey 2025, which surveys businesses and charities about their cyber security, is conducted by Ipsos Ltd. (Ipsos) on behalf of the Department for Science, Innovation and Technology (DSIT) and the Home Office (HO).Ìý
DSIT, HO and Ipsos act as the joint controllers of this survey, which is jointly commissioned by DSIT and HO. Ipsos has provided their own , to explain how they processes your personal data.
For the purposes of this survey, Ipsos will not share or transfer any of your personal data to DSIT and/or HO.Ìý
1. Your dataÌý
Where personal data has not been obtained from the data subjectÌýÌý
For charities based in Scotland that are contacted for this survey, personal data was obtained by DSIT from the Office of the Scottish Charities (OSCR), and provided to Ipsos for the purposes of inviting you to participate in this survey.ÌýDSIT and/or HO processed your personal data through a duly managed transfer request, from OSCR directly to Ipsos.
All other processing of personal data for this survey will be done by Ipsos. Ipsos will then provide DSIT and/or HO with completely anonymised notes and reports.ÌýÌýÌý
Ipsos will provide DSIT and/or HO with an anonymous data file of survey responses to allow for analysis and quality assurance of the results. This anonymous file may be made available to other approved government departments, partner organisations or researchers for statistical research purposes only.Ìý
Ipsos privacy noticeÌýÌý
Ipsos is the processor of the data and has provided their own .ÌýÌý
The Ipsos privacy notice explains:
- the purpose of the survey
- how they process your personal data
- their legal basis for processing
- who they may share your data with
- who they may transfer your personal data to
- how long they may retain your personal dataÌý
2. ±Ê³Ü°ù±è´Ç²õ±ðÌý
The purpose(s) for which we are processing your personal data is:ÌýÌý
- to allow our contracted partner, Ipsos, to invite you to participate in this cyber security breaches survey
3. Legal basis of processingÌýÌý
The legal basis for processing your personal data under Article 6 of the UK GDPR is:ÌýÌý
1(e)Public task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller, which entails understanding the cyber attacks and cyber crimes experienced by UK businesses, charities and educational institutions, and their policies, processes and approach to cyber security.Ìý
4. ¸é±ð³¦¾±±è¾±±ð²Ô³Ù²õÌý
Your personal data will not be shared directly with DSIT and/or HO.ÌýÌý
Details are provided in .
5. ¸é±ð³Ù±ð²Ô³Ù¾±´Ç²ÔÌýÌý
Your personal data will be transferred directly by OSCR to Ipsos and will not be retained by DSIT and/or HO.Ìý
6. Automated decision makingÌý
Your personal data will not be subject to automated decision making.ÌýÌý
7. International transfersÌýÌý
Your personal data will be processed in the UK.Ìý
8. Your rightsÌý
You have the right to request information about how your personal data are processed, and to request a copy of that personal data.ÌýÌý
You have the right to request that any inaccuracies in your personal data are rectified without delay.ÌýÌý
You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement.ÌýÌý
You have the right to request that your personal data are erased if there is no longer a justification for them to be processed.ÌýÌý
You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.ÌýÌý
You have the right to object to the processing of your personal data.Ìý
9. Contact detailsÌý
You can contact the DSIT data protection officer at:ÌýÌý
DSIT data protection officer Ìý
Department for Science, Innovation &Technology Ìý
22-26 Whitehall Ìý
London Ìý
SW1A 2EGÌý
Email: [email protected]Ìý
If you are unhappy with the way we have handled your personal data, please write to the department’s data protection officer in the first instance using the contact details above.ÌýÌý
10. ComplaintsÌý
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an UK independent regulator.Ìý The Information Commissioner can be contacted at:ÌýÌý
Information Commissioner’s OfficeÌý
Wycliffe HouseÌý
Water LaneÌý
WilmslowÌý
CheshireÌý
SK9 5AFÌý
Telephone: 0303 123 1113Ìý
ÌýÌý
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.ÌýÌý
11. Updates to this noticeÌý
If this privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it, and under what circumstances we will share it with other parties. The ‘last updatedâ€� date at the bottom of this page will also change.Ìý
If these changes affect how your personal data is processed, we will take reasonable steps to let you know.Ìý
Last updated: 31 July 2024