Privacy Statement
Date Updated: February 2025
Contact: D2S Security Team
Version Control
Author | Version | Description | Date |
---|---|---|---|
Paul Williams | 0.2 | Draft | January 2025 |
Paul Williams | 1.0 | Initial release | February 2025 |
Introduction
This Privacy Policy provides details of the way in which D2S processes and protects Personal Data.
Personal Data must be processed in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679) and UK Data Protection Act 2018 (together the “Data Protection Regulations”).
The Privacy Policy defines specific duties and responsibilities regarding the protection of Personal Data and the provision of information to those affected.
D2S endeavours to handle all such Personal Data appropriately, with due care and in accordance with Data Protection Regulations.
It does so in line with MOD policies, including: https://www.gov.uk/government/publications/ministry-of-defence-privacy-notice/.
Reference should also be made to the D2S Legal & Regulatory Plan.
Responsibilities for managing Personal Data
Where D2S controls Personal Data (by deciding why and how that Personal Data is processed), D2S will be the Data Controller.
Any entity that processes Personal Data controlled by D2S, and does so on behalf of D2S, is a Data Processor.
Data Processors may include third party service providers engaged by D2S. When D2S appoints a Data Processor, D2S must ensure that appropriate contractual protections are in place between D2S and such Data Processor.
Application teams developing and operating on D2S are the Data Controller for the Personal Data used by the application.
Purposes of Processing Personal Data
D2S only Processes Personal Data for the purpose(s) for which it is collected. These purposes should be specified and individuals informed at the point of collection.
D2S collects Personal Data in the following circumstances:
- When individuals enquire about D2S services
- When users onboard to the service via the D2S Portal
- When individuals or others submit information while requesting D2S Services, including through use of the Digital Foundry Support Centre and D2S-provided tooling such as Slack, Google Workspace, etc.
- When individuals or teams join D2S events online or in person
Legal Basis for Processing Personal Data
D2S only Processes Personal Data if it has legitimate grounds under Data Protection Regulations to do so.
Examples of some of the more commonly relied upon legal bases for processing of Personal Data are:
- It is in the public interest to do so; or for official purposes; or in the exercise of a function of the Crown, a minister of the Crown, or GLD as a government department
- It is necessary for the purposes of the legitimate interests pursued by D2S or by a third party
- There is a need to comply with a legal obligation
- It is necessary for performing a contract
- D2S has informed consent
Where D2S processes Personal Data outside of the scope of Section 3, affected individuals will be consulted beforehand.
Types of Personal Data Processed by D2S
Personnel and Contractors
D2S collects and otherwise Processes Personal Data in relation to its personnel, contractors engaged by D2S, as well as former personnel and former contractors.
Such Personal Data could include but is not restricted to:
- Name and title
- Usernames
- Telephone numbers
- Corporate email addresses
- Dates of birth
- Gender
Suppliers and Customers
D2S may collect and otherwise process Personal Data in relation to its Suppliers and Customers who are individuals. The types of Personal Data that may be processed are outlined within Annex II.
Third Party Data Processors
D2S operates using Google Workspace, which aligns with Google’s Data Processing Amendment (DPA). This means that Google acts as a processor of the D2S personal data that is submitted, stored, sent, or received by D2S via Google Workspace services. Google only processes personal data according to, and within the restrictions of, the agreement with D2S.
If Personally Identifiable Information (PII) is stored within Google Drive, it is the user's responsibility to manage the risk and disposal of that data.
Other D2S SaaS tools are also used and act as Data Processors:
- Slack
- Atlassian (Jira, Confluence, JSM, Trello)
- Conceptboard
- Figma
GitHub is not a Data Processor, as users create their own accounts, which are associated with the Defence Digital GitHub Organisation.
Special Categories of Personal Data
D2S does not process Special Categories of Personal Data such as health or Protected Categories such as ethnicity or religious beliefs.
Application Teams using the D2S Service may store Special Categories of Personal Data for their own service and will therefore need to ensure their own adherence to Data Protection Regulations and meet relevant MOD assurance requirements.
Data Subject Rights
Individuals have certain rights under Data Protection Regulations, as outlined below. Requests in accordance with an individual's rights should be made in writing to the D2S Service Owner; however, any Crown representative can be requested to provide information. Individuals receiving requests under this section should seek advice from MOD’s Data Protection team prior to processing requests.
Request access to your personal information
An individual can apply to D2S requesting a summary and a copy of their Personal Data.
Request for correction of the personal information held
An individual can request that D2S correct information held if it is inaccurate or incomplete.
Request erasure of personal information
An individual can request D2S to delete or remove personal information.
Objection by the Data Subject
An individual can object to the processing of their Personal Data if D2S is relying on “legitimate interest” to process it.
For more information on an individual’s rights, refer to the MOD Privacy Notice (https://www.gov.uk/government/publications/ministry-of-defence-privacy-notice/).
Disclosing Personal Data to Third Parties
From time to time, D2S may disclose Personal Data to third parties, or allow third parties to access Personal Data processed by D2S.
All third party service providers are required to take appropriate security measures to protect personal information in line with D2S policies. D2S does not allow third party service providers to use personal data for their own purposes. D2S only permits them to process personal data for specified purposes and in accordance with D2S defined instructions.
Data Retention
D2S will keep Personal Data only for as long as the retention of such Data is necessary.
Retention periods for Personal Data followed by D2S align with the Defence records management policy and procedures, specified in JSP 441.
The D2S SaaS Data Retention Policy specifies how data is retained within the SaaS tooling operated by D2S.
Roles and Responsibilities
As a Data Controller, D2S is responsible for the Processing of Personal Data.
While the Defence Digital CIO has overall responsibility for D2S’ compliance with Data Protection Regulations, this is also the responsibility of the MOD Data Protection Officer.
All D2S personnel must comply with the most up to date version of this Privacy Policy, as published from time to time.
Complaints Procedure
Individuals can raise a query or make a complaint about compliance with this Privacy Policy and/or the Processing of their Personal Data by contacting the MOD Data Protection Officer at cio-dpa@mod.gov.uk. The MOD will acknowledge a complaint within 7 working days and send a full response within 1 month.
Annex I - Glossary of Terms
In this Privacy Policy, the terms below have the following meaning:
Data Protection Regulations means the General Data Protection Regulation (Regulation (EU) 2016/679) and UK Data Protection Act 2018.
Data Controller means an entity that controls Personal Data by deciding why and how the Personal Data is Processed.
Data Processor means an entity that Processes Personal Data on behalf of the Data Controller. A Data Processor may include service providers.
Data Subject means the living individual to whom the Personal Data relates.
Personal Data is any information relating to a living individual which allows the identification of that individual. Personal Data can include a name, an identification number, details about an individual’s location, or any other detail(s) that is specific to that individual.
Processing includes collecting, using, recording, organising, altering, disclosing, destroying, or holding Personal Data in any way. Processing can be done either manually or by using automated systems such as information technology systems and “Process”, “Processing”, and “Processes” shall be interpreted accordingly.
Special Categories of Personal Data are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data can also include the Processing of genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation, and any Personal Data relating to criminal convictions or offences.
Annex II - Types of Personal Data
This Annex contains additional information in respect of the types of Personal Data that D2S or application teams using D2S may process.
Personal Data Processed
- Personal contact information, for example: name, title, addresses, telephone numbers, and personal email addresses
- Dates of birth, marriage, and divorce
- Gender
- Start date, leaving date
- Location of employment or workplace
- Recruitment information (including copies of right to work documentation, references, and other information included in a CV or cover letter or as part of the application process)
- Secondary employment and volunteering information
- Information about use of D2S information and communications systems
- Sounds or visual images (for example, photographs, videos)
- Evidence of how nationality requirements are met and confirmation of security clearance. This can include passport details, nationality details, and information about convictions/allegations of criminal behaviour
Special Categories of Personal Data Processed
- Information about race or ethnicity, religious beliefs, sexual orientation, and political opinions
- Trade union membership
- Information about health, including any medical condition, health and sickness records. This may also include the health records of other family members
- Genetic information and biometric data (including physical identifiers such as DNA, fingerprints, all other iris scanning data, and other genetic samples)
- Information about criminal convictions/allegations and offences
Annex III - D2S Privacy Statement - Short Version
Your privacy is important to D2S. This privacy statement explains what Personal Data D2S collects, how it is used, and your rights regarding your data.
- Data Collection: D2S collects Personal Data such as your name, email address, and any other information you, or others on your behalf, provide directly to us.
- Data Usage: D2S uses your data to provide and improve our services, communicate with you, and comply with legal obligations.
- Data Sharing: D2S does not share Personal Data with third parties except as necessary to provide our services or comply with legal requirements.
- Data Security: We implement appropriate technical and organisational measures to protect your Personal Data from unauthorised access, use, or disclosure.
- Your Rights: You have the right to access, correct, or delete your Personal Data. You can also object to or restrict our processing of your data.
- Contact Us: If you have any questions or concerns about this privacy statement or our data practices, please contact us at: UKStratComDD-Foundry-DSO-Engage@mod.gov.uk