Privacy notice

Last updated: 22 October 2019

Who we are

GOV.UK Verify is built and run by the Government Digital Service (GDS), which is part of the Cabinet Office.

GOV.UK Verify allows you to prove your identity when using digital government services, like the service you use to file your Self Assessment tax return.

GOV.UK Verify also meets the eIDAS regulation, which lets users with digital identities from some EU countries access government services in the UK. It also lets users who have proved their identity with GOV.UK Verify access services in some EU countries.

GOV.UK Verify has been designed to meet the Identity Assurance Principles, written by the Cabinet Office Privacy and Consumer Advisory Group.

You can find more detailed information about GOV.UK Verify on the GOV.UK Verify blog.

This privacy notice explains what data we might collect, how it's used and how it's protected.

What data we collect

We collect personal data from you when you:

  1. sign in to a service with GOV.UK Verify
  2. sign in to a service with a digital identity from an EU country
  3. send us questions or feedback

When you sign in with GOV.UK Verify

GOV.UK Verify provides a 'hub' between services and companies that prove users' identities on behalf of the government. These companies have met government and industry standards to check and prove users' identities as part of GOV.UK Verify.

After the company proves your identity, they send limited personal data they collect to the hub. The hub will then send it to the service you want to use.

This personal data might include your:

  1. name (including any previous names)
  2. address (including any previous addresses)
  3. date of birth
  4. age range
  5. gender (this is usually optional)
  6. IP address
  7. persistent identifier (PID) - this is given to you by the company that proved your identity

If you use GOV.UK Verify to sign in to a service in an EU country, the hub will send limited personal data it collects to the service you want to use.

This personal data might include your:

  1. family name
  2. first name
  3. date of birth
  4. PID

When you sign in with a digital identity from an EU country

After you've signed in, we'll collect your personal data and send it to the government service that you want to use. We do this to help protect your identity when you use government services.

This personal data might include your:

  1. family name
  2. first name
  3. date of birth
  4. PID

When you send us a question or feedback

We keep any questions or feedback you send about GOV.UK Verify, as well as details about what we've done to help. We'll also keep some personal data, such as your name and email address.

Cookies and analytics

We use Matomo to collect information about how you use GOV.UK Verify.

Matomo stores information about:

  1. which pages you visit
  2. how long you spend on each page
  3. how you got to the site
  4. what you click on while you're visiting the site

We also use Google Analytics to share this information within GDS. This information helps us to improve UK government digital services. It is anonymised before we process it.

We do not store your personal data (such as your name or address) on our analytics system or share it with Google Analytics. We make sure this information is not used, or combined with other datasets, to identify who you are.

GOV.UK Verify puts small files (known as 'cookies') onto your computer. Read our full cookie notice to find out how we use cookies.

To protect GOV.UK Verify from crime and fraud, we might sometimes share your personal data with:

  1. law enforcement agencies
  2. public sector organisations, for example the Cabinet Office, Home Office and others
  3. relevant private sector organisations

This personal data might include your:

  1. family name
  2. first name
  3. date of birth
  4. PID
  5. phone number
  6. biometric information
  7. email addresses
  8. address

What we do with your data

We might share the data we collect with:

  1. other government departments and agencies
  2. the company who verified your identity
  3. other public bodies

We will not:

  1. sell your data to third parties
  2. share your data with third parties for marketing purposes

The legal basis for processing your personal data is that it's necessary to perform a task in the public interest.

Sometimes, you will need to give your consent before any personal data is processed. In that case, you have the right to withdraw your consent at any time.

How long we keep your data for

We will only keep your personal data for as long as:

  1. it's needed for the purposes set out in this privacy notice
  2. the law requires us to

Who controls your data

Cabinet Office is the data controller for the data processed by GOV.UK Verify. A data controller determines how and why personal data is processed. For more information, read the Cabinet Office's entry in the Data Protection Public Register.

Where your data is stored

GOV.UK Verify stores your personal data in the European Economic Area (EEA).

Your rights

You have the right to request:

  1. information about how your personal data is processed
  2. a copy of any personal data you've given to us
  3. that anything inaccurate in your personal data is corrected immediately
  4. that any incomplete personal data is completed - you can do this by sending us a 'supplementary statement' that explains what's wrong with the data we've collected
  5. that your personal data is deleted if there's no longer a reason for us to hold it
  6. that the processing of your personal data is restricted in certain circumstances, for example if we've collected inaccurate information

GOV.UK Verify is one of the services on GOV.UK and has links to other websites.

This privacy notice only applies to GOV.UK Verify and doesn't cover other government services, companies or digital identity schemes that we link to. Read their own terms and conditions, privacy policies and data controllers if you want to find out how they process your personal data.

Children's privacy protection

We understand the importance of protecting children's privacy online. GOV.UK Verify is not designed for or intentionally targeted at children that are 13 or younger. We will not intentionally collect or keep data about anyone under the age of 13.

How we protect your data and keep it secure

We're committed to doing all that we can to keep your data secure. We have set up systems and processes to prevent unauthorised access or disclosure of your data. For example, we protect your data using varying levels of encryption.

We also make sure that any third parties that we deal with have an obligation to keep all personal data they process on our behalf secure.

Changes to this notice

We may change this privacy notice. In that case, the 'last updated' date at the bottom of this page will change. Any changes to this privacy notice will apply to you and your data as of that date.

We encourage you to review this privacy notice regularly to find out how we are protecting your data.

Contact us or make a complaint

You can contact the GOV.UK Verify Privacy Team at verify-privacy@digital.cabinet-office.gov.uk if you:

  1. have a question about anything in the privacy notice
  2. think that your personal data has been misused or mishandled

Contact an independent body

You can contact the Cabinet Office Data Protection Officer (DPO), which provides independent advice and monitoring of our use of personal data.

Cabinet Office Data Protection Officer
DPO@cabinetoffice.gov.uk

Data Protection Officer
Cabinet Office
70 Whitehall
London
SW1A 2AS

You can also make a complaint to the Information Commissioner's Office (ICO), who is an independent regulator.

ICO
casework@ico.org.uk
Telephone: 0303 123 1113
Textphone: 01625 545 860
Monday to Friday, from 9am to 4:30pm

Find out about call charges

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF