Privacy notice

Last updated: 18 June 2019

Who we are

GOV.UK Verify is built and run by the Government Digital Service (GDS), which is part of the Cabinet Office.

GOV.UK Verify allows you to prove your identity when using digital government services, like the service you use to sign in and file your Self Assessment tax return.

GOV.UK Verify has now been extended to comply with the eIDAS regulation, which lets users with digital identities from some EU countries access government services in the UK. It also lets users who have proved their identity with GOV.UK Verify access services in some EU countries.

This privacy notice explains what data we might collect, how it’s used and how it’s protected.

What data we collect

We process information about you when you use GOV.UK Verify. This may include any of the following.

How personal data is used when signing in with GOV.UK Verify

GOV.UK Verify provides a ‘hub’ between services and companies which verify users’ identities on behalf of the government. These are known as ‘certified companies’. They have met government and industry standards to provide identity assurance services as part of GOV.UK Verify.

After you’ve been verified by a company, they will send your personal data to the hub. The hub will then send it to the government service that you want to use.

This personal data might include your:

  1. name (including previous names)
  2. address (which may include previous addresses)
  3. date of birth
  4. age (range)
  5. gender (optional)
  6. IP address
  7. personal identifier (PID)

How personal data is used when signing in with a digital identity from another EU country

After your digital identity from another EU country has been authenticated, we’ll collect your personal data and pass it on to the government service that you want to use. We do this to help you to transact securely with government services.

This personal data might include your:

  1. family name
  2. first name
  3. date of birth
  4. personal identifier (PID)

How personal data is used when signing in with GOV.UK Verify to access services across EU Member States

After your digital identity from GOV.UK Verify has been authenticated, we’ll send your personal data to the services across the EU Member States that you want to use.

This personal data might include your:

  1. family name
  2. first name
  3. date of birth
  4. personal identifier (PID)

User support questions and feedback

We process questions or feedback you send to user support, including your name and email address, details of your query, and what we’ve done to help.

Technical information

We might automatically collect other non-personal information like:

  1. your IP address (this could be a static or dynamic IP address and will sometimes point to a specific computer or device)
  2. which browser and operating system you’re using
  3. how long you’ve spent on a particular page
  4. which website you came from
  5. which website you went to next

This information helps us understand how you use GOV.UK Verify. We use it to find out ways we can improve GOV.UK Verify to make sure it works for the people who need it.

Cookies and analytics

You can read our full cookie notice to find out how we use cookies.

What we do with your data

We might share the data we collect with:

  1. other government departments and agencies
  2. the company who verified your identity
  3. other public bodies

We process some personal data to help prevent fraud in government services. We do this to make sure GOV.UK Verify meets the UK government’s identity standards.

We will not:

  1. sell or rent your data to third parties
  2. share your data with third parties for marketing purposes

We will share your data if we’re required to do so by law, for example by court order, or to prevent fraud or other crime.

How long we keep your data for

We will only retain your personal data for as long as:

  1. the law requires us to
  2. we need to provide this service

Certified companies, digital identity schemes in other European countries and government organisations

Cabinet Office is the data controller for the data processed by GOV.UK Verify. Where these pages link out to services provided by other government organisations, digital identity schemes in other EU countries and companies that we partner with, their own privacy policies will apply. These are managed by each service provider and they are the data controllers for the data they collect. These purposes are not described in this privacy notice. Read their privacy policies to find out how they process your data and how to exercise your rights around how they do it.

A data controller determines how and why personal data is processed. For more information, read the Cabinet Office’s entry in the Data Protection Public Register.

Where your data is stored

GOV.UK Verify processes your personal data in the European Economic Area (EEA).

Your rights

You have the right to request:

  1. information about how your personal data is processed and to request a copy of the personal data you’ve given to us
  2. that any inaccuracies about your personal data be corrected without delay
  3. that any incomplete personal data is completed, including by means of a supplementary statement
  4. that your personal data is erased if there is no longer a justification for us to hold it
  5. that the processing of your personal data is restricted in certain circumstances, for example when accuracy is contested

If your personal data is processed on the basis of consent, then you have the right to withdraw your consent at any time.

GOV.UK Verify is one of the services on GOV.UK and has links to other websites.

This privacy notice only applies to GOV.UK Verify and doesn’t cover other government services and transactions that we link to.

Identity Assurance Principles when signing in with GOV.UK Verify

GOV.UK Verify has been designed to comply with the Identity Assurance Principles prepared by the Cabinet Office Privacy and Consumer Advisory Group.

You can also find more detailed information about the service on the GOV.UK Verify blog.

Children’s privacy protection

We understand the importance of protecting children’s privacy online. GOV.UK Verify is not designed for, or intentionally targeted at, children that are 13 years of age or younger. It is not our policy to intentionally collect or maintain data about anyone under the age of 13.

How we protect your data and keep it secure

We’re committed to doing all that we can to keep your data secure. To prevent unauthorised access or disclosure we have put in place technical and organisational procedures to secure the data we collect about you. For example, we protect your data using varying levels of encryption.

We also make sure that any third parties that we deal with have an obligation to keep all personal data they process on our behalf secure.

Changes to this notice

We may change this privacy notice. In that case, the ‘last updated’ date at the bottom of this page will change. Any changes to this privacy notice will apply to you and your data as of that date.

We encourage you to review this privacy notice regularly to stay informed about how we are protecting your data.

How to contact us or make a complaint

You can contact the Verify Privacy Team at if you:

  1. have a question about anything in the privacy notice
  2. think that your personal data has been misused or mishandled

You can also contact the Cabinet Office Data Protection Officer (DPO) at

Or by post at:

Data Protection Officer
Cabinet Office
70 Whitehall
London SW1A 2AS

The DPO provides independent advice and monitoring of our use of personal information.

You can make a complaint to the Information Commissioner’s Office (ICO), who is an independent regulator.

Telephone: 0303 123 1113
Textphone: 01625 545 860
Monday to Friday, from 9 am to 4:30 pm

Find out about call charges.

Information Commissioner’s Office
Wycliffe House
Water Lane
Cheshire SK9 5AF