Privacy notice

The National Cyber Security Centre (NCSC) is a part of the Government Communications Headquarters (GCHQ). The NCSC is covered by and processes personal data in accordance with the GCHQ privacy notice that can be found on the GCHQ website.

In addition to the overarching GCHQ privacy notice, further information about how the NCSC processes personal data can be found below.

Privacy Notice for the NCSC website

The NCSC collects certain information or data (such as that listed below) about individuals where they use the www.ncsc.gov.uk website or other websites operated by or on behalf of the NCSC (together, the “Websites”).

This Website Privacy Notice applies in addition to the GCHQ External Privacy Notice to individuals who use the Websites and/or email us using an email address listed on the Websites.

The data that the NCSC may collect when you use the Websites includes:

• questions, queries, feedback or responses to surveys that individuals provide, including email addresses if an email is sent to an address listed on one or more of the Websites
• information sent to us via email
• information entered when using search facilities on the Websites
• IP addresses from which an individual accesses the Websites, and details of which version of web browser and operating system were used
• the date and time of visits to the Websites
• clickstream data, which is information on how individuals use the Websites, using cookies and page tagging techniques
• the address of the website from which individuals are directed to our Websites
• information that may be submitted to us anonymously where users of our Websites are not signed into our Websites

The NCSC uses and processes this data to enable it to carry out its statutory functions, including but not limited to the following purposes:

• responding to any feedback sent to us
• operating and enhancing the Websites
• the purposes for which such data was sent to us
• exercising our statutory functions

Further information about our statutory functions can be found in the GCHQ External Privacy Notice.

When you visit the Websites we may collect personal data from you using cookies. How we use cookies is set out in our Cookies Policy. 

Further to Part 4 and Schedule 9 of the Data Protection Act 2018 (the ‘DPA’), the NCSC’s lawful basis for processing personal data that is collected when individuals use the Websites is that such processing is necessary:

• for the exercise of functions conferred on it by statute (DPA Schedule 9, paragraph 5(c)
• for the exercise of the functions of a government department (DPA Schedule 9, paragraph 5(d)
• for the purposes of legitimate interests pursued by the NCSC (DPA Schedule 9, paragraph 6(1)

The NCSC will only retain an individual’s personal data for as long as it is necessary for the purposes set out in this Website Privacy Notice and for as long as the law requires us to. 

Transmitting information over the internet is generally not completely secure, and the NCSC cannot guarantee the security of an individual’s data. Any data an individual transmits to the NCSC is sent at their own risk.

The NCSC does however have procedures and security features in place to keep data secure once we receive it.

Where the NCSC uses third parties to process personal data it has arrangements in place to make sure that any such third parties keep personal data secure and only process it in accordance with its instructions.

The NCSC won’t share an individual’s information with any other organisations for marketing, market research or commercial purposes.

The NCSC works with various government departments, law enforcement bodies, and other organisations and may share personal data with these bodies where doing so complies with the law and is necessary and proportionate for the proper discharge of our statutory functions. For example, where you report something to us that suggests suspicious activity, we may pass this to law enforcement partners.

Our Websites may contain links to and from other websites. This privacy notice only applies to our Websites. 

If an individual goes to another website from the Websites, including any websites (including government websites) that the NCSC links to, they should read the privacy notice on that website to find out what that website owner does with their information. The NCSC is not responsible for how websites other than the Websites covered by this Privacy Notice process or use personal data.

If an individual goes to another website from the Websites, some information about that individual may be made available to the destination website, such as information about the Website page from which they were directed to the destination website from.

If an individual comes to our Websites from another website, we may receive personal information about them from the other website. Individual’s should read the privacy notice of the website they came from to find out more about this. 

We may change this privacy notice at any time. In that case, the ‘last updated’ date at the bottom of this page will also change. Any changes to this privacy notice will apply to any individuals using the Websites, and their data, immediately. 

The NCSC collects certain information or data about individuals where they interact with the NCSC in order to access various services that may be provided to an organisation they are part of. Services may be provided via the www.ncsc.gov.uk website, other websites operated by or on behalf of the NCSC, or via software applications distributed by the NCSC (the ‘Online Services’). This privacy notice applies to individuals where they use the Online Services.

This privacy notice applies in addition to the GCHQ External Privacy Notice and other NCSC privacy notices as relevant.

The types of data that the NCSC may collect where you use the Online Services includes:

• name and contact details for individuals
• organisation details such as details of the organisation that individuals work for and their role within that organisation
• login credentials where individuals sign up for access to the Online Services
• logs of use of the Online Services, which may directly or indirectly contain information relating to you
• any information or material that may be made available to us through accessing of the Online Services

The NCSC uses and processes this data to enable it to carry out its statutory function, and in particular including but not limited to the following purposes:

• administration and provision of the Online Services
• responding to queries or requests
• to monitor use of and further develop the Online Services
• exercising our statutory functions

Further information about our statutory functions can be found in the GCHQ External Privacy Notice.

Further to Part 4 and Schedule 9 of the Data Protection Act 2018 (the ‘DPA’), the NCSC’s lawful basis for processing personal data that is collected when individuals use the Online Services is that such processing is necessary:

• for the exercise of functions conferred on it by statute (DPA Schedule 9, paragraph 5(c)
• for the exercise of the functions of a government department (DPA Schedule 9, paragraph 5(d)
• for the purposes of legitimate interests pursued by the NCSC (DPA Schedule 9, paragraph 6(1)

The NCSC only retains personal data for as long as it is necessary for the purposes set out in this document and for as long as the law requires. 

For further information on rights that individuals have over their personal data, please refer to the GCHQ External Privacy Notice. 

Transmitting information over the internet is generally not completely secure, and NCSC cannot guarantee the security of an individual’s data. Any data an individual transmits to NCSC is sent at their own risk.

The NCSC does however have procedures and security features in place to keep data secure once we receive it.

Where the NCSC uses third parties to process personal data it has arrangements in place to make sure that any such third parties keep personal data secure and only process it in accordance with its instructions.

The NCSC works with various government departments, law enforcement bodies, and other organisations and may share personal data with these bodies where doing so complies with the law and is necessary and proportionate for the proper discharge of our statutory functions.

We may change this privacy notice at any time. In that case, the ‘last updated’ date at the bottom of this page will also change. Any changes to this privacy notice will apply to any individuals using the Online Services, and their data, immediately.

You can see previous versions of this page on the National Archives website.

Last updated: 07/01/2021