Question to the Department for Digital, Culture, Media & Sport:

To ask the Secretary of State for Digital, Culture, Media and Sport, what privacy, data sharing and data safeguarding obligations, in addition to GDPR, there are on private data firms providing services to Government Departments who require access to public sector data.

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) regulate the obtaining, holding, use and disclosure of personal data. All organisations must comply with the requirements of the GDPR and the DPA which provide numerous safeguards and limitations on the how data is used and held by both controllers and processors. The DPA also sets out the Information Commissioner’s powers of investigation and enforcement.

Where a private company is acting as a processor of data on behalf of the government, contracts will be in place that set out the obligations that the organisation will have to data protection which will be governed by the GDPR and DPA. If a private company is acting as a controller then they will be governed by the general principles of the GDPR.

Outside of the GDPR, the Data Ethics Framework provides guidance for public sector organisations on how to use data appropriately and responsibly when planning, implementing, and evaluating a new policy or service, which would need to be taken into consideration when working with private organisations. More information on the framework can be found here - https://www.gov.uk/government/publications/data-ethics-framework.