Question to the Department for Science, Innovation & Technology:

To ask His Majesty's Government what steps they are taking to ensure sufficient protections are in place to keep the public’s data private and secure following the announcement of partnerships between the Civil Service and technology companies.

All government departments must comply with UK Data Protection legislation when partnering with technology companies, as they remain the data controllers for the personal data they hold. Departments are responsible for ensuring their technology partners meet high standards in line with UK GDPR principles. Each department must appoint an adequately resourced Data Protection Officer (DPO) to assess partner compliance and advise on Data Protection Impact Assessments (DPIAs) to identify and mitigate risks.

The Government Digital Service (GDS) has published principles for securing personal data in government services, including actions departments must take to ensure compliance. These include robust commercial agreements, assigned liabilities, risk assessments, audits, monitoring, and oversight of data processing terms, along with seeking assurance from suppliers.

Additionally, the Government Security Group and GDS have introduced the Security by Design Policy, which sets out how departments should manage security risks arising from third-party technology products.