diff --git a/app/views/mou_signatures/_mou_version_4.html.erb b/app/views/mou_signatures/_mou_version_4.html.erb new file mode 100644 index 000000000..d51faed2a --- /dev/null +++ b/app/views/mou_signatures/_mou_version_4.html.erb @@ -0,0 +1,1127 @@ +
Last updated: 22 May 2025
+ + + ++ This is a memorandum of understanding (“MOU”) between the Government Digital Service (“GDS”) and your organisation (together the + “Parties”). The single MOU covers all the forms an organisation publishes using GOV.UK Forms. +
+This MOU shall be interpreted in accordance with the Annexes.
++ This MOU is not intended to be legally binding and no legal obligations or legal rights shall arise between the Parties from the + provisions of the MOU. For the avoidance of doubt, GDS shall not be liable for any Loss arising from, or in connection with a breach + of this MOU. However, the Parties enter into the MOU intending to honour their obligations. Any dispute will be escalated to + appropriately senior officers of GDS and your organisation for resolution. +
++ GOV.UK Forms + is a web-based platform owned and operated by GDS, which is used for easily creating online forms on GOV.UK. +
++ The GOV.UK Forms team within GDS develops, maintains and runs the GOV.UK Forms platform. Your organisation gets access to the GOV.UK + Forms platform, where form creators can create and manage online forms. +
++ When your organisation creates online forms, at your request, GOV.UK Forms collects information from members of the public and + businesses. As GOV.UK Forms processes the Personal Data from members of the public and businesses on behalf of your organisation, GDS + is a Data Processor for your organisation. +
++ When GOV.UK Forms processes completed forms, GDS transfers the Personal Data of members of the public and businesses to your + organisation using the delivery method configured for the form. This MOU covers this transfer. +
++ This agreement starts when your organisation has ‘Organisation Admin’ accounts on the GOV.UK Forms platform. Either GDS or your + organisation can end this agreement by giving three months’ notice by email. +
++ The agreement covers all users within the organisation that will use GOV.UK Forms. The agreement can be agreed by multiple users in + the same organisation, who will be informed of changes as per below. +
++ Any updates to this agreement will be emailed to the person who agreed on behalf of your organisation (or the first account in your + organisation that is still active). This will happen 30 calendar days before any change is due to be made, along with a summary of the + changes. The changes will then take effect on the date specified in the notification email. No action is required by your organisation + if you accept the changes. +
+If your organisation doesn’t wish to accept the change, you must notify GDS and this MOU will terminate with immediate effect.
++ GDS reserves the right to refuse to host, or to cease hosting forms and to delete them from the platform and remove links from GOV.UK, + where in GDS’s reasonable opinion publishing the forms would: +
+
+ For this agreement, the main point of contact for GDS is:
+ govuk-forms@digital.cabinet-office.gov.uk
+
+ For your organisation, the main point of contact will be the user who agrees on behalf of your organisation, which may be more than + one user. +
++ When agreed, the details of the agreer (along with the date and time agreed) will be stored in a database within GOV.UK Forms in order + to inform the agreer of updates and for auditing purposes. It will also be used to inform the platform that your organisation members + can be upgraded to Organisation Admins. +
+The GOV.UK Forms team will both supervise and process personal data within GDS.
++ There is currently no cost for using GOV.UK Forms or for the hosting of forms made on the platform. This is intended to help reduce + the barriers to lower volume services using GOV.UK Forms that would otherwise require significant procurement effort. This will help + drive greater digitisation of government services and promote channel shift, saving money and time for our users. +
++ If this pricing structure should change in the future, GDS will inform your organisation at least six months before any price changes + so that you can decide whether to continue using the product. +
+You must not use GOV.UK Forms to handle data classified above OFFICIAL.
++ You are responsible for deciding whether or not GOV.UK Forms is suitable to handle the information you wish to collect using online + forms. A description of the measures GDS has taken to protect data is described in Annex E. +
+You must ensure that your users of GOV.UK Forms follow good security practices when accessing the service, including:
++ using end-user devices that are being managed in accordance with the requirements of + The Cyber Security Standard + (and its successor standards) +
+not connecting their end-user devices to untrusted WiFi networks, such as those found in public places like cafes and hotels
++ using a secure email inbox to set up an account and access GOV.UK Forms login codes, with MFA (known as “2SV” or “2 step + verification”) to access the inbox or device +
+If it is suspected that a user’s GOV.UK Forms account has been compromised you shall immediately notify the GOV.UK Forms team.
++ You shall ensure that the GOV.UK Forms team is promptly notified when a user in your organisation no longer requires access to the + Forms administration interface. +
++ You are responsible for managing the security of the mail server you will use to receive form responses. Before using GOV.UK Forms you + must ensure that this meets the + government secure email policy, including: +
++ supporting + Transport Layer Security Version 1.2 + (TLS v1.2) or later +
++ publishing a Mail Transfer Agent Strict Transport Security (MTA-STS) policy + for all of your domains that receive email +
+implementing spam and malware filtering
+enforcing DMARC on inbound email
+setting up DMARC and TLS reporting (TLS-RPT) and reviewing the data regularly
++ Note: The NCSC’s + Mail Check + service can be used for assessing email security compliance. If your mail server does not support the use of TLS, form response data + could be transmitted in plain text across the Internet. +
++ You are responsible for managing the security of the designated mailbox(es) used to receive form response data. Anyone with access to + the mailbox(es) will potentially be able to see the form response data. +
++ You may want to implement rules on your mail server to restrict who or what can send emails to the mailbox. For example, you could + configure it to only accept messages sent from the GOV.UK Forms service. +
++ You should also bear in mind that email addresses provided by users (in a submission) have not been validated, so may not be correct + addresses. +
+Submission emails from GOV.UK Forms can not be replied to.
++ Parties should report any messages received by this mailbox that are outside of the email output expected from the GOV.UK Forms + service (e.g. incorrect content format, incorrect sender or bulk messages sent through the service), to the GOV.UK Forms team (see + contact at item 13). +
+You are responsible for checking that form response data received from GOV.UK Forms is safe before you consume it.
++ The online forms are unauthenticated and could be completed by anyone. You are responsible for including identification and + authentication mechanisms within your downstream processes if these are required. +
++ The parties agree that for GOV.UK Forms User Personal Data and GOV.UK Forms Filler Technical Device Data processed under this MoU, GDS + shall be a Data Controller. GDS shall ensure compliance with applicable Data Protection Legislation at all times during the Term of + this MoU in relation to this data. +
++ The Parties agree that for the purpose of GOV.UK Form Filler Personal Data processed under this MOU, GDS shall be a Data Processor and + your organisation shall be a Data Controller. This MOU is intended to comply with GDPR Article 28 and/or DPA 2018 section 59, in + accordance with section 209(3) of the DPA 2018. +
+Your organisation as a Data Controller is responsible for ensuring that:
+ +it is permitted by Law to transfer Personal Data to GDS as its data processor;
++ it has the Data Subject’s consent, where necessary, to use GDS to collect personal data and for GDS and its sub-processors to send + messages to your organisation and users; +
++ it complies with the Data Protection Legislation for each of the Data Subjects. This will include ensuring the Personal Data is + kept up to date, and only retained for as long as required; and +
+The contact details of your organisation’s Form Processor remains accurate and up to date; and
+that privacy notices for any of your services using GOV.UK Forms are accessible to those service’s Data Subjects.
++ GDS will not disclose GOV.UK Forms User or Filler Personal Data to any outside organisation other than as set out in this MOU unless + required by Law. +
++ GDS shall notify your organisation immediately if it considers that any of your instructions infringe the applicable Data Protection + Legislation (but any such notification does not constitute legal advice, and your organisation remains solely responsible for + determining the legality of its instructions). +
++ GDS shall provide all reasonable assistance to your organisation in the preparation of any Data Protection Impact Assessment required + under applicable Data Protection Legislation, prior to commencing any Processing. Such assistance may, at the discretion of your + organisation, include: +
+ +a systematic description of the envisaged Processing operations and the purpose of the Processing;
+an assessment of the necessity and proportionality of the Processing operations;
+an assessment of the risks to the rights and freedoms of Data Subjects; and
++ the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of + Personal Data. +
+GDS shall, in relation to the GOV.UK Forms User Personal Data:
+ ++ process that Personal Data only in accordance with the Schedule of Processing, Personal Data and Data Subjects (Annex D) unless + GDS is required to do otherwise by Law. If it is so required GDS shall promptly notify your organisation before Processing the + Personal Data unless prohibited by Law; +
++ ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which your + organisation may reasonably reject (but failure to reject shall not amount to approval by your organisation of the adequacy of the + Protective Measures), having taken account of the: +
+ +nature of the data to be protected;
+harm that might result from a Data Loss Event;
+state of technological development; and
+cost of implementing any measures;
+GDS shall ensure that:
+ ++ Processor Personnel do not Process Personal Data except in accordance with this MOU (and in particular the Schedule of Processing, + Personal Data and Data Subjects); +
++ it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal + Data and ensure that they: +
+ +are aware of and comply with the GDS duties under this paragraph;
+are subject to appropriate confidentiality undertakings with GDS or any Sub-Processor;
++ are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data + to any third party unless directed in writing to do so by your organisation or as otherwise permitted by this MOU; and +
+have undergone adequate training in the use, care, protection and handling of Personal Data; and
++ Where the GOV.UK Forms User and Filler Personal Data is subject to the UK GDPR, it will not transfer Personal Data outside of the + United Kingdom unless either: +
+ +the transfer is in accordance with Article 45 of the UK GDPR or section 17A of DPA 2018; or
+the prior written consent of your organisation has been obtained and the following conditions are fulfilled:
+ ++ GDS or your organisation has provided appropriate safeguards in relation to the transfer (whether in accordance with + Article 46 of the UK GDPR or section 75 of DPA 2018) as determined by your organisation (which could include relevant + parties entering into the International Data Transfer MOU or International Data Transfer MOU Addendum to the European + Commission’s SCCs as published by the Information Commissioner’s Office), as well as any additional measures determined by + your organisation; +
+the Data Subject has enforceable rights and effective legal remedies;
++ GDS complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to + any Personal Data that is transferred; and +
++ GDS complies with any reasonable instructions notified to it in advance by your organisation with respect to the + Processing of the Personal Data; and +
++ where the Personal Data is subject to the EU GDPR, it will not transfer such Personal Data outside of the European Union unless + either: +
+ +the transfer is in accordance with Article 45 of the EU GDPR; or
+the prior written consent of your organisation has been obtained and the following conditions are fulfilled:
+ ++ GDS or your organisation has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of + the EU GDPR as determined by your organisation which could include relevant parties entering into Standard Contractual + Clauses in the European Commission’s decision 2021/914/EU set out in Annex 3 to Schedule 31 (Processing Personal Data) or + such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as + well as any additional measures determined by GDS; +
+the Data Subject has enforceable rights and effective legal remedies;
++ GDS complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to + any Personal Data that is transferred; and +
+ ++ GDS complies with any reasonable instructions notified to it in advance by your organisation with respect to the + Processing of the Personal Data; +
++ at the written direction of your organisation, delete or return Personal Data (and any copies of it) to your + organisation on termination of the MOU unless GDS is required by Law to retain the Personal Data. +
++ GDS shall notify your organisation promptly (and in any event in sufficient time for your organisation to comply with its own + obligations under applicable Data Protection Legislation) if it: +
+ +receives a Data Subject Request (or purported Data Subject Request);
+receives a request to rectify, block or erase any Personal Data;
++ receives any other request, complaint or communication relating to either Party’s obligations under the Data Protection + Legislation; +
++ receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data + Processed under this MOU; +
++ receives a request from any third party for disclosure of Personal Data where compliance with such request is required or + purported to be required by Law; or +
+becomes aware of a Data Loss Event.
++ Taking into account the nature of the Processing, GDS shall provide your organisation with full assistance in relation to either + party’s obligations under Data Protection Legislation and any complaint, communication or request made (and insofar as possible within + the timescales reasonably required by your organisation) including by promptly providing: +
+ +your organisation with full details and copies of the complaint, communication or request;
++ such assistance as is reasonably requested by your organisation to enable your organisation to comply with a Data Subject Request + within the relevant timescales set out in the Data Protection Legislation; +
+your organisation, at its request, with any Personal Data it holds in relation to a Data Subject;
+such assistance as is reasonably requested by your organisation following any Data Loss Event;
++ such assistance as is reasonably requested by your organisation with respect to any request from the Information Commissioner’s + Office or any other regulatory authority, or any consultation by your organisation with the Information Commissioner’s Office or + any other regulatory authority. +
++ GDS shall maintain complete and accurate records and information to demonstrate its compliance with this clause and make these + available on request to the Controller. +
++ You may want to consider providing your organisation’s Data Protection Officer (DPO) with Organisation Admin account access in order + to see all forms and data being collected across the organisation. Please inform the GOV.UK Forms team if this is something your DPO + would be interested in getting. +
++ GDS shall allow for audits of its Data Processing activity by your organisation or your organisation’s designated auditor, provided + always that: +
+ ++ your organisation gives GDS a minimum of 30 calendar days’ written notice of its intention to audit (other than in the event of a + Personal Data Breach or where required by a regulator, when your organisation shall give as much notice as is reasonably possible + in the circumstances); +
++ your organisation to the extent reasonably possible conducts its audit through the written submission of requests for information + about its Processing operations to the GDS and reliance on GDS’s written responses, unless it has reasonable cause to question the + accuracy of such responses or the intended scope of its audit cannot reasonably be achieved in such a manner; +
+your organisation to the extent reasonably possible minimises the impact of its audit on the operations of the GDS;
++ your organisation does not conduct more than one audit annually (other than in the event of a Personal Data Breach or where + required by a regulator); and +
++ where your organisation appoints a third party auditor, that third party auditor signs an appropriate confidentiality agreement on + terms acceptable to GDS acting reasonably, prior to the start of the audit. +
+GDS has a designated Data Protection Officer as required by the Data Protection Legislation.
+The contact is:
+
+ DSIT Data Protection Officer
+ Department for Science, Innovation and Technology
+ 22-26 Whitehall
+ London
+ SW1A 2EG
+
Your organisation consents to the use of the Sub-Processors set out in Annex B.
++ GDS may change its Sub-Processors from time to time. Before allowing a Sub-Processor to Process any Personal Data related to this MOU, + GDS must: +
+ +have undertaken an information security assessment of the Sub-Processor to ensure compliance with all aspects of this MOU;
+have a written MOU with the Sub-Processor which commits them to continued compliance with all aspects of this MOU;
+notify your organisation in writing of the new Sub-Processor and type of Processing they will undertake; and
+provide your organisation with such information regarding the Sub-Processor as your organisation may reasonably require.
++ GDS shall email your organisation’s appointed representative named, of intended changes concerning the addition or replacement of a + Sub-Processor, at least 15 calendar days before the change takes effect. +
++ If your organisation wishes to object to the Sub-Processor change, they must raise this by sending an email to GDS. Any proposed + concerns need to be discussed and resolved by both Parties within these 15 days. Resolution may include not proceeding with the change + to the Sub-Processor. +
+If the Parties cannot resolve the objections raised by your organisation, then your organisation must commence termination.
++ The Parties agree to take account of any non-mandatory published guidance issued by the Information Commissioner’s Office. Your + organisation may request that this MOU is updated to comply with any guidance issued by the Information Commissioner’s Officer within + 30 calendar days of request to GDS. +
++ GDS agrees to Process the GOV.UK Forms User and Filler Personal Data in accordance with the requirements of this MOU, and in + particular GDS agrees that it shall: +
+ +process the GOV.UK Forms User and Filler Personal Data only as set out in this MOU;
++ process the GOV.UK Forms User and Filler Personal Data only to the extent, and in such manner, as is necessary to deliver the + GOV.UK Forms service; +
++ comply with obligations of the applicable Data Protection Legislation and in particular implement appropriate technical and + organisational measures to protect the GOV.UK Forms User and Filler Personal Data against unauthorised or unlawful Processing and + against accidental loss, destruction, damage, alteration or disclosure. These measures shall ensure a level of security + appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to + the GOV.UK Forms User and Filler Personal Data and having regard to the nature of the GOV.UK Forms User and Filler Personal Data + which is to be protected; +
++ take reasonable steps to ensure the reliability of any personnel who have access to the GOV.UK Forms User and Filler Personal + Data; +
++ transfer the GOV.UK Forms User and Filler Personal Data only to those Sub-Processors listed in Annex A or subsequently notified to + your organisation; +
++ ensure that all personnel required to Process the GOV.UK Forms User and Filler Personal Data are informed of GDS’s obligations + under this MOU with regard to the security and protection of GOV.UK Forms User and Filler Personal Data and that those obligations + are complied with; +
++ ensure that no personnel publish, disclose or divulge any of the GOV.UK Forms User and Filler Personal Data to any third party + unless directed in writing to do so by each of the Parties; +
++ if it receives a Data Subject Request under the applicable Data Protection Legislation, or any complaint in relation to GOV.UK + Forms, to inform the complainant or requester that your organisation is the Data Controller and ask the User to contact your + organisation DPO where appropriate. +
++ Both GDS and your organisation agree to work with each other in order to comply with Requests For Information in line with the Law. +
++ When GDS or your organisation receives a request for information covered by this MOU, we agree to inform the respective main point of + contact as soon as possible. +
++ Before responding to the requester, our organisations agree to consult with each other and share all information which we propose to + disclose at least five working days before disclosure. +
+In this MOU the following words and phrases shall have the following meanings, unless expressly stated to the contrary:
+ ++ Data Controller, Data Processor, Data Subject, Personal Data, + Personal Data Breach, Data Protection Officer take the meaning given in the UK GDPR; +
+Clauses means the main body of this MOU excluding Annexes;
++ Data Loss Event: any event that results, or may result, in unauthorised access to Personal Data held by the Processor + under this MOU, and/or actual or potential loss and/or destruction of Personal Data in breach of this MOU, including any Personal Data + Breach; +
++ Data Protection Impact Assessment (DPIA) means an assessment by the Controller on the impact of the envisaged Processing + on the protection of Personal Data; +
+Data Protection Legislation means:
+ +the UK GDPR as amended from time to time;
+the DPA 2018 to the extent that it relates to the processing of personal data and privacy;
+(to the extent that it applies) the EU GDPR; and
+all applicable Law relating to the processing of personal data and privacy;
++ Data Subject Request: a request made by, or on behalf of, a Data Subject in accordance with rights granted pursuant to + the Data Protection Legislation; +
+DPA 2018: Data Protection Act 2018;
++ Environmental Information Regulations means the Environmental Information Regulations 2004, as amended, or Environmental + Information Regulations (Scotland) 2004 (as appropriate), together with any guidance and/or codes of practice issued by the Information + Commissioner or relevant Government Department in relation to such regulations; +
++ EU GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection + of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection + Regulation) as it has effect in EU law; +
+FOIA means the Freedom of Information Act 2000, as amended;
+FOISA means the Freedom of Information (Scotland) Act 2002;
++ Form Processor means the individual or business unit within your organisation that will receive forms completed using + GOV.UK Forms; +
++ GOV.UK Forms User Personal Data means all personal and technical device data transferred from a user of the Forms + platform (i.e. those creating forms) to GDS pursuant to the GOV.UK Forms services made available under this MOU; This includes personal + data required to set up a GOV.UK Forms Account, technical data about Form User’s devices such as IP address, web browsers and operating + systems, and data about Form Users’ interactions with GOV.UK Forms which are captured in system logs. +
++ GOV.UK Forms Filler Personal Data means all personal data transferred when members of the public or businesses fill out + and submit a form built by the GOV.UK Forms service, and transferred to your organisation to process. +
++ GOV.UK Forms Filler Technical Data means all technical device data, such as IP address, web browsers and operating + systems, transferred when members of the public or businesses use and submit a form built by the GOV.UK Forms service. +
++ IAO means Information Asset Owner, namely the individual occupying the position of Information Asset Owner within your + organisation organisation, who has asset ownership obligations in relation to the GOV.UK Forms Personal Data; +
++ Law: means any law, subordinate legislation within the meaning of Section 21(1) of the Interpretation Act 1978, bye-law, + enforceable right within the meaning of Section 2 of the European Communities Act 1972, right within the meaning of the European Union + (Withdrawal) Act 2018 as amended by European Union (Withdrawal MOU) Act 2020, regulation, order, regulatory policy, mandatory guidance or + code of practice, judgement of a relevant court of law, or directives or requirements with which your organisation is bound to comply; +
++ Losses means all losses, liabilities, damages, costs, expenses (including legal fees), disbursements, costs of + investigation, litigation, settlement, judgement, interest and penalties whether arising in contract, tort (including negligence), breach + of statutory duty, misrepresentation or otherwise and "Loss" shall be interpreted accordingly; +
++ Organisation Admin means the person or people within your organisation who carry out administration functions related to + access to the GOV.UK Forms platform; +
++ Processor Personnel: means all directors, officers, employees, agents, consultants and contractors of the Processor + and/or of any Sub-Processor engaged in the performance of its obligations under this MOU; +
++ Protective Measures: appropriate technical and organisational measures which may include: pseudonymising and encrypting + Personal Data, ensuring confidentiality, integrity, availability and resilience of systems and services, ensuring that availability of and + access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of + the such measures adopted by it including those outlined in Clause 10; +
++ Request for Information means a request for information or a request under FOIA or the Environmental Information + Regulations; +
+Sub-Processor: any third party appointed to Process Personal Data on behalf of that Processor related to this MOU;
++ UK GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection + of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data + Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the + European Union (Withdrawal) Act 2018, together with the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) + Regulations 2019; +
+Your organisation means the organisation that is consuming the GOV.UK Forms service.
+ +GOV.UK Forms is hosted on Amazon Web Services (AWS) infrastructure in the UK.
+
+ Amazon Web Services (Company Number: 08650665)
+ 1 Principal Place
+ Worship Street
+ London
+ EC2A 2FA
+
+ GDS uses Splunk for application and infrastructure monitoring and alerting to help keep GOV.UK Forms secure and performant. This includes + logging user actions and alerting the GOV.UK Forms team about certain types of activity. +
++ Doing so involves processing some GOV.UK Forms User Data and GOV.UK Form Filler Technical Data, including IP address and user agent. This + data does not include Form Fillers’ answers to form questions. Logs are transferred to the Spunk Cloud service, hosted in the EU. +
+ +
+ Splunk
+ Thames Tower
+ Station Rd.
+ Reading
+ RG1 1LX
+
+ GDS uses the Zendesk customer service platform to manage support requests from users. So we can respond to these requests, we collect + GOV.UK Forms User Personal Data - for example, the names and email addresses of people who request support. This data is processed on + infrastructure hosted in the EU. +
+ +
+ Zendesk (Company Number: 07622459)
+ 30 Eastbourne Terrace
+ London
+ W2 6LA
+
+ GDS uses Okta’s Auth0 service to help keep the platform secure by authenticating form creators. This involves processing the form + creator’s email address. It does not involve processing data from Form Fillers’ answers to form questions. +
+Form creator’s email addresses are processed on infrastructure hosted in the UK.
+ +
+ OKTA EMEA HEADQUARTERS
+ 20 Farringdon Road
+ London
+ EC1M 3HE
+ United Kingdom
+
+ GDS (part of Department for Science, Innovation & Technology)
+ Some GOV.UK Forms User Personal Data (name and email address) is held indefinitely to keep form history and audit changes to forms.
+
+ Form submissions, including Form Filler Personal Data, are retained during the user’s active session. These sessions automatically expire + and are permanently deleted after 20 hours of inactivity. +
++ Data from completed form submissions, including Form Filler Personal Data, are kept for 30 days. This is in case of any technical problems + delivering the data. +
+GOV.UK Forms Filler Technical Data is kept up to a year.
+ ++ Name and email address of the person making the support request is retained for 1-2 years. Non-Personal Data is retained indefinitely. +
+ +Application logs are retained for 12 months.
+ ++ Logs are retained for 2 days. User profile data (email address) is retained until the user’s profile is deleted. User profiles are deleted + after they have been inactive for 12 months. +
+ ++ Annex D provides a general description of how GOV.UK Forms will process Personal Data on behalf of your organisation as controller. The + Annex will be supplemented by the content of the forms your organisation creates using the GOV.UK Forms platform, and this content will + constitute your further documented instructions as to how GDS may process personal data on your behalf for the purposes of Article + 28(3)(a) of UK GDPR. +
+ ++ To support the running of government services, GOV.UK Forms collects Personal and Non-Personal Data from members of the public and + businesses so that your organisation can make decisions about them. +
+ +Processing on the GOV.UK Forms infrastructure takes up to 2 working days (to allow for disaster recovery).
+ +GOV.UK Forms collects Personal Data for the purposes of Processing forms that are submitted by members of the public and businesses.
++ GOV.UK Forms also collects Personal Data for the purposes of monitoring and alerting on application performance and platform security. +
+GOV.UK Forms uses third party suppliers to deliver emails to your organisation and to manage customer support.
+Once the relevant retention period has been reached, GOV.UK Forms Personal Data is deleted by GDS and third party suppliers.
++ The purposes of government forms are many and varied, but generally fall into the categories of licences, permits, registrations, + reporting, taxation, refunds, requesting support, renewals, records changes, exemptions, appeals, correspondence, public engagement and + procurement. +
+ ++ The types of Personal Data collected in government forms will be dependent on the form that has been provided, but generally will include + name, identification number, location data and other data that could identify an individual both directly or indirectly. +
++ Where needed for the service, forms may also collect special category data and information relating to criminal convictions and offences. +
+ +Includes members of the public and people employed by businesses or other organisations.
+ ++ Personal Data is automatically deleted at the end of the data retention period. This is the case as part of routine Processing, and at + termination of this Agreement. +
++ This section provides an overview of the security measures provided by the GOV.UK Forms service. It is intended to assist you with + deciding whether the service is suitable for your needs. +
+ ++ GOV.UK Forms is hosted on AWS in their London Region. All components have built in redundancy and + backups where possible. +
+ ++ GOV.UK Forms has been designed to align with government cyber security standards, including + The Cyber Security Standard, the + Service Standard + and relevant guidance published by the NCSC, the UK’s national authority for cyber security. +
+Threat modelling and risk assessments are used to identify where additional security measures may be necessary.
+ ++ Operations staff within GDS and its supply chain who support GOV.UK Forms are required to successfully complete pre-employment screening + in accordance with the Baseline Personnel Security Standard or an equivalent commercial screening process. +
+ ++ Organisations can only create and edit their own forms, except where an organisation agrees to a member of another organisation creating + and editing forms on its behalf. +
+ +Data will be encrypted in transit as follows:
+Requests between users’ browsers and GOV.UK Forms applications are encrypted with TLS V1.2
+Requests between GOV.UK Forms and its 3rd party processors are encrypted with TLS V1.2
++ Requests between 3rd party processors and the designated mail server for receiving submitted form responses are encrypted by using TLS + V1.2 if the mail server supports this. +
++ Requests between Notify and the mail server for receiving form submission confirmations, by using TLS V1.2 if the mail server supports + this. +
+Form response data will be encrypted at rest.
+ ++ Software code is subject to security testing during the software development process and the production environment is subject to + continuous vulnerability scanning using + NCSC’s Web Check. +
++ The service is subject to independent penetration testing at least annually and prior to major functional feature releases. Any findings + are risk assessed and managed in accordance with GDS’s risk appetite. +
+ ++ GDS generates and retains event logs of the systems and applications that deliver GOV.UK Forms and the service is protectively monitored + for indicators of compromise. +
+ ++ During its development, GOV.UK Forms was subject to independent service assessments. In addition, GDS Information Assurance maintains an + independent information risk assessment of the service, reporting to the GDS Senior Leadership Team. +
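Review bot: in the encryption-in-transit list, the fourth item has no verb: "Requests between Notify and the mail server for receiving form submission confirmations, by using TLS V1.2 if the mail server supports this." The items before it say "are encrypted with" or "are encrypted by using". The new file's blob hash (d51faed2a) equals the pre-change hash of _mou_version_current.html.erb, so this partial is a verbatim snapshot of text organisations have already agreed to and should stay as it is. If the same sentence is still in _mou_version_current.html.erb, fix it there. The list also pins "TLS V1.2" without "or later", which is worth correcting in the current version only.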
+ + diff --git a/app/views/mou_signatures/_mou_version_current.html.erb b/app/views/mou_signatures/_mou_version_current.html.erb index d51faed2a..bab48168c 100644 --- a/app/views/mou_signatures/_mou_version_current.html.erb +++ b/app/views/mou_signatures/_mou_version_current.html.erb @@ -82,8 +82,8 @@- This agreement starts when your organisation has ‘Organisation Admin’ accounts on the GOV.UK Forms platform. Either GDS or your - organisation can end this agreement by giving three months’ notice by email. + This agreement starts when a user agrees to the MOU on behalf of their organisation. Either GDS or your organisation can end + this agreement by giving three months’ notice by email.
Any updates to this agreement will be emailed to the person who agreed on behalf of your organisation (or the first account in your - organisation that is still active). This will happen 30 calendar days before any change is due to be made, along with a summary of the + organisation that is still active). This will happen 7 calendar days before any change is due to be made, along with a summary of the changes. The changes will then take effect on the date specified in the notification email. No action is required by your organisation if you accept the changes.
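Review bot: the notice period for MOU updates drops from "30 calendar days" to "7 calendar days", while the same paragraph keeps "No action is required by your organisation if you accept the changes", so a change takes effect by default one week after a single email. Seven days is short for the recipient to pass a change to their data protection or security lead, and the fallback recipient ("the first account in your organisation that is still active") may not be the right reader. Please confirm the shorter period is intended, and consider stating what an organisation should do within the 7 days if it does not accept the changes. The new start condition ("when a user agrees to the MOU on behalf of their organisation") also does not say which users are able to agree; a short qualifier would help.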
@@ -132,8 +132,7 @@When agreed, the details of the agreer (along with the date and time agreed) will be stored in a database within GOV.UK Forms in order - to inform the agreer of updates and for auditing purposes. It will also be used to inform the platform that your organisation members - can be upgraded to Organisation Admins. + to inform the agreer of updates and for auditing purposes.
- There is currently no cost for using GOV.UK Forms or for the hosting of forms made on the platform. This is intended to help reduce - the barriers to lower volume services using GOV.UK Forms that would otherwise require significant procurement effort. This will help - drive greater digitisation of government services and promote channel shift, saving money and time for our users. + There is currently no cost for using GOV.UK Forms or for the hosting of forms made on the platform.
You must ensure that your users of GOV.UK Forms follow good security practices when accessing the service, including:
-- using end-user devices that are being managed in accordance with the requirements of - The Cyber Security Standard - (and its successor standards) -
-not connecting their end-user devices to untrusted WiFi networks, such as those found in public places like cafes and hotels
-- using a secure email inbox to set up an account and access GOV.UK Forms login codes, with MFA (known as “2SV” or “2 step - verification”) to access the inbox or device -
-+ You must ensure that users of GOV.UK Forms within your organisation maintain appropriate information security practices including reasonable + administrative, technical and physical safeguards to protect systems, data and access credentials associated with the service. +
If it is suspected that a user’s GOV.UK Forms account has been compromised you shall immediately notify the GOV.UK Forms team.
- You shall ensure that the GOV.UK Forms team is promptly notified when a user in your organisation no longer requires access to the - Forms administration interface. + You are responsible for managing user access to GOV.UK Forms within your organisation, including promptly removing access for users who + no longer require it.
- You are responsible for managing the security of the mail server you will use to receive form responses. Before using GOV.UK Forms you - must ensure that this meets the - government secure email policy, including: + You are responsible for the security and configuration of any system you use to receive form response data including, but not limited to, email + servers, APIs, or cloud storage buckets.
-- supporting - Transport Layer Security Version 1.2 - (TLS v1.2) or later -
-- publishing a Mail Transfer Agent Strict Transport Security (MTA-STS) policy - for all of your domains that receive email -
-implementing spam and malware filtering
-enforcing DMARC on inbound email
-setting up DMARC and TLS reporting (TLS-RPT) and reviewing the data regularly
-- Note: The NCSC’s - Mail Check - service can be used for assessing email security compliance. If your mail server does not support the use of TLS, form response data - could be transmitted in plain text across the Internet. + You are must ensure any mailbox(es) you use to receive form response data meets the + government secure email policy.
- You are responsible for managing the security of the designated mailbox(es) used to receive form response data. Anyone with access to - the mailbox(es) will potentially be able to see the form response data. + You are responsible for managing and securing access to form response data within your organisation and for ensuring that only authorised + individuals or systems can access that data.
- You should also bear in mind that email addresses provided by users (in a submission) have not been validated, so may not be correct - addresses. + You are responsible for validating any form response data, including email addresses, to ensure it is correct and suitable for its intended + purpose.
Submission emails from GOV.UK Forms can not be replied to.
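Review bot: the rewritten mail-security clause replaces the explicit requirements (TLS v1.2 or later, MTA-STS, spam and malware filtering, DMARC on inbound email, TLS-RPT) with a bare link to the government secure email policy, and drops the note that "If your mail server does not support the use of TLS, form response data could be transmitted in plain text across the Internet." The encryption text archived in _mou_version_4.html.erb says delivery to the mail server uses TLS V1.2 only "if the mail server supports this". If that wording remains in the current version, the consequence of a receiving server without TLS is no longer stated anywhere in the organisation's responsibilities. Suggest keeping that one sentence next to the policy link. The new sentence also has a typo and an agreement error: "You are must ensure any mailbox(es) you use to receive form response data meets" should read "You must ensure any mailbox(es) you use to receive form response data meet".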
-Parties should report any messages received by this mailbox that are outside of the email output expected from the GOV.UK Forms @@ -600,9 +550,8 @@
- You may want to consider providing your organisation’s Data Protection Officer (DPO) with Organisation Admin account access in order - to see all forms and data being collected across the organisation. Please inform the GOV.UK Forms team if this is something your DPO - would be interested in getting. + You may want to consider ensuring your organisation’s Data Protection Officer (DPO) has appropriate access to GOV.UK Forms so they can + view relevant forms and data being collected across the organisation.
- Organisation Admin means the person or people within your organisation who carry out administration functions related to - access to the GOV.UK Forms platform; -
Processor Personnel: means all directors, officers, employees, agents, consultants and contractors of the Processor and/or of any Sub-Processor engaged in the performance of its obligations under this MOU;
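Review bot: the replacement DPO paragraph says the DPO should have "appropriate access", but with "Please inform the GOV.UK Forms team" removed it no longer says who grants that access or which role can "view relevant forms and data being collected across the organisation". Suggest naming the role, or pointing to the access-management clause ("You are responsible for managing user access to GOV.UK Forms within your organisation"). The "Organisation Admin" definition is deleted in the change that follows, so please check that no remaining clause in _mou_version_current.html.erb still uses the term.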