Privacy notice

Last updated: 17 January 2023

Who we are

GOV.UK Pay is a payments service that’s built and maintained by the Government Digital Service, which is part of the Cabinet Office (“GDS”, “we”, “us”, “our”).

Public sector organisations use GOV.UK Pay to take payments online and over the phone. To do that, we collect, process and store certain data about you, acting as a data processor on behalf of these organisations. The organisations using GOV.UK Pay are the data controllers and they will have a privacy notice governing how they process and manage your data.

This privacy notice explains:

  • the kinds of data we collect and process in order to provide the payments service
  • how that data is used
  • how that data is protected
  • how you can find out what rights you have in relation to your data

Read the Cabinet Office’s entry in the Data Protection Public Register for more information.

Why we need your data

When you make a payment to a public sector organisation using GOV.UK Pay, we collect and process data about you in order to process that payment, and to monitor our service to protect against fraud and errors.

What data we need

Contact details

We will collect personal data that includes your:

  • names
  • email addresses
  • billing addresses

Bank card details

We will collect bank card data that includes:

  • name on the relevant credit or debit card
  • card type, like a debit or credit card
  • card expiry date
  • credit or debit card number - we will only keep the first six and last four digits for our records once the payment is made
  • credit or debit card security code - this is not kept after the payment is processed

Payment transaction details

We will collect payment transaction data that includes:

  • payment amounts and frequencies including dates
  • payment statuses
  • payment descriptions
  • payment gateway transaction ID
  • a reference number provided by the public sector organisation
  • IP address of devices used to make payments
  • any additional information provided by the public sector organisation which they wish to associate with your payment

What we do with your data

We will use your data for different purposes.

Taking payments

We use your data to process the payment you have requested.

If you enter into an agreement with a public sector organisation to allow them to take recurring payments, we will process your data in order to facilitate this process. Card details are securely stored for the duration of your agreement by the relevant payment provider that’s connected to the organisation you are paying. Stored card details are then used to process payments when requested by the public sector organisation.

Enabling public sector organisations to manage payments

The public sector organisation who requested your payment will have access to information about these payments through GOV.UK Pay. This is in order to allow them to perform any necessary administration and management such as financial reconciliation, reporting, or as part of delivering and operating their service.

Operation of GOV.UK Pay

Members of the GOV.UK Pay team have access to information about payments and transactions processed on the platform in order to:

  • ensure that GOV.UK Pay operates as expected
  • respond to any queries raised by the organisation or the payment provider in respect of the service

We also collect aggregated anonymised statistics, for example:

  • the number and aggregate value of payments processed by each public sector organisation who use GOV.UK Pay
  • rates of successful and failed payments

We use these for performance, reporting and continuous improvement. We may also share aggregate data with other public sector and government entities.

How long we keep your data

We will only retain your data for as long as:

  • it’s needed for the purposes set out in this document
  • is required by law

In general, this means that we will only hold your personal data for a minimum of 1 year and a maximum of 7 years.

How we protect your data and keep it secure

We design, build and run our systems to make sure that your data is as safe as possible at any stage, both while it’s processed and when it’s stored. We set up systems and processes to prevent unauthorised access or disclosure of the data we collect about you – for example, we protect your data using varying levels of encryption. From time to time we will test the system for security vulnerabilities.

Your personal data may, throughout the course of its processing at GDS, be transferred outside the UK. Where this is the case all appropriate technical and legal safeguards will be put in place to make sure that you are afforded the same level of protection as within the UK. We will only transfer your data to another country if we are sure that there is enough protection in place to make sure that your data is secure.

Who your data might be shared with

There may be times when we need to share your data.

Payment providers

We use payment providers to process your payment.

Your personal data will be provided to the relevant payment provider that’s connected to the public sector organisation you are paying. You can find their privacy notices below:

Legal and regulatory entities

We may have to share your personal data with law enforcement agencies or regulatory bodies if we have to comply with any legal obligation or court order.

We will not:

  • sell or rent your data to third parties
  • share your data with third parties for marketing purposes

Children’s privacy protection

Our services are not designed for, or intentionally targeted at, children 13 years of age or younger. It is not our policy to intentionally collect or maintain data about anyone under the age of 13.

What are your rights

You have the right to request:

  • information about how your personal data is processed
  • a copy of that personal data
  • that anything inaccurate in your personal data is corrected immediately

You can also:

  • raise an objection about how your personal data is processed
  • request that your personal data is erased if there is no longer a justification for it
  • ask that the processing of your personal data is restricted in certain circumstances

If you have any of these requests, get in contact with our Data Protection Officer - the contact details are at the bottom of the page.

Changes to this notice

We may change this privacy notice. In that case the ‘last updated’ date at the top of this page will also change. Any changes to this privacy notice will apply to you and your data immediately. If these changes affect how your personal data is processed, GDS will take reasonable steps to make sure you know.

Questions and complaints

Contact if you either:

  • have any questions about anything in this document
  • think that your personal data has been misused or mishandled

You can also contact the Cabinet Office Data Protection Officer.
Cabinet Office
70 Whitehall
London SW1A 2AS

If you have a complaint, you can also contact the Information Commissioner, who is an independent regulator set up to uphold information rights.
0303 123 1113
Wycliffe House
Water Lane
Cheshire SK9 5AF