Privacy notice

Last updated: 14 Apr 2021

Who we are

GOV.UK Pay is a payments service that’s built and maintained by the Government Digital Service, part of the Cabinet Office (“GDS”, “we”, “us”, “our”). We and other public sector organisations use GOV.UK Pay to take payments online and process them efficiently. To do that, we collect, process and store certain data about you.

This privacy notice explains:

  • the kinds of data we collect and process in order to provide the payments service
  • how that data is used
  • how that data is protected
  • how you can find out what rights you have in relation to your data

The data controller for GDS is the Cabinet Office. The data controller determines the purposes and means of processing personal data.

Why we need your data

GOV.UK Pay is a service provided for the benefit of public sector organisations (“government organisations”). We collect and process data about you and connect the government organisations with the payment service providers (“PSPs”). The PSPs process their payments and pass on the relevant information.

The government organisations that we partner with are the data controllers. They will also process your data for their own purposes which might not be set out here. If you’re an individual user making a payment to a government organisation (“payer”), or if you’re a staff member of that government organisation using GOV.UK Pay as part of your role (“staff user”), you should read this privacy notice. Where applicable, you should also read the privacy policies of the relevant government organisation to see how your data is processed and how to exercise your rights in respect of the processing of your personal data.

What data we need from payers

On behalf of our partner government organisations we will collect different types of data from payers.

Contact details

We will collect data that includes:

  • names
  • email addresses
  • billing addresses

Bank card information

We will collect data that includes:

  • name on the relevant credit or debit card
  • card type, like a debit or credit card
  • card expiry date
  • credit or debit card number - we will only keep the first six and last four digits for our records once the payment is made
  • credit or debit card security code - this is not kept after the payment is processed

Payment transaction details

We will collect data that includes:

  • payment amounts and frequencies including dates
  • payment statuses
  • payment descriptions
  • payment gateway transaction ID
  • the reference number of the government organisation
  • IP address of devices used to make payments

What data we need from staff users

We also collect data about authorised staff users.

Contact details

We will collect data that includes:

  • names
  • email addresses
  • contact details
  • photographic identification to enable Stripe integration

Employment details

We will collect data that includes:

  • details about the staff user’s role - for example, what rights a user has to view certain data

The legal basis for processing this data is to carry out our contract with the relevant government organisations.

What we do with your data

We will use your personal data for different purposes.

GOV.UK Pay service and internal processing

To carry out our contract with the relevant government organisation we will need to process data. This will allow us to:

  • ensure that the service operates as expected
  • allow payers to make payments and authorised staff users to log in and administer payments
  • respond to any queries raised by the government organisation or the PSP in respect of the service

Analytics and statistics

As part of our contract with the relevant government organisation we will need to meet reporting obligations.

We will review the service and see how we provide that service to the government organisations where required. For example, to provide statistical details of the total number of card transactions.

Legal obligations

We may share your data or disclose information because of a law, regulation or court order and to protect our interests and legal rights.

We will not:

  • sell or rent your data to third parties
  • share your data with third parties for marketing purposes

How long we keep your data

We will only retain your personal data for as long as:

  • it’s needed for the purposes set out in this document
  • is required by law

In general, this means that we will only hold your personal data for a minimum of 1 year and a maximum of 7 years.

Children’s privacy protection

Our services are not designed for, or intentionally targeted at, children 13 years of age or younger. It is not our policy to intentionally collect or maintain data about anyone under the age of 13.

Who your data might be shared with

There may be times when we need to share your data.


If you are a payer, your personal data will be provided to the relevant PSP that’s connected to the government organisation you are paying.

Third party service providers

We will share your personal data with third parties if they need to know the information so that they can provide us, or the relevant government organisation, with a service. For example, a supplier of IT services like data storage.

Legal and regulatory entities

We might have to share your personal data with law enforcement agencies or regulatory bodies if we have to comply with any legal obligation or court order.

These other entities may be based in the UK or they might be located in other countries that are not in the European Economic Area (“EEA”). Different privacy laws apply across the world. We will only transfer your data to another country if we are sure that there is enough protection in place to make sure that your data is secure.

Where personal data is transferred outside of the EEA to a country that is not considered to have ’adequate protection’, we will ensure that an appropriate data transfer agreement is in place. In the case of transfers to the United States of America we will ensure the company is certified by the EU-US Privacy Shield. You can contact us to ask to view the documentation that provides the safeguard for your data, although some confidential information may be removed.

We design, build and run our systems to make sure that your data is as safe as possible at any stage, both while it’s processed and when it’s stored.

Your personal data may, throughout the course of its processing at GDS, be transferred outside of the European Economic Area (EEA). Where this is the case all appropriate technical and legal safeguards will be put in place to ensure that you are afforded the same level of protection as within the EEA.

How we protect your data and keep it secure

We are committed to doing all that we can to keep your data secure. We set up systems and processes to prevent unauthorised access or disclosure of the data we collect about you – for example, we protect your data using varying levels of encryption. All third parties who process personal data for GDS are required to keep that data secure. From time to time we will test the system for security vulnerabilities.

What are your rights

You have the right to:

  • information about how your personal data is processed
  • a copy of that personal data
  • that anything inaccurate in your personal data is corrected immediately

You can also:

  • raise an objection about how your personal data is processed
  • request that your personal data is erased if there is no longer a justification for it
  • ask that the processing of your personal data is restricted in certain circumstances

If you have any of these requests, get in contact with our Data Protection Officer - the contact details are at the bottom of the page.

Changes to this notice

We may change this privacy notice. In that case the ‘last updated’ date at the top of this page will also change. Any changes to this privacy notice will apply to you and your data immediately. If these changes affect how your personal data is processed, GDS will take reasonable steps to make sure you know.

Questions and complaints

The data controller for your personal data is the Cabinet Office.

Contact the Data Protection Officer if you either:

  • have any questions about anything in this document
  • think that your personal data has been misused or mishandled

Data Protection Officer
Cabinet Office
70 Whitehall
London SW1A 2AS

If you have a complaint, you can also contact the Information Commissioner, who is an independent regulator set up to uphold information rights.

Information Commissioner’s Office
0303 123 1113
Wycliffe House
Water Lane
Cheshire SK9 5AF