Privacy notice
Last updated: 17 January 2023
Who we are
GOV.UK Pay is a payments service that’s built and maintained by the Government Digital Service, which is part of the Cabinet Office (“GDS”, “we”, “us”, “our”).
Public sector organisations use GOV.UK Pay to take payments online and over the phone. To do that, we collect, process and store certain data about you, acting as a data processor on behalf of these organisations. The organisations using GOV.UK Pay are the data controllers and they will have a privacy notice governing how they process and manage your data.
This privacy notice explains:
- the kinds of data we collect and process in order to provide the payments service
- how that data is used
- how that data is protected
- how you can find out what rights you have in relation to your data
Read the Cabinet Office’s entry in the Data Protection Public Register for more information.
Why we need your data
When you make a payment to a public sector organisation using GOV.UK Pay, we collect and process data about you in order to process that payment, and to monitor our service to protect against fraud and errors.
What data we need
Contact details
We will collect personal data that includes your:
- names
- email addresses
- billing addresses
Bank card details
We will collect bank card data that includes:
- name on the relevant credit or debit card
- card type, like a debit or credit card
- card expiry date
- credit or debit card number - we will only keep the first six and last four digits for our records once the payment is made
- credit or debit card security code - this is not kept after the payment is processed
Payment transaction details
We will collect payment transaction data that includes:
- payment amounts and frequencies including dates
- payment statuses
- payment descriptions
- payment gateway transaction ID
- a reference number provided by the public sector organisation
- IP address of devices used to make payments
- any additional information provided by the public sector organisation which they wish to associate with your payment
What we do with your data
We will use your data for different purposes.
Taking payments
We use your data to process the payment you have requested.
If you enter into an agreement with a public sector organisation to allow them to take recurring payments, we will process your data in order to facilitate this process. Card details are securely stored for the duration of your agreement by the relevant payment provider that’s connected to the organisation you are paying. Stored card details are then used to process payments when requested by the public sector organisation.
Enabling public sector organisations to manage payments
The public sector organisation who requested your payment will have access to information about these payments through GOV.UK Pay. This is in order to allow them to perform any necessary administration and management such as financial reconciliation, reporting, or as part of delivering and operating their service.
Operation of GOV.UK Pay
Members of the GOV.UK Pay team have access to information about payments and transactions processed on the platform in order to:
- ensure that GOV.UK Pay operates as expected
- respond to any queries raised by the organisation or the payment provider in respect of the service
We also collect aggregated anonymised statistics, for example:
- the number and aggregate value of payments processed by each public sector organisation that uses GOV.UK Pay
- rates of successful and failed payments
We use these for performance, reporting and continuous improvement. We may also share aggregate data with other public sector and government entities.
How long we keep your data
We will only retain your data for as long as:
- it’s needed for the purposes set out in this document
- it’s required by law
In general, this means that we will only hold your personal data for a minimum of 1 year and a maximum of 7 years.
How we protect your data and keep it secure
We design, build and run our systems to make sure that your data is as safe as possible at any stage, both while it’s processed and when it’s stored. We set up systems and processes to prevent unauthorised access or disclosure of the data we collect about you – for example, we protect your data using varying levels of encryption. From time to time we will test the system for security vulnerabilities.
Your personal data may, throughout the course of its processing at GDS, be transferred outside the UK. Where this is the case all appropriate technical and legal safeguards will be put in place to make sure that you are afforded the same level of protection as within the UK. We will only transfer your data to another country if we are sure that there is enough protection in place to make sure that your data is secure.
Who your data might be shared with
There may be times when we need to share your data.
Payment providers
We use payment providers to process your payment.
Your personal data will be provided to the relevant payment provider that’s connected to the public sector organisation you are paying. You can find their privacy notices below:
Legal and regulatory entities
We may have to share your personal data with law enforcement agencies or regulatory bodies if we have to comply with any legal obligation or court order.
We will not:
- sell or rent your data to third parties
- share your data with third parties for marketing purposes
Children’s privacy protection
Our services are not designed for, or intentionally targeted at, children 13 years of age or younger. It is not our policy to intentionally collect or maintain data about anyone under the age of 13.
What are your rights
You have the right to request:
- information about how your personal data is processed
- a copy of that personal data
- that anything inaccurate in your personal data is corrected immediately
You can also:
- raise an objection about how your personal data is processed
- request that your personal data is erased if there is no longer a justification for it
- ask that the processing of your personal data is restricted in certain circumstances
If you have any of these requests, get in contact with our Data Protection Officer - the contact details are at the bottom of the page.
Changes to this notice
We may change this privacy notice. In that case the ‘last updated’ date at the top of this page will also change. Any changes to this privacy notice will apply to you and your data immediately. If these changes affect how your personal data is processed, GDS will take reasonable steps to make sure you know.
Questions and complaints
Contact gds-privacy-office@digital.cabinet-office.gov.uk if you either:
- have any questions about anything in this document
- think that your personal data has been misused or mishandled
You can also contact the Cabinet Office Data Protection Officer.
DPO@cabinetoffice.gov.uk
Cabinet Office
70 Whitehall
London SW1A 2AS
If you have a complaint, you can also contact the Information Commissioner, who is an independent regulator set up to uphold information rights.
casework@ico.org.uk
0303 123 1113
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF