1. GPA Data Privacy Notice
Posted on October 5, 2021
The GPA is an executive agency of Her Majesty’s Government, sponsored by the Cabinet Office.
We are responsible for providing departments and independent agencies with great places to work for their public servants, which in turn enables them to provide excellent public services.
More details of our services can be found here: https://www.gov.uk/government/organisations/government-property-agency
This document explains what we mean when we talk about personal data, why we ask for this information about you and what we do with it. It also explains how we store your data, how you can get a copy of the information we have collected about you, and how you can complain if you think we have done something wrong.
What is personal data?
Personal data is information relating to a living natural person who:
- can be identified directly from the processed information
- can be indirectly identified from this information in combination with other information
There are “special categories” of personal data that require additional protection, which refer to;
- racial or ethnic origin
- Political Views
- religious beliefs
- union membership
- genetic and biometric data
- sexual orientation
- sex life
- data on criminal convictions and offenses
Special category data is not processed by GPA under normal circumstances. If necessary, we will inform you in advance and ask for your consent, as well as the reason(s) and the legal basis for doing so.
Why we collect personal data
The Government Property Agency (GPA) is the controller of the personal data we collect and store. We process personal data of individuals in order to be able to carry out the following functions as an executive agency of the Cabinet Office.
- Services to owners
- real estate transaction services (including rental contracts, other payments and accounting services);
- GPA property management data reports;
- provision of real estate advice; and the
- integration of customer domains.
- Workplace Services
- environmental and facilities management;
- security services (video surveillance and security personnel);
- access control systems;
- health and safety and emergency response;
- reception and assistance services;
- room and meeting booking services;
- IT services (WiFi, printing, network services, etc.);
- audiovisual, telecommunications and digital services; and
- catering services.
- Organizational services
- capacity and occupancy management;
- site planning;
- support and manage our staff; and
- customer and supplier management.
When we ask you for personal data
Whenever we ask for information about you, we promise to:
- have a legal basis to do so;
- request only relevant personal information;
- make sure you don’t keep it longer than necessary;
- keep your information safe and ensure that no one can access it without permission;
- share your data with other organizations only for legitimate purposes; and
- consider any request you make to correct, stop storing or delete your personal data.
The personal data we collect
We only process the personal data we need to provide you with specific services.
We strive to minimize the amount of data we process, limited to the required purpose; and only retain personal data for as long as necessary to provide the service(s) [unless we are required by law to retain personal data for a specified time period (e.g. employee remuneration data for tax purposes)].
GPA does not process personal data for other reasons than those authorized and required by our services and does not sell or share personal data with other organizations for financial or other purposes.
The personal data we process and may request may include:
Provision of surrogacy services
- Last name
- employment status
- job title
- e-mail address
- phone number
- security clearance / verification details
- Date of Birth
- site access permissions
- CCTV footage
- location data
- IP adress
- Mac address
- meeting details
- room / office reservations
- discussion on the forum
- payment details (limited to on-site services, such as catering)
- health data (related to site access – health and safety / emergency process)
For GPA employees (in addition to above)
- NI number
- employee number
- references / data from previous employer
- bank/salary details
- training/performance records
- security clearance
- attendance records
- health data (disease, conditions, etc.)
- special category data (with consent)
Sharing your personal data
We share a controlled amount of personal data with other organizations where necessary to perform our functions as an executive agency of the Cabinet Office. Including:
- Other ministries, agencies or public sector bodies;
- GPA supplier organizations (data processors); or with
- Law enforcement agencies, if required to do so by law.
We will only share personal data where necessary, where permitted by the Data Protection Act 2018 (DPA) and other relevant legislation. Personal data is shared in accordance with the requirements of data protection legislation.
Legal basis for processing your personal data
For each personal data processing task, GPA has established a lawful basis to do so under Article 6 of the UK GDPR, consistent with our obligations:
- legitimate interest;
- to perform a task in the public interest;
- the processing is necessary to comply with a legal obligation incumbent upon us as controller; Where
- the processing is necessary to fulfill the terms of a contract.
How we protect your data and keep it safe
We are committed to doing everything possible to ensure the security of your data. We have systems and processes in place to prevent unauthorized access or disclosure of your data – for example, we protect your data using varying levels of encryption.
We also ensure that the third parties we deal with keep any personal data they process on our behalf secure and in accordance with data protection legislation.
Under the UK Data Protection Act (2018), incorporating the UK GDPR, you have the right to:
- request information about how your personal data is processed and request a copy of that personal data;
- request that any inaccuracies in your personal data be rectified without delay;
- request that any incomplete personal data be completed, including by means of a supplementary declaration;
- to request the erasure of your personal data if there is no longer any justification for their processing;
- in certain circumstances (for example, where the accuracy is disputed), request that the processing of your personal data be restricted;
- to object to the processing of your personal data where it is processed for direct marketing purposes, or for any other reason which we then consider; and
- request a copy of any personal data you have provided, and for this to be provided in a structured, commonly used and machine-readable format.
Access your personal information
You can exercise your data rights by making a valid subject access request (SAR) to GPA, which is the controller of your personal data.
Contact the GPA to make a Subject Access Request (SAR) by mail or email.
GPA Data Protection Team
Government real estate agency
23 Stephenson Street
E-mail. [email protected]
Please be specific in your request, explain clearly what you are requesting and ensure that you provide us with the means to positively identify you.
We are prohibited from disclosing personal data to any person unless we are sure it is only the personal data of the person performing the SAR.
We cannot disclose personal data to any third party, organization or family member without prior written consent. We are prohibited from disclosing the personal data of several data subjects to a single person.
We will respond to you within 30 days – unless we contact you with a valid reason why we need to extend this period, within the parameters of data protection legislation.
Please use the GPA contact details (above) for any other questions relating to data protection or how we process your personal data.
If you need further information regarding GPA’s data processing activities, the contact details of GPA’s Data Protection Officer (DPO) are:
Data Protection Officer
The Data Protection Officer provides independent advice and is responsible for monitoring GPA’s use of personal information.
If you believe that your personal data has been misused or improperly processed, you can lodge a complaint with the Information Commissioner, who is the independent regulatory and supervisory authority in the United Kingdom.
The Information Commissioner can be contacted at:
Information Commissioner’s Office
Telephone: 0303 123 1113
Any complaint to the Information Commissioner is without prejudice to your right to seek redress in court.