Privacy notice

Last updated: 17 January 2023

Who we are

GOV.UK Pay is a payments service that’s built and maintained by the Government Digital Service, which is part of the Cabinet Office (“GDS”, “we”, “us”, “our”).

Public sector organisations use GOV.UK Pay to take payments online and over the phone. To do that, we collect, process and store certain data about paying users and public sector users.

People making payments to a public sector organisation should refer to our paying user privacy notice.

If you’re an employee or contractor for a public sector organisation using GOV.UK Pay as part of your role, this privacy notice explains:

  • the kinds of data we collect and process in order to provide the payments service
  • how that data is used
  • how that data is protected
  • how you can find out what rights you have in relation to your data

Read the Cabinet Office’s entry in the Data Protection Public Register for more information.

Why we need your data

When a public sector organisation wants to use GOV.UK Pay, you, as the employee, will need to create an account on GOV.UK Pay. We collect and process data about you, your colleagues and your organisation in order to facilitate the setup of payment services and the taking and managing of payments from your users.

What data we need from public sector employees

When creating an account on GOV.UK Pay we will collect data that includes:

  • your name
  • your email address
  • your mobile phone number
  • the name of the organisation you work for
  • the IP address you use to access GOV.UK Pay

We also record a user’s permission level which determines the activity and data any invited user has access to. When you request to make your payment service live on GOV.UK Pay, with our payment provider Stripe, we require the following additional information:

  • your organisation’s bank details
  • your organisation’s VAT number (if applicable)
  • your company registration number (if applicable)

If you are an individual who holds a director and/or responsible person role, we will also collect the following personal data about you to enable integration with our payment provider Stripe:

  • your name
  • your date of birth
  • your work email address
  • your work telephone number
  • a form of photographic identification (if applicable)

The legal basis for processing this data is ‘public task’ – allowing you to access GOV.UK Pay to take and manage payments from users of your public service.

What we do with your data

To carry out our responsibilities to the public sector organisation that uses GOV.UK Pay, we will need to process data. This will allow us to:

  • ensure that the GOV.UK Pay service operates as expected
  • allow paying users to make one-off single payments to your service and organisation
  • allow paying users to make and manage recurring payments with your service and organisation
  • allow you and other employees to log in and administer payments and refunds
  • respond to any queries raised by the organisation or the payment provider in respect of the service
  • contact employees who are responsible for managing and operating the service about any changes or issues and which may require action from them
  • inform users about changes and new features in GOV.UK Pay

Where you provide your consent, we use Google Analytics cookies to collect information about how you use GOV.UK Pay.

Google Analytics processes information about:

  • the pages you visit on GOV.UK Pay and when logged into the Pay admin tool
  • how long you spend on each page
  • how you got to the site
  • what you click on while you’re visiting the site

We also receive the same information from other government digital services and GOV.UK.

We make sure you cannot be directly identified by Google Analytics data. We do this by using the Google Analytics IP address anonymisation feature.

How long we keep your data

We will retain your personal data for as long as:

  • you operate and have access to a service on Pay
  • it’s needed for the purposes set out in this document
  • it’s required by law

How we protect your data and keep it secure

We design, build and run our systems to make sure that your data is as safe as possible at any stage, both while it’s processed and when it’s stored. We are committed to doing all that we can to keep your data secure. We set up systems and processes to prevent unauthorised access or disclosure of the data we collect about you – for example, we protect your data using varying levels of encryption. All third parties who process personal data for GDS are required to keep that data secure. From time to time we will test the system for security vulnerabilities.

Your personal data may, throughout the course of its processing at GDS, be transferred outside the UK. Where this is the case all appropriate technical and legal safeguards will be put in place to make sure that you are afforded the same level of protection as within the UK. We will only transfer your data to another country if we are sure that there is enough protection in place to make sure that your data is secure.

Who your data might be shared with

There are times when we need to share your data.

Payment providers

Our contracted payment provider is Stripe Payments Europe Limited. If you make use of this contract we will pass data to them to onboard your service and to comply with know your customer (KYC), anti-money laundering, and other legal and compliance requirements. Read Stripe’s privacy policy for more information.

We also work with Government Banking Service and their contracted payment provider is Worldpay. If you make use of this contract we may share data with them at their or your request to facilitate onboarding, operations, support and troubleshooting issues. Read Worldpay’s privacy policy for more information.

Legal and regulatory entities

We may have to share your personal data with law enforcement agencies or regulatory bodies if we have to comply with any legal obligation or court order.

We will not:

  • sell or rent your data to third parties
  • share your data with third parties for marketing purposes

Children’s privacy protection

Our services are not designed for, or intentionally targeted at, children 13 years of age or younger. It is not our policy to intentionally collect or maintain data about anyone under the age of 13. Users can only create an account on Pay if they hold and have access to a public sector email address.

What are your rights

You have the right to request:

  • information about how your personal data is processed
  • a copy of that personal data
  • that anything inaccurate in your personal data is corrected immediately

You can also:

  • raise an objection about how your personal data is processed
  • request that your personal data is erased if there is no longer a justification for it
  • ask that the processing of your personal data is restricted in certain circumstances

If you have any of these requests, get in contact with our Data Protection Officer - the contact details are at the bottom of the page.

Changes to this notice

We may change this privacy notice. In that case the ‘last updated’ date at the top of this page will also change. Any changes to this privacy notice will apply to you and your data immediately. If these changes affect how your personal data is processed, GDS will take reasonable steps to make sure you know.

Questions and complaints

Contact gds-privacy-office@digital.cabinet-office.gov.uk if you either:

  • have questions about anything in this document
  • think that your personal data has been misused or mishandled

You can also contact the Cabinet Office Data Protection Officer.

Data Protection Officer
DPO@cabinetoffice.gov.uk
Cabinet Office
70 Whitehall
London SW1A 2AS

If you have a complaint, you can also contact the Information Commissioner, who is an independent regulator set up to uphold information rights.

casework@ico.org.uk
0303 123 1113
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF