Data Protection: Public Sector

Question for Department for Digital, Culture, Media and Sport

UIN 103508, tabled on 14 October 2020

To ask the Secretary of State for Digital, Culture, Media and Sport, what privacy, data sharing and data safeguarding obligations, in addition to GDPR, there are on private data firms providing services to Government Departments who require access to public sector data.

Answered on 20 October 2020

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) regulate the obtaining, holding, use and disclosure of personal data. All organisations must comply with the requirements of the GDPR and the DPA, which provide numerous safeguards and limitations on how data is used and held by both controllers and processors. The DPA also sets out the Information Commissioner’s powers of investigation and enforcement.

Where a private company is acting as a processor of data on behalf of the government, contracts will be in place that set out the obligations that the organisation will have to data protection which will be governed by the GDPR and DPA. If a private company is acting as a controller then they will be governed by the general principles of the GDPR.

Outside of the GDPR, the Data Ethics Framework provides guidance for public sector organisations on how to use data appropriately and responsibly when planning, implementing, and evaluating a new policy or service, which would need to be taken into consideration when working with private organisations. More information on the framework can be found here -

Named day
Named day questions only occur in the House of Commons. The MP tabling the question specifies the date on which they should receive an answer. MPs may not table more than five named day questions on a single day.