Data protection and privacy

How to ensure your form is compliant with data protection policies and procedures and keep your users’ data secure.

Contents

Your data protection responsibilities
Registering your data processing activity
Designing and building your form
Preparing a privacy notice
How your forms are secured
Session duration

Your data protection responsibilities

As you design a new form or make any substantial changes to an existing form, you will need to:

  1. register your data processing activity with the appropriate data protection team
  2. think about how and why you are asking for personal information
  3. prepare a privacy notice to include in the footer of your form

These steps will help ensure that you comply with standards and best practice around the lawful capture and ongoing protection of any personal data that you collect with your forms. Your responsibilities include:

  • ensuring that you only collect the minimum amount of personal data necessary and relevant for the purposes of the activity
  • making it as easy as possible for users to understand why you are collecting personal data and how you will use it
  • establishing the most appropriate lawful basis for the personal data capture
  • the security and safe storage of the personal data captured after it has been submitted and who is authorised to view or access it
  • ensuring that the personal data is only used for the purposes for which it is captured
  • destroying or de-identifying the personal data once the purpose for which it has been captured expires, in line with your organisation's retention schedules

For more information on your responsibilities, read the guide to data protection on the MoJ intranet or contact your organisation's data protection team.

Back to top

Registering your data processing activity

If you are planning on using a form to collect personal information, you also need to consider how you will use and manage that information. Collectively, this is known as a data processing activity.

All data processing activities should go through a data protection impact assessment (DPIA) screening. This will help identify and minimise any data protection risks involved and ensure that the activity is registered with the data protection team.

You should do this if you are making significant changes to an existing data processing activity as well when establishing a new one.

If MoJ is your data controller, you will need to contact your information assurance lead or the data protection team (dataprotection@justice.gov.uk) to initiate this process.

The process may vary in departments and agencies that use a different data controller. Contact your organisation’s data protection team for guidance.

Back to top

Designing and building your form

When designing your form, ensure that:

  • you only ask for the information you need to perform your activity - for example, to perform a data protection check or contact the user in the event of a query
  • you are clear with users why you are asking for something
  • users can understand what you will do with their information

To help you work out what to ask, you can carry out a question protocol.

You should also prepare a privacy notice.

For more guidance on designing and building your form, read the Service Manual guidelines on collecting personal information.

Back to top

Preparing a privacy notice

All forms are created with a privacy page in the footer section which comes pre-populated with a template privacy notice. There are sections in the notice that you must fill in with details specific to your team and form. These are indicated in square brackets - [like this].

If you are updating an existing form, you will need to check your privacy notice against the latest version of the template as some sections may have changed.

Privacy notice template

This notice is based on the MoJ template for general processing from the Transparency Toolkit on the intranet. It is for any department or agency that uses MoJ as data controller.

The Toolkit also includes a different privacy notice template for law enforcement processing as well as guidance notes on preparing your notice.

If you work in a department or agency with a different data controller, your privacy notice will need to include different details and may need a different template. Contact your organisation’s data protection team for guidance.

Back to top

How your forms are secured

The Digital and Technology team is responsible for the technical security of the MoJ Forms platform.

We take every precaution with user data as users enter it. User data is saved during a session and protected with high levels of encryption (we use AES 256-bit encryption).

User data cannot be accessed or retrieved by anyone after it has been submitted or the session has ended (for example, by closing the browser before submission).

Users of forms with save for later enabled may choose to save their work before submitting it. This data can be retrieved by the user within 28 days using a one-off email link and a user-set security answer.

All saved data is securely deleted 28 days after submission or from when it was last saved. This timer is reset when data is retrieved using save for later.

You can learn more about how MoJ Forms is structured in our Tech Docs.

Back to top

Session duration

For security reasons, MoJ Forms has a session duration of 30 minutes. This is refreshed every time a user enters some information or interacts with a button or feature on the page so they can take as long as they need to complete the form.

If nothing happens on a page for 25 minutes, the form will warn the user that the form is about to reset. If the user acknowledges the message, the session will refresh to 30 minutes. If nothing continues to happen for another 5 minutes, the form will reset. Any information entered into the form up to that point will be deleted and the user will need to start again.

To minimise the risk of users losing their progress, you could consider:

  • letting users know on the start page what information they will need to hand
  • structuring your form to ask one thing per page
  • allowing users to upload files if you require a detailed answer to a question
  • limiting the length of textarea questions using the validation settings
  • enabling 'save for later', which allows users to save their progress on a form a return to complete it later

Back to top