Government claims info collected by anti-disinformation unit may ‘incidentally include personal data’

The recently renamed National Security Online Information Team has published an official privacy notice, revealing overseas cloud storage arrangements and claims that data is deleted after three months, where possible

Government’s controversial anti-disinformation unit has published formal privacy documents outlining policies including the anonymisation of personal data and the deletion of records after three months where possible.

The recently rechristened National Security Online Information Team (NSOIT) – formerly known as the Counter-Disinformation Unit – has this week released its privacy notice on GOV.UK. The transparency notice sets out how and why the unit will process personal data, as well as explaining its legal basis for doing so and the rights of affected citizens.

The notice explains that its publication is a requirement of data-protection laws and adds: “In the unlikely event that the NSOIT receives or processes personal data, the purpose of this privacy notice is to explain how that personal data would be processed when we have not obtained personal data directly from you.”

The document states that NSOIT collects only “publicly available information, typically from social media websites”.

It stresses that “it is important to note we do not collect or review private online information – i.e. material that is not made available on a public page”.

The notice adds: “Whilst… data is anonymised wherever possible, the content we review may incidentally include personal data – for example, usernames, social media handles, contact information, or personal data embedded within comments or metadata – that may be embedded within material that you or others may have published on those sites. In some cases, such content may include special categories of personal data, such as political or philosophical opinions.”

NSOIT, which is based in the Department for Science, Innovation and Technology, asserts that “we do not use your data for automated decision making or profiling”.

The anti-disinformation unit claims that it “will only retain your personal data for as long as it is needed in accordance with the purposes for which it was collected”. Depending on such purposes, the standard timeframe for retaining citizens’ information may vary from a matter of weeks up to two years – and some data may be held for longer than this, where required.

“Where raw data samples are collected to generate narrative analysis either by DSIT or a third party, it will typically be held for a period of up to three months,” the notice says. “The overall products and outputs of NSOIT will be held for no more than two years, in line with DSIT’s retention policy. NSOIT will anonymise data wherever possible when undertaking its analysis and producing its products and reports. There will be exceptions to the data retention periods set out above where, for example, the law requires us to keep the information for longer, such as for a public inquiry.”

The unit says that it “may share our analysis with other government departments whose work is impacted by disinformation” but that, in doing so, “personal identifiers will be redacted where possible”.

If officials determine that an online post “may infringe the moderation policies” of social media sites – such as Twitter, Facebook, TikTok or Instagram – then data may also be shared with these companies.

“The information NSOIT shares with social media providers is limited to sending links to content of concern, or aggregated overarching trends,” the notice says. “The platform will decide whether to take any action consistent with their policies.”

Since August 2023, NSOIT has also worked with Resolver, a tech firm whose software “gathers all risk data and analyses it in context”, according to the company website. DSIT’s £350,000 contract with Resolver – which is owned by US-based risk and security consultancy Kroll – is intended “to help conduct analysis of social media platforms”.

“Any access [the company] may have to personal data will be strictly controlled in accordance with the requirements under UK GDPR”, according to the privacy notice.

Data may also be provided to DSIT’s cloud-hosting providers – who may then store information in facilities based overseas.

The notice says: “As your personal data is stored on our IT infrastructure and shared with our data processors Microsoft and Amazon Web Services, it may be transferred and stored securely outside the UK. Where that is the case it will be subject to equivalent legal protection through an adequacy decision, the use of Standard Contractual Clauses or a UK International Data Transfer Agreement.”

Right of reply
Any citizens who believe NSOIT has collected or processed their personal data have various rights, the privacy document explains.

These include the right to: ask for a copy of their data and details of how it is being processed; formally object to the processing and, in some cases, request that processing be restricted; request the immediate rectification of inaccuracies or incomplete information; and request erasure of data where its processing is no longer justified.

NSOIT’s legal basis for processing personal information – including extra-sensitive special category data – is that doing so is “necessary for us in our work as a public body and in the public interest”, according to the notice.

“In this case there is substantial public interest in protecting the UK from harmful mis- and disinformation which could adversely impact public safety or national security,” it adds.

The privacy notice is one of only a small number of formal documents proactively published by government related to the work of NSOIT, which began operating in the early days of the coronavirus crisis.

Over the past four years, the unit has been the subject of a growing amount of controversy and criticism. This includes public rebuke from senior Conservative, Labour and Green politicians who have claimed their own online posts criticising the government have been monitored and flagged for deletion – despite containing no factual inaccuracies.

Despite the denials of ministers that this has taken place, criticism persists, including in a recent and robust parliamentary debate in which DSIT minister Viscount Camrose fended off enquiries about the “worrying overreach” of NSOIT.

Others have taken issue with the perceived opacity of the unit and its work, with ministers and officials having repeatedly declined to answer questions from parliamentarians – and from PublicTechnology – seeking even outline operational details.

Sam Trendall
