GPA Data Privacy Notice – GOV.UK


1. GPA Data Privacy Notice

Published 5th October 2021


The GPA is an executive agency of HM Government, sponsored by the Cabinet Office.

We’re responsible for providing Government Departments and arms-length bodies with great places to work for their civil servants, which in turn enables them to provide excellent public services.

More details of our services can be found here:

This document explains what we mean when we talk about personal data, why we ask for this information about you and what we do with it. It also explains how we store your data, how you can get a copy of the information we have collected about you and how you can complain if you think we have done something wrong.

What is personal data?

Personal data is information relating to a living individual who:

  • can be identified directly from the information being processed
  • can be indirectly identified from that information in combination with other information

There are ‘Special Categories’ of personal data which require additional protection, that refer to;

  • racial or ethnic origin
  • political opinions
  • religious beliefs
  • trade union membership
  • genetic and biometric data
  • sexual orientation
  • sex life
  • criminal conviction and offenses data

Special category data is not processed by the GPA in normal circumstances. Where it is necessary, we will inform you in advance and ask your consent, plus explain the reason(s) and lawful basis for doing so.

Why we collect personal data

The Government Property Agency (GPA) is the data controller for the personal information we collect and store. We process personal data about individuals so we can carry out the following functions as an executive agency of the Cabinet Office.

  • Landlord Services
    • property transactional services (including rental agreements, other payments and accounting services);
    • GPA estate management data reporting;
    • provision of property advice; and the
    • on-boarding of client estates.
  • Workplace Services
    • environment and facilities management;
    • security services (CCTV and security personnel);
    • access control systems;
    • health and safety, and emergency response;
    • reception and helpdesk services;
    • meeting and room booking services;
    • IT services (WiFi, print, network services, etc);
    • audio visual, telecommunications and digital services; and
    • catering facilities.
  • Organizational Services
    • capacity and occupancy management;
    • location planning;
    • supporting and managing our staff; and
    • client and supplier management.

When we ask you for personal data

Whenever we ask for information about you, we promise to:

  • have a lawful basis for doing so;
  • ask for relevant personal information only;
  • make sure we don’t keep it longer than needed;
  • keep your information safe and make sure nobody can access it unless authorized;
  • only share your data with other organizations for legitimate purposes; and
  • consider any request you make to correct, stop storing or delete your personal data.

The personal data we collect

We only process the personal data we need to provide specific services to you.

We strive to minimise the amount of data we process, limited to the purpose required; and only hold personal data for as long as necessary to provide the service(s) [unless we are required by law to retain personal data for a specified time period (e.g. employee remuneration data for tax purposes)].

The GPA does not process personal data for any other reasons than our services allow and require and does not sell or share personal data with other organizations for financial gain or other purposes.

Personal data we process, and may ask for, can include:

Provision of GPA Services

  • name
  • employer
  • employment status
  • job title
  • email address
  • phone number
  • security clearance / vetting details
  • date of birth
  • photograph
  • site access permissions
  • CCTV images
  • location data
  • IP Address
  • MAC address
  • meeting details
  • room / desk bookings
  • forum discussions
  • payment details (restricted to onsite services, such as catering)
  • health data (related to site access – health and safety / emergency processes)

For GPA employees (in addition to above)

  • address
  • NI number
  • employee number
  • references / previous employer data
  • bank / salary details
  • qualifications
  • training / performance records
  • security clearance
  • attendance records
  • health data (illness, conditions, etc)
  • special category data (with consent)

Sharing your personal data

We share a controlled amount of personal data with other organizations where necessary to exercise our functions as an executive agency of the Cabinet Office. Including:

  • Other Government Departments, agencies or public sector bodies;
  • GPA supplier organizations (data processors); or with
  • Law Enforcement bodies, if obliged to do so by law.

We will only share personal data when necessary, if the Data Protection Act 2018 (DPA) and any other relevant legislation allows. Personal data is shared in line with data protection legislation requirements.

For each personal data processing task, the GPA has established a lawful basis for doing so under Article 6 of the UK GDPR, in line with our obligations:

  • legitimate interest;
  • to perform a task in the public interest;
  • processing is necessary to comply with a legal obligation on us as a data controller; or
  • processing is necessary to meet the terms of a contract.

How we protect your data and keep it secure

We are committed to doing all that we can to keep your data secure. We have set up systems and processes to prevent unauthorized access or disclosure of your data – for example, we protect your data using varying levels of encryption.

We also make sure that any third parties that we deal with keep all personal data they process on our behalf secure and in line with data protection legislation.

Your rights

Under the UK Data Protection Act (2018), incorporating the UK GDPR, you have the right:

  • to request information about how your personal data is processed, and to request a copy of that personal data;
  • to request that any inaccuracies in your personal data are rectified without delay;
  • to request that any incomplete instances of personal data are completed, including by means of a supplementary statement;
  • to request that your personal data is erased if there is no longer a justification for it to be processed;
  • in certain circumstances (for example, where accuracy is contested), to request that the processing of your personal data is restricted;
  • to object to the processing of your personal data where it is processed for direct marketing purposes, or any other reason and that we will then consider; and
  • to request a copy of any personal data you have provided, and for this to be provided in a structured, commonly used and machine-readable format.

Accessing your personal information

You can action your data rights by making a valid Subject Access Request (SAR) to the GPA, who are the data controller of your personal data.

Contact the GPA to action a Subject Access Request (SAR) via post or email.

GPA Data Protection Team

Government Property Agency

23 Stephenson Street


B2 4BH


Please be specific in your request, clearly explaining what you are asking for and ensure that you provide means for us to positively identify you.

We are prohibited from releasing personal data to any individual, unless we are sure it is the personal data of the individual actioning the SAR.

We may not release personal data to a third party, organization or family member without prior written consent. We are prohibited to release personal data of multiple data subjects to one individual.

We will respond within 30 days – unless we contact you to indicate a valid reason why we need to extend this period, in line with data protection legislation parameters.

Contact details

Please use the contact details for the GPA (above) for any other queries relating to data protection or how we process your personal data.

If you require further information regarding the GPA’s data processing activities, the contact details for the GPA’s Data Protection Officer (DPO) are:

Data Protection Officer
Cabinet Office
70 Whitehall

The Data Protection Officer provides independent advice and is charged with monitoring the GPA’s use of personal information.


If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is the UK’s independent regulator and Supervisory Authority.

The information Commissioner can be contacted at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Telephone: 0303 123 1113

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Leave a Comment

Your email address will not be published.