Security

GOV.UK Notify is built for the needs of government services. It has processes in place to:

  • protect user data
  • keep systems secure
  • manage risks around information

Data

On Notify, data is encrypted:

  • when it passes through the service
  • when it’s stored on the service

Any user data you upload is only held for 7 days.

The Cabinet Office acts as data processor for Notify. Your organisation is the data controller.

Data Protection Act

Notify complies with the Data Protection Act. To make sure it stays compliant, there are regular legal reviews of the service’s:

  • privacy policy
  • terms of use
  • approach to data sharing

Technical security

Other technical security controls on Notify include:

  • protective monitoring to record activity, and raise alerts about any suspicious activity
  • using JSON Web Tokens, to avoid sending API keys when your service talks to Notify

User permissions

You can set different user permissions in Notify. This lets you control who in your team has access to certain parts of the service.

Information risk management

Our approach to information risk management follows National Cyber Security Centre (NCSC) guidance. It assesses:

  • how Notify is built
  • the infrastructure Notify is built upon
  • support for the Notify service

This approach also applies to the service providers Notify uses to send messages.

How we manage risks on Notify

Things we do to manage risks on Notify include:

  • formal risk assessments based on ISO 2700:2011 and National Cyber Security Centre guidance
  • CHECK-based testing, both annually and when any major changes are made to Notify
  • residual risk statement preparation and active management of the risk treatment plan
  • regular updates to the Privacy Impact Assessment
  • security impact assessments

Cabinet Office approval

Notify has been assessed and approved by the Cabinet Office Senior Information Risk Officer (SIRO). The SIRO checks this approval once a year.

Notify also has approval from the Office of the Government’s SIRO to host data within the EEA.

Classifications and security vetting

Any information in Notify is classified as ‘OFFICIAL’ under the Government Security Classifications Policy.

All system administration staff working on Notify are cleared to Security Check (SC) level by United Kingdom Security Vetting.