Digital
GDPR and mygov.scot
June 12, 2017 by Jono Ellis No Comments | Category Digital Public Services, mygov.scot
Our user’s data is really important to us. New legislation, the General Data Protection Regulation (GDPR), will impact sites and services which collect and make use of user’s data. GDPR comes into force in May 2018, with the UK expected to finalise any derogations to the GDPR under Article 23 final specification for how sites comply to GDPR being in November of this year. Here are some of the things we’ve been working on to ensure our data protection is robust and meets with the new GDPR regulations.
What data do we gather from mygov.scot users
We have several areas where we gather data from mygov.scot users through a number of sources:
- Google Analytics – how users navigate our site’s content, search and forms
- Mouseflow – how users interact with elements on individual pages and forms on our site
- Feedback – collected on via the footer of all content items on our site
Google Analytics
We use Google Analytics (via Google Tag Manager) to help us analyse how users navigate our site’s content and we already had in place some strong controls to ensure that no personal data is gathered to Google Analytics. The first is some industry standard code which removes the last part of a user’s IP address in order to protect their identity. We haven’t tied in any advertising products which would allow advertisers (but not us) to track users across the internet. Our form fields are set up to record certain data – such as when people hit the button to submit the form but the form fails for some reason – but we don’t collect any data from fields designed for personally identifying information (such as the user’s name or address). Some of our users do sometimes mistakenly put data into a form field not intended for that purpose – such as searching for their Blue Badge number – but as no other identifying information is gathered along with these infrequent mistakes the data that we collect is still considered non personally identifying.
Mouseflow
It’s important that our website metrics come from a number of different sources and cover a range of needs. We collect data about how users interact with our site though Mouseflow – a tool which records where the user’s mouse has gone on the page. An example of the data we gather is how far users scroll through web pages – if only 50% of users were reaching key content then we may need to rewrite the content. As with Google Analytics, we can record how users progress through forms and we ensure that only relevant fields are recorded (again, not addresses or personally identifying info). Only partial IP addresses are presented in the Mouseflow interface, to prevent personal identification.
Feedback
All article and guide pages on our site feature a feedback box. These fields are anonymous and no additional data is collected about a user (such as their IP address or browser signature). We have an issue that some users do share personally identifying information, including names or telephone numbers. We appreciate that this is something that we need to address and so we’ve updated the text on the page and restricted who accesses this personal, unredacted data internally. Longer term we’ll incorporate features into our feedback tool and processes to make sure that, even if someone shares personal information, we will comply with GDPR for that data.
We will be managing this information via our new Information Asset Register, which is due out later this year.
Tags: GDPR
Leave a comment