6. Evaluate what user data and information the digital service will be providing or storing and address the security level, legal responsibilities, privacy issues and risks associated with the service.

The purpose of this point is to evaluate what user data and information the digital service will be providing or storing and address the security level, legal responsibilities, privacy issues and risks associated with the service.

Legally you must comply with The Data Protection Act which details how data can be gathered, used and stored. Key considerations are to only collect what data you need and to ensure that any data hosted on the cloud is not transferred outside the European Economic Area without adequate protection.

If you are changing the way you process or store user data you should complete a Privacy Impact Assessment which will highlight the risks and mitigation. Your data governance team should have a process in place for this. More guidance is available within the ICO PIA Code of Practice.

You need to consider what security measures are in place for both physical (site) security as well as digital, including encryption and password management. Cloud computing is not necessarily less secure than on-premise. If your organisation is Public Services Network accredited you will need to ensure that your network and infrastructure continue to stay compliant.


The Standard was launched on 7 April 2016.

This guidance was last amended on 17 June 2016 as part of Service Standard Sprint #1.

You can read more about the Standard here.

All content in this guide is available under the Open Government Licence v3.0, except where otherwise stated.