From b5eecd8e62efdff0f98a9409ee1de7539eda4334 Mon Sep 17 00:00:00 2001
From: Kevin Etchells
Date: Thu, 13 Feb 2025 15:46:00 +0000
Subject: [PATCH 1/2] Update privacy policy and add cookie notice
---
 django_app/frontend/src/css/general.scss | 8 ++
 .../redbox_app/redbox_core/views/__init__.py | 8 +-
 .../redbox_core/views/info_views.py | 5 +
 django_app/redbox_app/templates/base.html | 1 +
 django_app/redbox_app/templates/cookies.html | 45 ++++++++
 .../redbox_app/templates/privacy-notice.html | 106 ++++++++++++------
 django_app/redbox_app/urls.py | 1 +
 7 files changed, 136 insertions(+), 38 deletions(-)
 create mode 100644 django_app/redbox_app/templates/cookies.html
diff --git a/django_app/frontend/src/css/general.scss b/django_app/frontend/src/css/general.scss
index 8e104d308..53cfc49b4 100644
--- a/django_app/frontend/src/css/general.scss
+++ b/django_app/frontend/src/css/general.scss
@@ -105,6 +105,14 @@ body {
 .govuk-link:visited {
 color: var(--iai-product-colour);
 }
+@media (max-width: 1019px) {
+ .iai-footer__list {
+ margin-top: 0.5rem;
+ }
+ .iai-footer__list-item {
+ margin-top: 0.25rem;
+ }
+}
 @import "./profile.scss";
diff --git a/django_app/redbox_app/redbox_core/views/__init__.py b/django_app/redbox_app/redbox_core/views/__init__.py
index 947f030af..6a6e9ea1c 100644
--- a/django_app/redbox_app/redbox_core/views/__init__.py
+++ b/django_app/redbox_app/redbox_core/views/__init__.py
@@ -17,7 +17,12 @@
 file_status_api_view,
 remove_doc_view,
 )
-from redbox_app.redbox_core.views.info_views import accessibility_statement_view, privacy_notice_view, support_view
+from redbox_app.redbox_core.views.info_views import (
+ accessibility_statement_view,
+ cookies_view,
+ privacy_notice_view,
+ support_view,
+)
 from redbox_app.redbox_core.views.misc_views import SecurityTxtRedirectView, health, homepage_view
 from redbox_app.redbox_core.views.signup_views import Signup1, Signup2, Signup3, Signup4
@@ -38,6 +43,7 @@ "privacy_notice_view", "accessibility_statement_view", "support_view", + "cookies_view", "sign_in_view", "sign_in_link_sent_view", "signed_out_view", diff --git a/django_app/redbox_app/redbox_core/views/info_views.py b/django_app/redbox_app/redbox_core/views/info_views.py index df4741474..98ca88587 100644 --- a/django_app/redbox_app/redbox_core/views/info_views.py +++ b/django_app/redbox_app/redbox_core/views/info_views.py @@ -20,6 +20,11 @@ def privacy_notice_view(request): ) +@require_http_methods(["GET"]) +def cookies_view(request): + return render(request, "cookies.html", {}) + + @require_http_methods(["GET"]) def support_view(request): return render( diff --git a/django_app/redbox_app/templates/base.html b/django_app/redbox_app/templates/base.html index b56b7b51f..b47efd2fd 100644 --- a/django_app/redbox_app/templates/base.html +++ b/django_app/redbox_app/templates/base.html @@ -96,6 +96,7 @@ {% set footer_links = [ {'text': 'Privacy', 'url': url('privacy-notice') }, + {'text': 'Cookies', 'url': url('cookies') }, {'text': 'Accessibility', 'url': url('accessibility-statement') }, {'text': 'Support', 'url': url('support') }, {'text': 'Sitemap', 'url': url('sitemap') } diff --git a/django_app/redbox_app/templates/cookies.html b/django_app/redbox_app/templates/cookies.html new file mode 100644 index 000000000..412b87df1 --- /dev/null +++ b/django_app/redbox_app/templates/cookies.html @@ -0,0 +1,45 @@ +{% extends "base.html" %} + +{% set pageTitle = "Cookies" %} + +{% set departmental_owner = "DSIT" %} +{% set department_address = "DSIT Data Protection Officer, Department for Science, Innovation & Technology, 22-26 Whitehall, London, SW1A 2EG, Email dataprotection@dsit.gov.uk" %} +{% set last_updated = "13th February 2025" %} + +{% block content %} + +
+
+ +

Redbox Cookies Notice

+
+

The Department for Science and Innovation (DSIT) is the controller and is responsible for the processing of your Personal Data as described in this Privacy Policy.

+ + + + + + + + + + + + + + + + + + + + + + +
Cookies
NamePurposeExpires
csrftokenPrevent cross-site request forgery (CSRF) attacks364 days
sessionidKeeps track of the signed-in user’s session21 hours
+ +
+
+
+{% endblock %}
diff --git a/django_app/redbox_app/templates/privacy-notice.html b/django_app/redbox_app/templates/privacy-notice.html
index 46023ab06..4f044d948 100644
--- a/django_app/redbox_app/templates/privacy-notice.html
+++ b/django_app/redbox_app/templates/privacy-notice.html
@@ -1,75 +1,107 @@
 {% extends "base.html" %}
-{% set pageTitle = "Privacy notice" %}
-
-{% if waffle_flag(request, "uktrade") %}
- {% set departmental_owner = "Department for Business and Trade" %}
- {% set department_address = "Department for Business and Trade, Old Admiralty Building, Admiralty Place, London, SW1A 2DY" %}
- {% set last_updated = "21st June 2024" %}
-{% else %}
- {% set departmental_owner = "Cabinet Office" %}
- {% set department_address = "Cabinet Office, 70 Whitehall, London, SW1A 2AS, or 0207 276 1234, or publiccorrespondence@cabinetoffice.gov.uk" %}
- {% set last_updated = "16th April 2024" %}
-{% endif %}
+{% set pageTitle = "Privacy Policy" %}
+
+{% set departmental_owner = "DSIT" %}
+{% set department_address = "DSIT Data Protection Officer, Department for Science, Innovation & Technology, 22-26 Whitehall, London, SW1A 2EG, Email dataprotection@dsit.gov.uk" %}
+{% set last_updated = "13th February 2025" %}
 {% block content %}
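Review bot: The opening paragraph of the new cookies.html is the privacy notice's Data Controller sentence copied as-is: it ends "as described in this Privacy Policy" on a page titled as a cookies notice. It also names "The Department for Science and Innovation (DSIT)", while `department_address` a few lines above spells the department "Department for Science, Innovation & Technology". The same naming mismatch appears in the Data Controller paragraph of privacy-notice.html, and patch 2/2 leaves both sentences unchanged. The expiry column ("364 days" for `csrftoken`, "21 hours" for `sessionid`) is hard-coded, so it should be checked against `CSRF_COOKIE_AGE` and `SESSION_COOKIE_AGE` in the project settings (not shown here); a template comment such as `{# keep in sync with CSRF_COOKIE_AGE / SESSION_COOKIE_AGE #}` next to the table would stop the notice drifting when those values change. `departmental_owner`, `department_address` and `last_updated` are set at the top of the template, but no use of them is visible in the page text as shown, so they may be dead.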
-

Privacy notice for Redbox

+

Redbox Privacy Policy

This notice sets out how we will use your personal data, and your rights. It is made under Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR).

+

Data Controller

+

The Department for Science and Innovation (DSIT) is the controller and is responsible for the processing of your Personal Data as described in this Privacy Policy.

+

Your data

Purpose

The purposes for which we are processing your personal data are:

-
    -
  • enabling login to the platform
  • -
  • information will be aggregated and used for anonymous further analysis
  • +
      +
    • Enabling login to the platform
    • +
    • Information will be aggregated and used for anonymous further analysis
    • +
    • To contact you to take part in research into how to improve the service if you have opted in to research in the Redbox Terms and Conditions
    • +
    • To contact you when maintenance, changes to terms or other changes are being made that may affect your use of Redbox

    The data

    +

    Personal data you provide

    We will process the following personal data:

    -
      -
    • organisational email address
    • +
        +
      • + Information gathered at Signup +
          +
        • work email address
        • +
        • grade
        • +
        • profession
        • +
        • business unit
        • +
        • department
        • +
        +
      • +
      • As stipulated in the Terms and Conditions the use of personal data is not permitted as part of any user input into Redbox, either in content loaded or through chat. However; there is no way with current technology to prevent if personal data is inputted into Redbox through content or chat (this is further laid out in the Retention section of this Policy, it will be deleted after 30 days.)
      • +
      • The Content (both Inputs and Outputs) may be referred to for research purposes
      • +
      +

      Personal Data We Receive from Your Use of the Services

      +

      When you visit, use, or interact with the Services, we receive the following information about your visit, use, or interactions:

      +

      Via Plausible Analytics the following information is gathered:

      +
        +
      • Browser type and settings
      • +
      • Device information
      • +
      • Page URL
      • +
      • HTTP Referrer
      • +
      • Operating system
      • +
      • Country, region
      • +
      • Internet Protocol (IP) address
      +

      Plausible Analytics collects anonymous analytics data about user use of Redbox. IP address is collected but mixed with other data to disguise individual identity. Analytics data is wiped at the end of each day so no history is retained about an individual’s use of Redbox. You can view more information on how Plausible uses this data.

      +

      “Essential cookies” are captured as they are required for essential functionality and security. Please read our cookies notice for further information

      +

      If you change role or department you can tell the product team for your details to be changed to keep them up to date.

      +

      Legal basis of processing

      The legal basis for processing your personal data is:

      -
        -
      • data subject consents
      • +
          +
        • Public task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller, to provide appropriate tools and systems to support civil servants to summarise documents and develop briefings.

        Recipients

        -

        Your personal data will be shared by us with analysts/researchers within the {{ departmental_owner }} if you have consented to be contacted further about Redbox.

        -

        As your personal data will be stored on our IT infrastructure it will also be shared with our data processors who provide email and document management and storage services.

        +

        Your personal data will be shared by us with analysts/researchers within the {{ departmental_owner }} Incubator for Artificial Intelligence (i.AI) if you have opted to take part in research.

        +

        As your personal data will be stored on our IT infrastructure it will also be shared with our data processors who provide email and document management and storage services. As part of the existing contracts with the Large Language Model (LLM) they will not use any data inputted to train the models. These LLMs are treated as Third Party services and as such their respective Terms of Use and Terms of Conditions, found on their websites, will apply.

        Retention

        -

        Your personal data will be retained for 12 months after account inactivity. At that point we will delete your email address, depersonalising the data we hold. If you have provided us consent to contact you, we will retain your email until and continue sharing it with evaluators so they can conduct research on the long term impact of Redbox.

        +

        Your personal data will be retained for 12 months after account inactivity. At that point we will delete your email address, depersonalising the data we hold.

        +

        Redbox stores your content for 30 days. Content that you delete is archived but accessible for Freedom of Information requests (FOIs) for 30 days.

        +

        Documents will automatically be deleted when a chat is deleted.

        +

        All data is stored in Cabinet Office AWS and Elastic.

        Your rights

        -

        You have the right to request information about how your personal data are processed, and to request a copy of that personal data.

        -

        You have the right to request that any inaccuracies in your personal data are rectified without delay.

        -

        You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement.

        -

        You have the right to request that your personal data are erased if there is no longer a justification for them to be processed.

        -

        You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.

        -

        You have the right to object to the processing of your personal data where it is processed for direct marketing purposes.

        -

        You have the right to withdraw consent to the processing of your personal data at any time.

        +
          +
        • You have the right to request information about how your personal data are processed, and to request a copy of that personal data.
        • +
        • You have the right to request that any inaccuracies in your personal data are rectified without delay.
        • +
        • You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement.
        • +
        • You have the right to request that your personal data are erased if there is no longer a justification for them to be processed.
        • +
        • You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.
        • +
        • You have the right to object to the processing of your personal data where it is processed for direct marketing purposes.
        • +
        • You have the right to withdraw consent to the processing of your personal data at any time.
        • +
        +

        You will be asked to re-accept Terms and Conditions every 1 year as well as every time the Terms and Conditions are updated.

        International transfers

        -

        As your personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the UK. Where that is the case it will be subject to equivalent legal protection through an adequacy decision or reliance on Standard Contractual Clauses.

        - -

        Complaints

        -

        If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, or 0303 123 1113, or icocasework@ico.org.uk. Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

        +

        Redbox personal data is stored on our IT infrastructure in the UK. However, Redbox chat data is processed where it is subject to equivalent legal protection as the UK through an adequacy decision.

        Contact details

        -

        The data controller for your personal data is the {{ departmental_owner }}. The contact details for the data controller are: {{ department_address | safe }}.

        -

        The contact details for the data controller's Data Protection Officer are: dpo@cabinetoffice.gov.uk.

        -

        The Data Protection Officer provides independent advice and monitoring of {{ departmental_owner }}'s use of personal information.

        +

        The data controller for your personal data is {{ departmental_owner }}. The contact details for the data controller are: {{ department_address | safe }}.

        +

        If you are unhappy with the way we have handled your personal data, please write to the department’s Data Protection Officer in the first instance using the contact details above.

        + +

        Complaints

        +

        If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, or 0303 123 1113, or icocasework@ico.org.uk.

        Changes to this notice

        -

        We may change this privacy notice. When we make changes to this notice, the "last updated" date at the bottom of this page will also change. Any changes to this privacy notice will apply to you and your data immediately. If these changes affect how your personal data is processed, {{ departmental_owner }} will take reasonable steps to make sure you know.

        +

        We may change this privacy notice. When we make changes to this notice, the "last updated" date at the bottom of this page will also change. Any changes to this privacy notice will apply to you and your data immediately. If these changes affect how your personal data is processed, {{ departmental_owner }} will take reasonable steps to make you aware of the changes.

        Last updated: {{ last_updated }}
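Review bot: The legal basis is changed from consent to public task, but the "Your rights" list still ends with "the right to withdraw consent to the processing of your personal data at any time", and Purpose and Recipients now describe an opt-in to research. The notice should state which processing, if any, still rests on consent and how it is withdrawn. The hunk also removes the `waffle_flag(request, "uktrade")` branch, so any deployment that still has that flag on will now name DSIT rather than the Department for Business and Trade as controller; worth confirming that is intended. The retention statements added here (content stored for 30 days, email deleted 12 months after inactivity) are commitments that need a matching deletion job or configuration, and nothing in this series shows one. `{{ department_address | safe }}` now renders a value containing a bare `&`; because the string is a template constant, `| safe` can probably be dropped so autoescaping emits `&amp;`, unless the address carries markup that is not visible here.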

diff --git a/django_app/redbox_app/urls.py b/django_app/redbox_app/urls.py
index ddf9792c5..161053ddc 100644
--- a/django_app/redbox_app/urls.py
+++ b/django_app/redbox_app/urls.py
@@ -34,6 +34,7 @@
 info_urlpatterns = [
 path("privacy-notice/", views.info_views.privacy_notice_view, name="privacy-notice"),
+ path("cookies/", views.cookies_view, name="cookies"),
 path(
 "accessibility-statement/",
 views.accessibility_statement_view,
From a504d64e8a0545d5aedf133923ee6e3cb64780fa Mon Sep 17 00:00:00 2001
From: Kevin Etchells
Date: Thu, 13 Feb 2025 16:00:08 +0000
Subject: [PATCH 2/2] Update page titles and tests linting
---
 django_app/redbox_app/templates/cookies.html | 2 +-
 django_app/redbox_app/templates/privacy-notice.html | 4 ++--
 tests/pages.py | 8 +++++++-
 3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/django_app/redbox_app/templates/cookies.html b/django_app/redbox_app/templates/cookies.html
index 412b87df1..508360071 100644
--- a/django_app/redbox_app/templates/cookies.html
+++ b/django_app/redbox_app/templates/cookies.html
@@ -11,7 +11,7 @@
-

Redbox Cookies Notice

+

Redbox cookies notice

The Department for Science and Innovation (DSIT) is the controller and is responsible for the processing of your Personal Data as described in this Privacy Policy.

diff --git a/django_app/redbox_app/templates/privacy-notice.html b/django_app/redbox_app/templates/privacy-notice.html
index 4f044d948..ac9ab111c 100644
--- a/django_app/redbox_app/templates/privacy-notice.html
+++ b/django_app/redbox_app/templates/privacy-notice.html
@@ -1,6 +1,6 @@
 {% extends "base.html" %}
-{% set pageTitle = "Privacy Policy" %}
+{% set pageTitle = "Privacy policy" %}
 {% set departmental_owner = "DSIT" %}
 {% set department_address = "DSIT Data Protection Officer, Department for Science, Innovation & Technology, 22-26 Whitehall, London, SW1A 2EG, Email dataprotection@dsit.gov.uk" %}
@@ -11,7 +11,7 @@
-

Redbox Privacy Policy

+

Redbox privacy policy

This notice sets out how we will use your personal data, and your rights. It is made under Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR).

diff --git a/tests/pages.py b/tests/pages.py
index bda25c347..7aaa4e6dd 100644
--- a/tests/pages.py
+++ b/tests/pages.py
@@ -456,7 +456,13 @@ def back_to_chat(self) -> ChatsPage:
 class PrivacyPage(BasePage):
 @property
 def expected_page_title(self) -> str:
- return "Privacy notice - Redbox"
+ return "Privacy policy - Redbox"
+
+
+class CookiesPage(BasePage):
+ @property
+ def expected_page_title(self) -> str:
+ return "Cookies - Redbox"
 class AccessibilityPage(BasePage):
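Review bot: `CookiesPage` is added as a page object, but the diffstats of both patches list no test module other than tests/pages.py, so nothing in this series navigates to the cookies route or asserts the "Cookies - Redbox" title. The class is unused unless a test outside the series reaches it. A test that follows the new footer link and returns a `CookiesPage` would exercise `cookies_view`, the `cookies` URL name and the template together. The module continues outside the hunk, so an existing navigation helper on `BasePage` may already make this a small addition.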