Merge pull request #489 from alphagov/terms-of-use

Updated terms of use in line with feedback received via security assu…
This commit is contained in:
Pete Herlihy
2016-04-25 10:54:28 +01:00


@@ -35,7 +35,6 @@ Terms of use GOV.UK Notify
<li><a href="#you-agree-not-to-send-marketing">not to use GOV.UK Notify to send marketing messages</a></li>
<li><a href="#you-agree-to-send-messages-consistent-with-our-guidelines">to send messages consistent with our design patterns, style guide and information security principles</a></li>
<li><a href="#you-agree-to-use-delivery-data-to-improve">to use GOV.UK delivery data to continuously improve the quality of your contact data</a></li>
<li><a href="#you-agree-not-to-exceed-your-estimated-sending-volumes">not to exceed your estimated sending volumes by more than ten percent</a></li>
</ul>
<p>Before you can send real messages:</p>
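Review bot: dropping the `#you-agree-not-to-exceed-your-estimated-sending-volumes` entry from this summary list only works if the section carrying that `id` is removed in the same change and nothing else on the page links to it; check the "your-side" section and any external links that deep-link to the old anchor, otherwise readers land on a heading that no longer exists.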
@@ -70,9 +69,13 @@ Terms of use GOV.UK Notify
We agree to keep your data secure
</h3>
<p>GOV.UK Notify only stores personal data for the time it takes to process it and report back to you &ndash; less than 24 hours. After this time, we delete all personal data. We keep some non-personal data for logging and reporting.</p>
<p>GOV.UK Notify (as a whole, including subcontractors) currently store personal data for up to 1 year, and non-personal data indefinitely.</p>
<p>GOV.UK Notify is security accredited by the Cabinet Office Senior Information Risk Officer (siro). We maintain appropriate technical and organisational measures to protect data. We make sure our subcontractors follow the same procedures.</p>
<p>GOV.UK Notify has been through an information assurance process to assess information risks, to determine appropriate treatments for those risks and to obtain risk acceptance from the Cabinet Office Senior Information Risk Officer (SIRO). This work includes the completion of a Privacy Impact Assessment to ensure compliance with the Data Protection Act.</p>
<p>We do not conduct, or enable, analysis of when the same recipient (mobile number, email or postal address) is contacted by multiple Government organisations. We may do so if required by law enforcement.</p>
<p>We maintain appropriate technical and organisational measures to protect data. We make sure our subcontractors follow the same procedures.</p>
<p>Cabinet Office act as data processor, as parent organisation of GOV.UK Notify. Your organisation remains the data controller.</p>
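Review bot: "GOV.UK Notify (as a whole, including subcontractors) currently store personal data for up to 1 year" has a subject-verb mismatch ("stores"), and it replaces a concrete under-24-hour deletion commitment with a one-year ceiling without saying which component holds what for how long; split the Notify-side retention from subcontractor retention and say what "non-personal data indefinitely" covers, in particular whether message metadata such as recipient identifiers counts as personal. "We may do so if required by law enforcement" opens a carve-out with no legal basis or process named; "where required to by law" with a reference to the governing legislation is the usual wording, and "or enable" only holds if subcontractors are contractually bound by the same restriction. Finally, "Cabinet Office act as data processor" should read "acts".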
@@ -83,6 +86,9 @@ Terms of use GOV.UK Notify
</h3>
<p>Well email you if you need to change these terms. Well tell you clearly what is changing and when the change will come into effect.</p>
<p>This includes when any of our email, text message or postal providers change.</p>
</section>
<section id="your-side">
@@ -94,12 +100,14 @@ Terms of use GOV.UK Notify
You agree not to compromise the security of GOV.UK Notify
</h3>
<p>You agree to get your service accredited by your organisations Senior Information Risk Officer (siro). You dont need to include accreditation of GOV.UK Notify or our delivery partners, since weve already done that.</p>
<p>You agree to get your service assured through your organisations information assurance (security) process. You dont need to include assurance of GOV.UK Notify or our delivery partners, since weve already done that - we can share the work weve done.</p>
<p>You must tell us immediately if you have any security breaches. This is so we can make sure other services are not affected.</p>
<p>You must follow industry best practices for keeping your API keys secure.</p>
<p>You must ensure you have obtained correct levels of consent - both to send messages but also for how data is shared in order to do so.</p>
<p>You must not perform any load testing on GOV.UK Notify, since weve already done it.</p>
<h3 class="heading-small" id="you-agree-not-to-send-marketing">
@@ -113,7 +121,7 @@ Terms of use GOV.UK Notify
<ul class="list list-bullet">
<li>The user completed a transaction, you send them a confirmation email</li>
<li>The user got an MOT a year ago, you remind them that its about to expire</li>
<li>The user signed up for email alerts, you send them said email alerts</li>
<li>The user signed up for email alerts, you send them email alerts</li>
</ul>
<p>You dont need to ask permission to send messages that directly relate to a transaction. By using a transaction, a user is implicitly agreeing to receive messages about that transaction.</p>
@@ -126,9 +134,9 @@ Terms of use GOV.UK Notify
<li>Continuing to update someone about a service they no longer use</li>
</ul>
<p>You agree not to use GOV.UK Notify to send marketing messages.</p>
<p>You must agree not to use GOV.UK Notify to send marketing messages.</p>
<p>If you attempt to use GOV.UK Notify for marketing, your templates wont pass our content review.</p>
<p>If you do use GOV.UK Notify to send marketing messages, we may refuse to accept further messages for delivery.</p>
<h3 class="heading-small" id="you-agree-to-send-messages-consistent-with-our-guidelines">
You agree to send messages consistent with our design patterns, style guide and information security guidelines
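Review bot: "You must agree not to use GOV.UK Notify to send marketing messages" reads oddly against the heading "You agree not to send marketing" and the other clauses in this section, which use "You agree to ..." or "You must not ..."; either the previous "You agree not to use" or "You must not use" keeps the register consistent.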
@@ -136,25 +144,20 @@ Terms of use GOV.UK Notify
<p>Your messages must follow our <a href="https://designpatterns.hackpad.com/Notifications-5vuitmNqIjZ" rel="external">design patterns</a>, <a href="https://www.gov.uk/topic/government-digital-guidance/content-publishing" rel="external">style guide</a> and <a href="https://docs.google.com/document/d/15-OjaEqDBy31uDU7nLZCpYIQOnzSCJR63-cp3cQI9G8" rel="external">information security guidelines</a>.</p>
<p>Your messages must not contain any personal, or otherwise sensitive, information.</p>
<h3 class="heading-small" id="you-agree-to-use-delivery-data-to-improve">
You agree to use GOV.UK Notify delivery data to continuously improve the quality of your contact data
</h3>
<p>When you send messages through GOV.UK Notify, we provide feedback on the status of every text message, email and letter.</p>
<p>You agree to use our delivery data to remove bounced email addresses, mobile numbers and postal addresses from your database.</p>
<p>You agree to use our delivery data to check (and potentially remove) bounced email addresses, mobile numbers and postal addresses from your database.</p>
<p>You agree to ensure your users personal data is kept accurate and up to date, in line with Data Protection Act principles.</p>
<p>If you have consistently high bounce rates, we will investigate and may refuse to accept further messages for delivery. This is to protect delivery rates for other services using GOV.UK Notify.</p>
<h3 class="heading-small" id="you-agree-not-to-exceed-your-estimated-sending-volumes">
You agree not to exceed your estimated sending volumes by more than ten percent
</h3>
<p>As part of requesting to go live, you must estimate how many text messages, emails and letters you plan to send each year, including any spikes or seasonal variation.</p>
<p>If you exceed your sending limits by more than ten percent, we may refuse to accept further messages for delivery. This is to protect delivery rates for other services using GOV.UK Notify.</p>
<p>If you need to increase your sending limits, <a href="https://docs.google.com/forms/d/1AL8U-xJX_HAFEiQiJszGQw0PcEaEUnYATSntEghNDGo/viewform">let us know</a>.</p>
</section>
<section id="requesting-to-go-live">
@@ -166,6 +169,7 @@ Terms of use GOV.UK Notify
<ul class="list list-bullet">
<li>you must tell us approximately how many text messages, emails and letters you plan to send</li>
<li>you must ensure you have obtained consent to both send messages themselves, but also share data in order to do so</li>
<li>if you plan to send more than 250,000 text messages per year or any number of letters, your organisation must agree to pay any costs you run up using GOV.UK Notify</li>
<li>we will check the messages you plan to send to make sure they meet our guidelines</li>
</ul>
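Review bot: "you must ensure you have obtained consent to both send messages themselves, but also share data in order to do so" does not parse; "consent both to send the messages and to share the data needed to send them" says the same thing. This bullet also repeats the consent sentence in the "You agree not to compromise the security" section; one of the two should reference the other rather than restate it with different wording.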
@@ -199,6 +203,9 @@ Terms of use GOV.UK Notify
</h2>
<p>You can remove your service from GOV.UK Notify at any time. <a href="{{ url_for('main.feedback') }}">Contact us</a> and well delete your account.</p>
<p>Any data that you have processed through GOV.UK Notify will be deleted as part of the existing data deletion processes.</p>
</section>
</div>
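Review bot: "deleted as part of the existing data deletion processes" is unspecified; tie it to the retention periods stated in "We agree to keep your data secure" (personal data up to 1 year, non-personal data indefinitely) so a service that removes its account knows whether removal triggers deletion or simply lets the normal retention period run out.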