digitalmarketplace-manual

1.0.0

Digital Marketplace background

History: From G-Cloud 5 to G-Cloud 8
Finding Things
User Journeys on the Digital Marketplace
GDPR

Developing the Digital Marketplace

Accessing the API
Adding a new repository
Application architecture
Apply to Supply
Browser and accessibility support
Environments
Developer setup
Repositories
Recording decisions on the Digital Marketplace
Digital Marketplace Runner (‘dmrunner’)
Nix Environments
Data model
Development and deployment process
Migrating the Digital Marketplace frontend
Moving data between environments
URLs
Users
Google Analytics
Load testing
Automated testing
Splitting or adding a frontend application
Database migrations
Docker strategies
Frontend assets and tools
Python typing strategy
Guidelines for accessing production data and systems
Managing database backups for the NFT environment

Content and frameworks

Preparing to add a new framework
Framework lifecycle for developers
How suppliers apply to a framework
Framework agreements
Contract variations
Adding a new form field type
Finding content
Changing content
Testing supplier applications
Useful API endpoints for frameworks

Infrastructure

The Antivirus API
AWS accounts and access
AWS Resources
Code backups
Database backups
Domains
Email integration
OpenSearch
Jenkins
GitHub Actions
Logging, monitoring and alerting
Maintenance Mode
Python environments
What is PaaS?
Deploying Digital Marketplace apps to GOV.UK PaaS
Rate Limiting
Upgrading backend services
Session Management

Managing People and Secret Things

Credentials and secrets
Adding and removing access for new starters / leavers
Requirements for access to production environments

2nd Line Runbook

Incidents
Logging in to databases
Resetting brief data with conduit
IP Restrictions
Upgrading Jenkins
Rebuilding Jenkins from scratch
Rotating API keys
Debugging PaaS App Instances
Vulnerability scanning
Novations
Support Tasks
Responding to Cloudwatch alerts
Buyer Domain Allow List

What is this?

README

digitalmarketplace-manual

GDPR
Edit on GitHub

GDPR¶

What is the GDPR?¶

In 2018 GDPR (General Data Protection Regulation) was a big deal. They were a new set of rules laid out by the European Parliament that enshrined the responsibilities of parties that collect, store and/ or process personal data in law.

In a policy sense, the GDPR aimed to place the burden of these responsibilities unequivocally with those data processors/ data controllers, rather than allowing companies to defer that responsibility to the individual referred to in the data.

To this end the GDPR provided a mandate to EU member states’ data protection/ regulation organisations to levy very significant fines for the misuse/ or poor handling of an individuals personal data.

In short; if an organisation leaks data, emails a person that hasn’t asked to be emailed, or shares an individuals data without permission, then rather than saying ‘well if they didn’t want us to do that they shouldn’t have given us their data’, that organisation could be fined the greater of €10m or 2% of global annual turnover.

The Digital Marketplace as a Data Processor¶

In the terms of the GDPR it was decided that we best fit the category of a data processor. Because we process and store data on behalf of CCS (the data controller).

We then used the GDPR legislation to determine what our responsibilities were and wrote a GDPR Policy Document detailing how we meet them. One of our core responsibilities as a data processor was to know what data we stored and how we processed it. For this we produced a Data Inventory document.

Sharing Data with CCS¶

After seeking legal advice it was found that Digital Marketplace and CCS can share data across departmental boundaries because they are all part of the same organisation (the Cabinet Office). Furthermore we are working to achieve the same goals.

However we took the view that it would be prudent to ensure that:

We created an data sharing agreement document between the Digital Marketplace team and CCS
We explicitly noted this in both our GDPR documentation and Privacy Notice
We share only what is strictly necessary

Data Minimisation¶

A core tenet of the GDPR is the prinicpal of data minimisation. This principal states that organisations:

must limit personal data collection, storage, and usage to data that is relevant, adequate, and absolutely necessary for carrying out the purpose for which the data is processed.

As long as we continue to only collect data based on user needs then this should be adhered to. But it is something for the entire team to be mindful of.

Documentation¶

GDPR Policy Document (how we satisfy our responsibilities)
Data Sharing Agreement
Privacy Notice
Data Inventory

Previous Next

© Copyright 2013 - 2024 Digital Marketplace.

Built with Sphinx using a theme provided by Read the Docs.