Request a demo

Data sharing and security agreement

Updated 5 October 2023

Our responsibilities for data protection under the GDPR.

SocietyWorks Ltd (company number: 05798215) is a wholly owned subsidiary of mySociety, a registered charity in England and Wales (charity number: 1076346) and company limited by guarantee (company number: 03277032).

SocietyWorks Ltd is a registered data controller (ICO registration number: ZA937521). mySociety is a registered data controller (ICO registration number: Z9602302).

1. Roles

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Processing, in relation to personal data, means any operation or set of operations which is performed on personal data or on sets of personal data (whether or not by automated means, such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction).


These roles impose certain responsibilities on both parties under the UK GDPR.

If a member of the public submits a request or report in relation to the provision of SocietyWorks’ services (including FixMyStreet Pro, WasteWorks, FOIWorks or ApplyWorks), the processing of the data involved is covered by SocietyWorks and the client acting as joint controllers. 

2. Controller responsibilities

3. What personal data is collected and shared

When a user submits a report through FixMyStreet or FixMystreet Pro, the following personal data is collected:

When a user submits a report or request through WasteWorks, the following personal data is collected:

SocietyWorks does not handle any payment information via WasteWorks. Payment details are handled by the client’s payment provider, who provides SocietyWorks with an authorisation response to indicate the status of a transaction.

When a user submits a request through FOIWorks, the following personal data is collected:

4. Who has access to personal data

At SocietyWorks, some members of staff have access to this data (see below under Security for details of access control). During any period of time, 1-3 members of SocietyWorks staff may be actively moderating the site. They are trained to protect personal data, not sharing it with anyone outside the direct SocietyWorks team other than in exceptional circumstances (for example, if required by law to hand it over to police; if serious abuse of the site prompts them to escalate to the wider team of developers; or if concerns for a user’s safety causes them to seek advice from the Managing Director (SocietyWorks), Chief Executive (mySociety) or non-executive directors / trustees).

Clients also have access to the admin function of their SocietyWorks product, giving them access to data within their own boundaries. The authority’s own data protection policies apply when this data is accessed by their employees.

5. How the data is used

SocietyWorks only uses users’ personal data for the purpose of sending their report or request to the relevant authority and to send them follow-up emails to ask if their issue has been resolved. 

Clients should use this data only to action and respond to the reported issue, and should not add it to any other database, eg. a newsletter list.

6. Joint control arrangement

Where SocietyWorks and the client are independent controllers in relation to the processing of client personal data, each party shall comply with UK GDPR in relation to its processing of client personal data.

Where the parties are joint controllers, the client is the point of contact for data subjects and is responsible for all steps necessary to comply with the UK GDPR regarding the exercise of data subjects of their rights under the UK GDPR. The client shall direct data subjects to its data protection officer or suitable alternative in connection with the exercise of their rights as data subjects and for any enquiries concerning their personal data or privacy.

SocietyWorks and the client acknowledge that a data subject has the right to exercise their legal rights under UK GDPR as against the relevant party as controller.

SocietyWorks and the client shall:

Each joint controller shall use its reasonable endeavours to assist the other controller to comply with any obligations under UK GDPR. 

SocietyWorks and the client shall notify the other party promptly, and in any event within 48 hours, upon becoming aware of any personal data breach or circumstances that are likely to give rise to a personal data breach, providing the other party and its advisors with sufficient information in a timescale which allows the other party to meet any obligations to report a personal data breach under UK GDPR, and all reasonable assistance. 

SocietyWorks and the client shall provide all reasonable assistance to the other to prepare any data protection impact assessment as may be required (including provision of detailed information and assessments in relation to processing operations, risks and measures); and maintain full and complete records of all processing carried out in respect of the personal data in connection with the agreement.

In respect of any processing of personal data performed by a third party on behalf of SocietyWorks or the client, that party shall carry out adequate due diligence on such third party to ensure that it is capable of providing the level of protection for the personal data as is required by the agreement and UK GDPR, and provide evidence of such due diligence to the other party where reasonably requested; and ensure that a suitable agreement is in place with the third party as required under UK GDPR.

SocietyWorks and the client agree to cease processing personal data as practicable after it has ceased to be necessary for them to process such personal data for any lawful purpose and in compliance with any data retention terms in their privacy policy.

7. Security

All passwords on our services must meet minimum complexity requirements, and login attempts are throttled, mitigating against remote brute-forcing. All passwords are stored in the database encrypted with a one-way bcrypt hash, mitigating against local brute-forcing.  SocietyWorks Administrator accounts must adhere to our own strict security policies, plus have two-factor authentication (whereby a changing code on a device needs to be input in addition to a password in order to log in).

SocietyWorks’ services are hosted on mySociety’s scalable, automated and secure server platform that makes use of both public and private cloud infrastructure. All systems are hosted in secure, access-controlled  data centres in the UK and Ireland. All data centre operators have ISO27001 certification.7

Every server runs a host based firewall to restrict inbound and outbound access of traffic. All servers and the packages on them are regularly and routinely patched to minimise the potential for vulnerabilities. SocietyWorks maintains a least-permissive access control model to reduce potential cross-contamination of access in the event of a security compromise.

Privileged credentials are only transmitted to SocietyWorks servers via encrypted protocols (HTTPS or SSH). Credentials are only exchanged in person or out-of-band with manual integrity checking.

A summary of our security measures will be maintained on the SocietyWorks website here: 

8. Lawful basis for processing

SocietyWorks’ lawful basis for processing is legitimate interests – we have an interest in running our problem reporting service for the benefit of the users and for society, and process personal data in a way that has a minimal impact on privacy and in ways they would reasonably expect. We take the submission of data on our services to be consent to the processing of the user’s personal data as described on this page and in the privacy policy. 

We clearly state how different types of users’ data (personal and public) will be processed. We believe that no other active consent is required from the user since, as the ICO says, there is “a positive action that makes it clear someone is agreeing to the use of their information for a specific and obvious purpose”.

9. Retention periods

We remove user accounts and anonymise problem reports that have been inactive for a period of two years on FixMyStreet and WasteWorks. Except in exceptional circumstances, we do not delete problem reports or updates made through FixMyStreet and WasteWorks. 

Historic FixMyStreet reports provide an invaluable resource for researchers into the quantity and type of street problems made across the UK during the years the site has been running. This research can help inform civic planners, developers, coders, historians and social scientists, among others. Therefore, if a user asks for a report to be removed, in most cases we will instead invite them to anonymise it (which they can do themselves when logged in to the site), so that there is no personal data present, or public connection between the content and the user’s name.

The retention period for FOIWorks requests are as follows: We delete requests and all user’s personal information;

10. Research

SocietyWorks and mySociety sometimes share anonymised data with researchers, and sometimes perform their own research on data generated by our websites. In the case of reports sent through FixMyStreet, this data will never include the user’s name, address, email address or any other identifying information. Data is only looked at in aggregate, for example to see how many reports were made in a specific area or within a specific category.

11. Client checklist

We advise clients to check the following:


This document has been prepared by the SocietyWorks client team who can be contacted at