Request a demo

Data sharing and security agreement

Updated 4 March 2022

Our responsibilities for data protection under the GDPR.

SocietyWorks Ltd (05798215) is a wholly owned subsidiary of mySociety, a registered charity in England and Wales (1076346) and limited company (03277032).

mySociety is a registered data controller (Z9602302). From hereon, this document refers to the group as ‘mySociety’, for the sake of simplicity.

1. Roles

Data controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed

Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Processing, in relation to information or data means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including —

  1. organisation, adaptation or alteration of the information or data,
  2. retrieval, consultation or use of the information or data,
  3. disclosure of the information or data by transmission, dissemination or otherwise making available, or
  4. alignment, combination, blocking, erasure or destruction of the information or data.


These roles impose certain responsibilities on both parties under the GDPR which came into force in May 2018.

If a member of the public submits a request or report via the client’s branded version of one of SocietyWorks’ services (including FixMyStreet Pro, WasteWorks, NoiseWorks, FOIWorks or ApplyWorks), mySociety is acting as a data processor for the client. In this instance the client is then the sole data controller.

If a member of the public goes directly to the national FixMyStreet site and reports a fault the client is responsible for, mySociety will be considered the data controller for this processing. In accordance with the stated terms of the service mySociety will transfer the fault report to the client, but this transfer takes place as a data controller to data controller transfer.

2. Data Controller responsibilities

3. What personal data is collected and shared

When a user submits a report through FixMyStreet or FixMystreet Pro, the following personal data is collected:

When a user submits a report or request through WasteWorks, the following personal data is collected:

mySociety does not handle any payment information via WasteWorks. Payment details are handled by the client’s payment provider, who provides mySociety with an authorisation response to indicate the status of a transaction.

When a user submits a request through FOIWorks, the following personal data is collected:

When a user submits a report through NoiseWorks, the following personal data is collected:

4. Who has access to personal data

At mySociety, some members of staff have access to this data (see below under Security for details of access control). During any period of time, 1-3 members of mySociety staff may be actively moderating the site. They are trained to protect personal data, not sharing it with anyone outside the direct SocietyWorks team other than in exceptional circumstances (for example, if required by law to hand it over to police; if serious abuse of the site prompts them to escalate to the wider team of developers; or if concerns for a user’s safety causes them to seek advice from the Chief Executive or trustees).

Clients also have access to the admin function of their SocietyWorks product, giving them access to reports within their own boundaries. The authority’s own data protection policies apply when this data is accessed by their employees.

5. How the data is used

mySociety only uses users’ personal data for the purpose of sending their report or request to the relevant authority; and, except in the case of NoiseWorks, to send them follow-up emails to ask if their issue has been fixed. 

Clients should use this data only to action and respond to the reported issue, and should not add it to any other database, eg a newsletter list.

6. Security

All passwords on mySociety’s services must meet minimum complexity requirements, and login attempts are throttled, mitigating against remote brute-forcing. All passwords are stored in the database encrypted with a one-way bcrypt hash, mitigating against local brute-forcing. mySociety administrator accounts must adhere to mySociety’s own strict security policies, plus have two-factor authentication (whereby a changing code on a device needs to be input in addition to a password in order to log in).

mySociety makes use of both public and private cloud infrastructure. All systems are hosted in secure, access-controlled  data centres in the UK and Ireland. All data centre operators have ISO27001 certification. .

Every mySociety server runs a host based firewall to restrict inbound and outbound access of traffic. All servers and the packages on them are regularly and routinely patched to minimise the potential for vulnerabilities. mySociety maintains a least-permissive access control model to reduce potential cross-contamination of access in the event of a security compromise.

Privileged credentials are only transmitted to mySociety servers via encrypted protocols (HTTPS or SSH). Credentials are only exchanged in person or out-of-band with manual integrity checking.

A summary of our security measures will be maintained on the SocietyWorks website here: 

7. Lawful basis for processing

mySociety’s lawful basis for processing is legitimate interests – we have an interest in running our problem reporting service for the benefit of the users and for society, and process personal data in a way that has a minimal impact on privacy and in ways they would reasonably expect. We take the submission of a report on FixMyStreet to be consent to the processing of the user’s personal data as described on this page and in the privacy policy. 

FixMyStreet’s submission form clearly states how different types of users’ data (personal and public) will be processed, and we can make this explicit, both on the page and on the confirmation email. We believe that no other active consent is required from the user since, as the ICO says, there is “a positive action that makes it clear someone is agreeing to the use of their information for a specific and obvious purpose”.

8. Retention periods

We remove user accounts and anonymise problem reports that have been inactive for a period of two years. Except in exceptional circumstances, we do not delete problem reports or updates made through FixMyStreet. The ICO states that requests for erasure may be turned down when personal data is processed for archiving purposes in the public interest, scientific research, historical research or statistical purposes.

Historic FixMyStreet reports provide an invaluable resource for researchers into the quantity and type of street problems made across the UK during the years the site has been running. This research can help inform civic planners, developers, coders, historians and social scientists, among others.

Therefore, if a user asks for a report to be removed, in most cases we will instead invite them to anonymise it (which they can do themselves when logged in to the site), so that there is no personal data present, or public connection between the content and the user’s name.

The retention period for FOIWorks requests are as follows: We delete requests and all user’s personal information;

9. Research

mySociety sometimes shares anonymised data with researchers, and sometimes performs its own research on data generated by our websites. In the case of reports sent through FixMyStreet, this data will never include the user’s name, address, email address or any other identifying information. Data is only looked at in aggregate, for example to see how many reports were made in a specific area or within a specific category. This does not apply to NoiseWorks.

10. Client checklist

We advise clients to check the following:

This document has been prepared by the SocietyWorks client team who can be contacted at