Microsoft Copilot Web
In order to comply with the UK General Data Protection Regulation (UK GDPR), where personal data relating to a data subject is collected, Lancashire County Council would like to provide you with the following details.
Identity and contact details of the data controller
- Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ
Contact details of the data protection officer
- Our Data Protection Officer is Paul Bond. You can contact him at dpo@lancashire.gov.uk or Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ
Purposes for processing
Lancashire County Council deploys Microsoft Copilot Web for use by its employees, volunteers, members and other individuals granted access to Lancashire County Council secure networks.
Copilot Web is a Microsoft-provided solution that enables users of it to input data to provide AI-informed responses to support Lancashire County Council operations and activities.
Copilot Web does not have access to any existing Lancashire County Council platforms, systems or technical infrastructure containing your personal data.
Lancashire County Council services may populate your personal data into the platforms for the purposes of supporting administrative tasks and to deliver more efficient and effective services. Data sent to and from Copilot with enterprise data protection is encrypted in transit and at rest. Microsoft has no 'eyes-on' access to it.
Any of your data that is processed within the Lancashire County Council Microsoft Copilot Web platform remains secure at all times, and Lancashire County Council will only ever process your data using such platforms where it has a clear lawful basis under UK GDPR for doing so.
The emphasis is placed in LCC training and IG policy that individuals are entirely responsible for any outcomes that they receive from an AI platform, and those utilising LCC Copilot Web must review any and all outputs against existing data and in line with operational policies and procedures within their individual service areas.
Any third party AI platform is not permitted for use by Lancashire County Council employees, and all in accordance with Lancashire County Council's Information Governance Policies.
Category of personal data being processed
- Personal data (information relating to a living, identifiable individual)
- Special category personal data (racial, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation)
- Criminal offence data
Legal basis for processing personal data, special category personal data and criminal offence data.
The individual lawful basis that individual Lancashire County Council services rely on to process your personal data within the Microsoft Copilot Web platform will depend on each use case and the lawful basis underpinning the Lancashire County Council areas of activity.
Any use of Microsoft Copilot Web to process personal data of any kind will be carried out in accordance with UK GDPR and have a clear lawful basis for processing.
Recipients of the data
- Microsoft – Provider of the Copilot Web functionality. No personal data inputted into the Lancashire County Council Copilot Web platform will be shared with anyone beyond Microsoft who provide the platform. Microsoft has no 'eyes-on' access to it.
Information we share
The personal data that Lancashire County Council processes within the Microsoft Copilot Web platform may be any personal data that Lancashire County Council requires to deliver it's functions and activities.
This will include but not be limited to the following:
- Name
- Address
- Email address
- Phone number
- NI number
- Date of birth
- Religion
- Occupation
- Medical history
- Ethnic origin
Any transfers to another country
- Yes – Microsoft Copilot Web processes personal data within the USA. Lancashire County Council has a UK GDPR compliant contract in place with Microsoft, and Microsoft form part of the Data Privacy Framework.
Lancashire County Council will only ever allow for the processing of your personal data using the Microsoft Copilot Web platform where it can demonstrate full compliance with UK GDPR and the Data Protection Act (2018).
Retention periods
Lancashire County Council will only store your information for as long as is legally required or in situations where there is no legal retention period they will follow established best practice.
| File type | Description | Security | Retention period |
|---|---|---|---|
| Personal data inputted into the Microsoft Copilot Web platform | Any form of personal, sensitive or confidential information that is populated into Lancashire County Council's instance of the Microsoft Copilot Web platform. | All data populated into Microsoft Copilot Web is encrypted and is held in secure cloud-based servers with access controlled by Lancashire County Council | Copilot chat history, including prompts and AI responses are retained for six years, in line with Lancashire County Council's corporate retention policies. |
| Responses and outputs from Microsoft Copilot Web | Responses provided by Microsoft Copilot Web based on the personal data and questions provided to it by individual users of the platform and any exported or extracted data from the platform then held on Lancashire County Council's wider network. | Held on Lancashire County Council's secure network. Utilised by individual Lancashire County Council services for operational purposes in line with Lancashire County Council's Information Governance Policies. | Any extracted or exported data from Lancashire County Council's Microsoft Copilot Web platform is managed, retained and securely destroyed in accordance with Lancashire County Council's corporate retention policies. |
Your rights
You have certain rights under the UK General Data Protection Regulation (UK GDPR), these are those rights:
- to be informed via Privacy Notices such as this.
- to withdraw your consent. If we are relying on your consent to process your data then you can remove this at any point.
- of access to any personal information the council holds about yourself. To request a copy of this information you must make a subject access request in writing. You are entitled to receive a copy of your personal data within 1 calendar month of our receipt of your subject access request. If your request is complex then we can extend this period by a further two months, if we need to do this we will contact you. You can request a subject access request, either via a letter or via an email to Information Governance Team, address below.
- of rectification, we must correct inaccurate or incomplete data within one month.
- to erasure. You have the right to have your personal data erased and to prevent processing unless we have a legal obligation to process your personal information.
- to restrict processing. You have the right to suppress processing. We can retain just enough information about you to ensure that the restriction is respected in future.
- to data portability. We can provide you with your personal data in a structured, commonly used, machine readable form when asked.
- to object. You can object to your personal data being used for profiling, direct marketing or research purposes.
- in relation to automated decision making and profiling, to reduce the risk that a potentially damaging decision is taken without human intervention.
If you want to exercise any of these rights then you can do so by contacting:
Information Governance Team
Lancashire County Council
PO Box 78
County Hall
Preston
PR1 8XJ
Email: dpo@lancashire.gov.uk
To ensure that we can deal with your request as efficiently as possible you will need to include your current name and address, proof of identity (a copy of your driving licence, passport or two different utility bills that display your name and address), as much detail as possible regarding your request so that we can identify any information we may hold about you, this may include your previous name and address, date of birth and what council service you were involved with.
Further information
For more information about how we use personal information see Lancashire County Council's full privacy notice.
If you wish to raise a complaint on how we have handled your personal data, you can contact the Information Governance team who will investigate the matter.
Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ or email: dataprotection@lancashire.gov.uk
If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office (ICO).