Skip to main content
Legacy System Register

Alpha This is a new service – your feedback will help us build it.

Data usage policy

Last updated on 5 February 2026.

Who we are

The Legacy System Register is built and managed by the Government Digital Service (GDS). GDS is part of the Department for Science, Innovation and Technology (DSIT). All Legacy System Register administrators hold at minimum SC clearance.

How your data is used

The data on IT systems and the self-assessments you input into the Legacy System Register are stored on our systems.

The lead(s) for each government department, body or public sector organisation ("organisation admins") are assigned by the system administrators. The leads are able to set up and assign organisation users, system owners and assessors, giving them appropriate permissions. Organisations are responsible for ensuring roles and access rights allocated to individuals are appropriate and proportionate to the individual, using the principle of least privilege.

Organisation users can see all IT systems and assessments submitted to the Legacy System Register for their organisation, but not manage other users. System owners can see only the IT systems they are assigned to. Assessors can only access unsubmitted self-assessments they are assigned to.

Data attributed to a particular government department, body or public sector organisation will not be automatically visible to another one, other than the system administrators.

From the Legacy System Register, datasets will be generated that are anonymised for the names of systems, their descriptions, and names of system owners.

These datasets will be used to produce reporting on the government and public sector legacy IT estate for GDS to inform, prioritise and measure progress against the [INSERT ACTION PLAN].

How your data is stored and managed

IT systems are stored on Legacy System Register and are editable by admins, organisation admins, organisation users and assigned system owners.

In-progress self-assessments are stored on Legacy System Register and are editable by any user your organisation has assigned. Once complete and sent for review, further edits are not possible by the assessor. At this point, organisation admins, organisation users and system owners can review and choose to approve or not approve the self-assessment.

Data pertaining to IT systems, including assessment data, is stored while the system is not marked within the Legacy System Register as 'Retired'. From the date the IT system is marked as 'Retired', data is retained for two years before it is deleted. Data on IT systems can be permanently deleted by organisation admins and organisation users at any time.

[INFO ABOUT DB BACKUPS]

Further information

[INFO ABOUT ASSESSMENT PROCESS / RESULTS]

The development of the Legacy System Register aligns and adheres with the GDS Service Standard (opens in new tab) and Technology Code of Practice (opens in new tab).

For example, the application:

  • has appropriate access control
  • uses continuous integration and deployment from GitHub
  • logs and monitors usage and audit data
  • integrates continuous static and dynamic code analysis to identify vulnerability and configuration issues
  • runs using iterative development process to quickly remediate issues and adapt features

Further information on personal data can be found on the privacy policy.

For more help on Legacy System Register, including contact details for teams responsible, please visit the help page.