Privacy & cookies

Introduction
 
When we provide services, we want to make them easy, useful and reliable. Where services are delivered on the internet, this sometimes involves placing small amounts of information on your device, for example, computer or mobile phone. These include small files known as cookies. They cannot be used to identify you personally.
 
These pieces of information are used to improve services for you through, for example:

  • enabling a service to recognise your device so you don't have to give the same information several times during one task
  • recognising that you may already have given a username and password so you don't need to do it for every web page requested
  • measuring how many people are using services, so they can be made easier to use and there's enough capacity to ensure they are fast
  • analysing anonymised data to help us understand how people interact with govt services so we can make them better

You can manage these small files and learn more about them from the article, Internet Browser cookies- what they are and how to manage them
http://www.direct.gov.uk/en/SiteInformation/DG_197506?CID=Central&PLA=url_mon&CRE=managing_cookies
 
If you'd like to learn how to remove cookies set on your device, visit: http://www.aboutcookies.org/Default.aspx?page=1 ‘Our use of cookies’
 
Our use of cookies
 
Google Analytics sets cookies to help us accurately estimate the number of visitors to the website and volumes of usage. This is to ensure that the NRT Portal is available when you want it, and to help us improve functionality. Google Analytics uses the following cookies:
 
Name: _utma
Purpose: to understand the number of visits, and the time of the first visit, the previous visit, and the current visit
Typical content: randomly generated number
Expires: 2 years
 
Name: _utmb
Purpose: to understand approximately how long visitors stay on a site, when a visit starts, and approximately ends
Typical content: randomly generated number
Expires: 30 minutes
 
Name: _utmc
Purpose: to understand approximately how long visitors stay on a site, when a visit starts, and approximately ends
Typical content: randomly generated number
Expires: when user exits browser
 
Name: _utmd
Purpose: to understand how the site was reached (e.g. directly or via a link, organic search or paid search)
Typical content: randomly generated number
Expires: 6 months
 
Name: _utmv
Purpose: to understand which organisations have accessed the site
Typical content: N/A
Expires: when user exits browser
 
Name: _utmz degradation
Purpose: to understand the search engine and / or keyword followed to access the site
Typical content: randomly generated number + info on how the site was reached (e.g. directly or via a link, organic search or paid search)
Expires: 6 months
 
For further details on the cookies set by Google Analytics, please refer to the Google Code website[1]
 
The NRT portal also contains cookies improving performance (sticky sessions) and recording user preferences:
 
Name: SESS6d06618e38d293160fd84a95eb1227de
Purpose: This cookie sets a unique session id. It can be used tostore information in a form of a session identification that does not personally identify the user
Typical content: randomly generated number
Expires: 1 month
 
Name: NSC_pss-qspexfc-wjq-iuuq
Purpose:   Identify the session, allowing a session to return to the same server even if the client has changed IP addresses.
Typical content: randomly generated number
Expires: when user exits browser
 
Name: NSC_pss-qspexfc-wjq-ttm
Purpose: Identify the session, allowing a session to return to the same server even if the client has changed IP addresses.
Typical content: randomly generated number
Expires: when user exits browser
 
Name: has_js
Purpose: This cookie informs the content mangement system whether you have javascript enabled in your browser settings. It can deliver content in a suitable way depending on your settings.
Typical content: 1 - which indicates that your browser supports javascript
Expires: when user exits browser
 
Third-party cookies
 
We use a number of suppliers who may also set cookies on their websites' on its behalf
 
Office of Rail Regulation (ORR)
 
The ORR uses cookies to distinguish you from other users. This helps to provide you with a better experience when you visit and also allows them to improve their site by analysing statistics.
 
Name: PHPSESSID
Purpose: Is the unique identifier for the user's session, so the content management system knows who they are, what the last page they visited was, etc (important for ensuring when someone clicks on a content link, the content is display in the correct navigational context).
Expires: When you close the browser
Link: http://www.rail-reg.gov.uk/server/show/nav.2776
 
Name: LPSCM002
Purpose: Is used to hint to a load balancer which machine should serve the request (ideally the same machine would serve a single user's entire visit to maintain session data which is usually stored on disk)
Expires: When you close the browser
Link: http://www.rail-reg.gov.uk/server/show/nav.2776
 
Network Rail
 
Network Rail uses cookies to distinguish you from other users. This helps to provide you with a better experience when you visit and also allows them to improve their site by analysing statistics.
 
Name: NR-BETA
Purpose:This cookie is used by our server infrastructure to maintain a consistent connection between your browser and a particular web server.
Expires: When you close the browser
Link: http://www.networkrail.co.uk/browseDirectory.aspx
 
Name: ecm
Purpose:This cookie is used by Ektron, the content management system which powers our website. It is used to store (anonymous) information about the user including language and site information
Expires: When you close the browser
Link: http://www.networkrail.co.uk/browseDirectory.aspx
 
Name: EktGUID
Purpose:This cookie is used by Ektron, the content management system which powers our website. A unique identifier for the current user is generated for all and assigned at the time they first arrive on the site.
Expires: 1 year
Link: http://www.networkrail.co.uk/browseDirectory.aspx
 
Name: EkAnalytics
Purpose:This cookie is used by Ektron, the content management system which powers our website. It is an anonymous user type identifier for an analytics feature.
Expires: 1 year
Link: http://www.networkrail.co.uk/browseDirectory.aspx
 
Name: ASP.NET_SessionId
Purpose:This cookie is the default one used by asp.net to uniquely identify the user's session on the site and relates the visitor's unique session to server side data.
Expires: When you close the browser
Link: http://www.networkrail.co.uk/browseDirectory.aspx
 
Name: lastClickedId
Purpose:Navigation cookie set by Network Rail during browsing of the website. The cookie tracks the user’s page request sequence and displays navigation path followed on screen.
Expires: When you close the browser
Link: http://www.networkrail.co.uk/browseDirectory.aspx
 
SurveyMonkey
 
When we provide links to third party services you find useful, SurveyMonkey may place a cookie on your device to make their service easier to use.
 
Name: ep201
Purpose:When we provide links to third party services you find useful, they may place a cookie on your device to make their service easier to use. Their policy on use may be found on the link below.
Expires: When you close the browser
Link: http://www.surveymonkey.com/s/useofNRT
 
Name: ep202
Purpose:When we provide links to third party services you find useful, they may place a cookie on your device to make their service easier to use. Their policy on use may be found on the link below.
Expires: 1 year
Link: http://www.surveymonkey.com/s/useofNRT
 
Name: TS54026e
Purpose: When we provide links to third party services you find useful, they may place a cookie on your device to make their service easier to use. Their policy on use may be found on the link below.
Expires: When you close the browser
Link: http://www.surveymonkey.com/s/useofNRT
 
 
How to control and delete cookies
 
We will not use cookies to collect personally identifiable information about you.
 
However, if you wish to restrict or block the cookies which are set by our websites, or indeed any other website, you can do this through your browser settings. The ‘Help’ function within your browser should tell you how.
 
Alternatively, you may wish to visit www.aboutcookies.orgwhich contains comprehensive information on how to do this on a wide variety of browsers. You will also find details on how to delete cookies from your machine as well as more general information about cookies.
 
Please be aware that restricting cookies may impact on the functionality of our website.
 
If you wish to view your cookie code, just click on a cookie to open it. You'll see a short string of text and numbers. The numbers are your identification card, which can only be seen by the server that gave you the cookie.
 
For information on how to do this on the browser of your mobile phone you will need to refer to your handset manual.
 
To opt-out of third-parties collecting any data regarding your interaction on our website, please refer to their websites for further information.
 
Break-down of identified cookie-supported functionality
 
In line with the original COI guidance, many departments, agencies and NDPBs have taken steps to publish information about their use of  cookies, with varying degrees of comprehensiveness. 
 
A very basic audit of departments' websites, based mainly on the information provided within relevant “Privacy and cookies” policy pages, has been carried out by ORR.  45 cookies were identified through this process. These were then categorised into 8 broad groups (excluding the group for cookies labelled “miscellaneous” due to insufficient information provided on their  purpose):

Cookie function 
Web Analytics/metrics

Proportion
38%

Description
This category comprises cookies used to evaluate site performance in terms of number of visits, unique visitors, drop-off rate for transactions etc.
 

Cookie function
Embedded third-party content and social media plug-ins

Proportion
9%

Description
This covers cookies which are set and controlled by third-parties such as social media networking sites. These cookies are often introduced through the use of social plug-ins such as the Facebook “Like” button and Wordpress.
 

Cookie function
Transaction-specific

Proportion
2%

Description
This category includes cookies which are critical to the delivery of a government service or transaction eg the use of cookies in the “Find My Nearest” tool on the Directgov site.
 

Cookie function
Stop multiple submissions

Proportion
7%

Description
This category covers cookies which are used to enable proper functioning of surveys and polls e.g. preventing a user from voting twice.
 

Cookie function
Personalised content/interface

Proportion
 
24%

Description
This classification covers cookies which are used to remember user settings for the duration of a user's session eg language preference.
 

Cookie function
Session management

Proportion
16%

Description
These are “session-based” cookies used in order to ensure the smooth running of users' sessions. This classification includes cookies used to support  server load balancing.
 

Cookie function
Javascript detection

Proportion
2%

Description
These cookies are used to 'remember' whether users' terminals support the use of Javascript. This facilitates an enhanced user experience as Javascript-enhanced features can be made available to users. 
 

Cookie function
Miscellaneous

Proportion
 2%
(approx.)

Description
As explained above cookies classified as “miscellaneous” have been labelled thus because insufficient information has been provided as to their purpose.
 

 
The result of this basic audit, and a break-down by department, is available on request. If some of the cookies you've identified in your cookie policy have been classified “miscellaneous”, it is advisable that you review the information you've published and update or clarify it, as necessary.
 
ORR's assessment of the intrusiveness levels (in terms of users' privacy) of cookies
 
Moderately intrusive cookies:
 
ORR has categorised cookies set for the purpose of supporting the operation of 1) Embedded third-party content and social media plug-ins and 2) campaign optimisation as “moderately intrusive” 

  1. Embedded third-party content and social media plug-ins:
  2. Campaign optimisation: 

The rationale for the classification is as follows: 

  1. Limited control over used of information: Government departments have no direct control over how the information stored within third-party cookies is used. While all attempts should be made by web managers of government sites to provide information about relevant third-parties' cookie policies, it is probable that users will have a more convoluted journey in attempting to access this information. This might result in users not accessing the information thereby reducing their understanding of how cookies work and reducing the opportunity of providing informed consent.
  2. User expectations when visiting the first-party site: A visitor to any first-party site has a relationship primarily with the site they have visited. Consequently, it is unlikely that visitors have an expectation that other parties might also be able to store information on their terminals. The setting of third-party cookies might be considered particularly intrusive when, in theory at least, they enable third-party websites e.g. Facebook, to track user behaviour across several sites. The fact that the visitor does not have to click on the plug-in or be a member of the social media networking site for the cookie to be set on their device, increases the perception that they are particularly intrusive.

 
While cookies used for the purposes cited above have been classified as being moderately intrusive, this is not to suggest that they are without merit. For example, cookies used to track how citizens interact with government campaigns are important in order for departments to ensure that their campaigns are effective and thus a good use of scarce resources.  However, it is important to minimise their usage in order to balance these benefits with users' privacy. 
 
Minimally intrusive cookies:
 
ORR has categorised cookies set for the purpose of supporting the operation of 1) Web analytics/metrics, 2) personalised content/interface, 3) Javascript detection as “minimally intrusive”.
 
Use of web-analytics/metrics: The use of metrics are integral are to departments' being able to:

  • Provide the best possible user experience in order to encourage citizens to use more cost-effective channels for accessing government services, and in so doing meet their objectives of cutting costs.
  • Assess and demonstrate whether the digital services they offer provide “value-for-money” as demonstrated by the recent National Audit Office (NAO) report.
  • Satisfy the government's commitment to transparency

 
Consequently, collecting these metrics are essential to the effective operation of government websites, at present the setting of cookies is the most effective way of doing this. 
 
Personalised content/interface: Consistently presenting users with the version of the site (or features within the site) which they find most convenient increases their enjoyment of the site and thus, the likelihood that they'll use the service/website in the future.
 
Javascript detection: Javascript allows website owners to offer users enhanced features where the user's terminal supports its use.  
 
The use of cookies to support web-analytics, personalised content/interfaces and Javascript has been classified as minimally intrusive (by ORR) because:
 

  1. Their usage tends to be controlled by the first-party and as such departments are able to be fully clear and transparent about how the cookies and the information stored in them are set and used respectively
  2. The scope of their use and information they store are limited to the first-party websites i.e. they are not used in relation to a user's activities on other sites.

 
The ICO guidance supports this view as it states “...it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are unlikely to prioritise first-party cookies used only for analytical purposes in any consideration of regulatory action
 
There are many benefits to using cookies for improving the user experience of government websites and for facilitating a culture of continual improvement of government digital services. As with the advice regarding the use of “moderately intrusive” cookies, it is important that the use of cookies does not proliferate indiscriminately but that those with responsibility for managing government  websites put in place effective cookie management procedures (see section 3.1.3 above)
 
Definitions of terminology used in this document
 
Session and persistent cookies
  
Session cookies are those which expire at the end of a browser session i.e. when the user exits the browser.  The ICO guidance notes that such cookies may sometimes “be considered less privacy intrusive than persistent ones”.
 
Persistent cookies remain stored on a user's device in-between browser sessions. They allow the preferences or actions of the user on a given site (or in some cases, such as behavioural advertising, across different websites) to be 'remembered'.
 
First and third-party cookies:
 
Whether a cookie is 'first' or 'third' party refers to the website or domain placing the cookie. First-party cookies in basic terms are cookies set by a website visited by the user- the website displayed in the URL window.
 
Third-party cookies are cookies set on a user's device by organisations other than the 'first-party'. Examples include cookies set by an advertising network or a provider of an embedded streaming video service.
 
Consent (“After the fact” and implied): There have been suggestions that the fact that the regulations do not specifically refer to the need for prior consent, it might be acceptable to seek consent 'after the fact' i.e. after the cookies have been set on a user's terminal. The ICO has indicated that they do not support this view but recognise that in some cases, for technical reasons, this might be unavoidable.
 
The ICO have stated that “implied consent” with regards to cookies i.e. presuming that by using a website the user has implicitly given their consent to the setting of cookies, cannot be relied upon by websites owners in the short-term. They estimate that the awareness levels amongst users about cookies will take a few years to rise to the point where “implied consent” can be relied upon. This reinforces the need for government websites to make educating users about the use of cookies a priority.
 
 

[1]http://code.google.com/apis/analytics/docs/concepts/gaConceptsCookies.html#cookiesSet