Journey Builder privacy notice

Journey Builder is a workflow service provided by the Office of the Government Chief Information Officer (OGCIO) that supports Public Service Bodies (PSBs) in delivering digital public services. It enables PSBs to bring together different service components, such as forms, payments and messaging, into a single end‑to‑end service journey.

Journey Builder itself does not collect personal data directly from you. Instead, it coordinates and links the individual service components used by a PSB to deliver its service.

When you use a service that has been built using Journey Builder, the following personal information may be processed as part of the service:

• contact information, such as an email address, used to authenticate access to the service
• workflow metadata, such as confirmation that a step in the service has been completed
• reference identifiers that link together other Building Blocks relating to FormsIE, PaymentsIE, or MessagingIE used in the service

The specific personal data processed depends on the service provided by the PSB and the Building Blocks used within that service.

For the purpose covered by this privacy notice, the data controllers are:

• the Public Service Bodies (PSBs) who provide services using Journey Builder, and
• the Department of Public Expenditure, Infrastructure, Public Service Reform and Digitalisation (DPER), in respect of authentication data processed through LogTo.

Each PSB is the Data Controller for any personal data processed as part of the public service it provides using Journey Builder.

DPER is the Data Controller for the LogTo Broker (Database) and related authentication data processed within it. This includes the data in the LogTo Database, Profile database and the Personal Profile record in the Profile Data database, which collectively make up a data structure which hold user account information required by the Journey Builder Service.

The contact details for the relevant Data Protection Officers are provided below.

The purpose of the processing is to provide a secure, centrally managed workflow service that enables Public Service Bodies to deliver digital public services.

Journey Builder allows PSBs to configure and operate multi‑step service journeys by integrating a number of government Building Blocks, such as online forms, messaging, and payments, into a single end‑to‑end service process.

Journey Builder itself acts as an orchestration and workflow tool and does not determine the purpose of the underlying service. The purpose of processing personal data is defined by each PSB in the context of its statutory functions.

The legal basis for the processing of personal data collected through Journey Builder is determined by each Public Service Body (PSB) acting as data controller. PSBs are responsible for ensuring that the personal data they collect is necessary, proportionate, and processed for lawful and clearly defined statutory purposes.

OGCIO acts as a data processor for the Journey Builder platform and carries out processing operations on behalf of PSBs within the EEA. No international transfers of personal data are performed by the platform. OGCIO ensures that processing is conducted in a secure environment and that any sub‑processing used to support the platform is subject to appropriate controls.

Separately, DPER acts as the Data Controller for the LogTo identity broker and the authentication‑related personal data processed within it. This includes controllership over the LogTo database, the Profile database, and the personal Profile Data records in the Profile Data database, all of which are created, maintained, and governed by DPER/OGCIO as part of authentication and identity verification processes (including OTP authentication). These databases are accessible only by OGCIO. DPER determines the purposes and means of processing this authentication data, including the creation, linkage, synchronisation, and retention of user account and identity information within the LogTo ecosystem.

Journey Builder processes a limited set of personal data, depending on the service being delivered by the PSB.

This may include:

• an email address, used for authentication via LogTo and for associating a user with a service journey
• workflow metadata, such as confirmation that a step in a journey has been completed
• reference identifiers, used to link together forms, payments, or messages that make up a service journey

Journey Builder does not store:

• form responses
• message content
• payment details

Those data are processed within the relevant Building Blocks and remain under the control of the PSB providing the service.

Personal data is collected:

• When you authenticate using a one‑time passcode (OTP) via LogTo

Journey Builder receives only the minimum data necessary to support workflow orchestration and service integrity.

Your personal data is used to:

• authenticate access to a service journey
• associate you with a specific service instance
• ensure that the correct sequence of service steps is followed
• support service delivery, audit, and traceability

Journey Builder does not use personal data for profiling, analytics beyond service operation, or automated decision‑making.

None of your personal data is shared with any third parties.

Journey Builder retains:

• workflow reference identifiers and related metadata for as long as a service journey remains active, or as required by the PSB.

Journey Builder does not determine retention periods for form data, messages, or payment data. These are determined by the PSB providing the service.

Authentication data processed via LogTo is retained in accordance with DPER’s authentication policies.

You have rights under the GDPR, including:

• the right to access your personal data
• the right to rectification
• the right to erasure, in certain circumstances
• the right to restriction of processing
• the right to object to processing

To exercise your rights in respect of service‑related data, you should contact the Public Service Body providing the service.

To exercise your rights in respect of authentication data processed via LogTo, you should contact DPER.

If you have concerns about how your personal data is processed, you can contact:

• the Data Protection Officer of the relevant Public Service Body, or
• the Data Protection Officer of the Department of Public Expenditure, Infrastructure, Public Service Reform and Digitalisation at
  dataprotection@per.gov.ie

You may also lodge a complaint with the Data Protection Commission.

Journey Builder may collect limited technical information, such as:

• IP address
• browser type and version
• date and time of access

This information is used for security, operational, and statistical purposes only and is not used to identify individual users.

Cookies may be used to support authentication and secure navigation of Journey Builder services. Cookies do not contain personal data unless you have authenticated.

Cookies may be used to:

• maintain login state
• manage secure redirects
• support language preferences

Disabling cookies may affect the functionality of the service.

Department of Public Expenditure, Infrastructure, Public Service Reform and Digitalisation
Email: dataprotection@per.gov.ie

Each Public Service Body providing a service using Journey Builder will publish its own Data Protection Officer contact details.