017 - Cookies policy
Purpose
- Cookies are small data files that a website sends to a user’s computer. They’re used to store information about how users browse a website. The service manual tells us to keep use of cookies to a minimum, and be transparent about the ones you do use.
- Cookies must only apply to your originating domain name. For example, www.servicename.service.gov.uk not .gov.uk.
- Do not use cookies on domains that host only static assets like images or JavaScript - they slow response times for users without providing any benefit.
- You should only send cookies with the Secure attribute and, when appropriate, the HttpOnly attribute. These flags provide additional assurances about how browsers should handle cookies.
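The attribute and scoping rules above can be checked automatically in a test or CI step. The following is an added example, not code from this service: the function names, the `scriptReadable` option and the `cookie_preferences` cookie are hypothetical, and the sample Set-Cookie values are constructed.

```javascript
// Added example: audit Set-Cookie header values against the rules listed under Purpose.
// All names and sample headers below are constructed for illustration.

function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attrs = new Map();
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? true : part.slice(i + 1).trim());
  }
  return { name, attrs };
}

function auditSetCookie(header, { host, scriptReadable = [] }) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.has("secure")) findings.push("missing Secure");
  // Browsers reject a __Secure- cookie sent without Secure, so the session would silently fail.
  if (name.startsWith("__Secure-") && !attrs.has("secure"))
    findings.push("__Secure- prefix requires Secure");
  // HttpOnly "when appropriate": required unless page scripts must read the cookie.
  if (!attrs.has("httponly") && !scriptReadable.includes(name))
    findings.push("missing HttpOnly");
  // A Domain attribute widens scope; only the exact originating host is accepted here.
  if (attrs.has("domain")) {
    const domain = String(attrs.get("domain")).replace(/^\./, "").toLowerCase();
    if (domain !== host.toLowerCase())
      findings.push(`Domain "${domain}" is wider than ${host}`);
  }
  return findings;
}

const host = "www.servicename.service.gov.uk"; // example host from the policy text
const samples = [
  "__Secure-next-auth.session-token=abc; Path=/; Secure; HttpOnly",
  "__Secure-next-auth.session-token=abc; Path=/; Domain=.gov.uk",
  "cookie_preferences=analytics-off; Path=/; Secure", // hypothetical banner cookie
];
for (const h of samples) {
  const findings = auditSetCookie(h, { host, scriptReadable: ["cookie_preferences"] });
  console.log(h.split("=")[0], findings.length ? findings : "ok");
}
```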
Goals
- Decide which cookies to use and how to use them - essential and non-essential
- Define our cookie policy
Essential cookies
These cookies are required to make the service work. We do not need to ask permission to use these cookies.
Name | Purpose | Category | Time to expiry | Set (server or client) |
---|---|---|---|---|
__Secure-next-auth.session-token | Used to keep you signed in | Essential | 12 hours after activity | Client, but with the HttpOnly and Secure attributes |
Non-essential cookies
Functional cookies
The service will work without them, but the user will not be able to take advantage of some functionality. The user must give us permission to use these cookies.
Analytics cookies
With the user’s permission, we will use Google Analytics to collect data about how they use the service. This information will enable us to improve our service and assess our KPIs. All the data will be stored and processed on Google’s servers.
Name | Purpose | Expires |
---|---|---|
_ga | Used to distinguish users | 2 years |
_ga_container-id | Used to persist session state | 2 years |
_stg_debug | Determines if the Tag Manager’s debugger should be displayed. The cookie is removed after you close the debugger. | 14 days |
stg_traffic_source_priority | Stores the type of traffic source that explains how the visitor reached your website. | 30 minutes |
stg_last_interaction | Determines whether the last visitor’s session is still in progress or a new session has started. | 1 year |
stg_returning_visitor | Determines if the visitor has already been to your website — they are returning visitors. | 1 year |
stg_fired__appID | Determines if the combination of a tag and trigger was fired during the current visitor’s session. | End of session |
stg_utm_campaign | Stores the name of the campaign that directed the visitor to your website. | End of session |
stg_pk_campaign | Stores the name of the campaign that directed the visitor to your website. | End of session |
stg_externalReferrer | Stores the URL of a website that referred a visitor to your website. | End of session |
_stg_opt_out_simulate | Used to simulate the behavior of the opt-out snippet in the debugger. It turns off all tracking tags in the tested domain. | 1 year |
_stg_optout | Used to turn off all tracking tags in the tested domain. | 1 year |
Using Google Analytics
Google Analytics will be used to track front-end analytics. It tracks and reports website traffic. It will track user-related metrics.
Things to consider to meet GDS standards:
- What you need to do - for example, whether you need to do A/B or multivariate testing
- How much it will cost
  - Google Analytics is free.
- Where the data is stored and how you’ll access it
  - Google Analytics operates data centers globally, including in the United States, to maximize service speed and reliability. Before data is transferred to any servers in the United States, it is collected in local servers, where users’ IP addresses are anonymised (when the feature is enabled by customers).
  - The GDPR and European Court of Justice say that data can be transferred outside of the European Union for just this sort of reason, provided conditions are met.
- What the quality of the data is
  - Google Analytics has a range of functionality to choose from including: reports, activity log, users flow, location data & session recording
- What you can do with the data
  - Data will be used to generate service KPIs & understand how our users are interacting with the website. This knowledge will enable us to iterate and improve the service.
- What support is available to help you use the tool
  - Support is available if required
CloudWatch
We will also use AWS CloudWatch to log and monitor the system’s performance metrics and databases.
Setting user preferences for cookies
A cookie banner will be added to the interface when a user first logs in:
1. User selects their preferences in the banner
2. A confirmation message is shown
All information regarding our cookies policy will be accessible to the user on the cookies information page which will show users what cookies are being used. Users should be able to visit the cookies information page at any time to amend their preferences.