The ICO exists to empower you through information.

At a glance

  • Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the UK GDPR.
  • You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
  • You must provide privacy information to individuals at the time you collect their personal data from them.
  • If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
  • There are a few circumstances when you do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.
  • The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.
  • It is often most effective to provide privacy information to people using a combination of different techniques including layering, dashboards, and just-in-time notices.
  • User testing is a good way to get feedback on how effective the delivery of your privacy information is.
  • You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.
  • Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage.

Checklists

What to provide

We provide individuals with all the following privacy information:

The name and contact details of our organisation.

The name and contact details of our representative (if applicable).

The contact details of our data protection officer (if applicable).

The purposes of the processing.

The lawful basis for the processing.

The legitimate interests for the processing (if applicable).

The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).

The recipients or categories of recipients of the personal data.

The details of transfers of the personal data to any third countries or international organisations (if applicable).

The retention periods for the personal data.

The rights available to individuals in respect of the processing.

The right to withdraw consent (if applicable).

The right to lodge a complaint with a supervisory authority.

The source of the personal data (if the personal data is not obtained from the individual it relates to).

The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).

The details of the existence of automated decision-making, including profiling (if applicable).


When to provide it

We provide individuals with privacy information at the time we collect their personal data from them.

If we obtain personal data from a source other than the individual it relates to, we provide them with privacy information:

within a reasonable period of obtaining the personal data and no later than one month;

if we plan to communicate with the individual, at the latest, when the first communication takes place; or

if we plan to disclose the data to someone else, at the latest, when the data is disclosed.


How to provide it

We provide the information in a way that is:

☐ concise;

☐ transparent;

☐ intelligible;

easily accessible; and

uses clear and plain language.


Changes to the information

We regularly review and, where necessary, update our privacy information.

If we plan to use personal data for a new purpose, we update our privacy information and communicate the changes to individuals before starting any new processing.


Best practice – drafting the information

We undertake an information audit to find out what personal data we hold and what we do with it.

We put ourselves in the position of the people we’re collecting information about.

We carry out user testing to evaluate how effective our privacy information is.

Best practice – delivering the information

When providing our privacy information to individuals, we use a combination of appropriate techniques, such as:

☐ a layered approach;

dashboards;

just-in-time notices;

icons; and

mobile and smart device functionalities.

In brief

What is the right to be informed and why is it important?

The right to be informed covers some of the key transparency requirements of the UK GDPR. It is about providing individuals with clear and concise information about what you do with their personal data.

Articles 13 and 14 of the UK GDPR specify what individuals have the right to be informed about. We call this ‘privacy information’.

Using an effective approach can help you to comply with other aspects of the UK GDPR, foster trust with individuals and obtain more useful information from them.

Getting this wrong can leave you open to fines and lead to reputational damage.

What privacy information should we provide?

The table below summarises the information that you must provide. What you need to tell people differs slightly depending on whether you collect personal data from the individual it relates to or obtain it from another source.

What information do we need to provide? Personal data collected from individuals Personal data obtained from other sources
The name and contact details of your organisation
The name and contact details of your representative
The contact details of your data protection officer
The purposes of the processing
The lawful basis for the processing
The legitimate interests for the processing
The categories of personal data obtained
The recipients or categories of recipients of the personal data
The details of transfers of the personal data to any third countries or international organisations
The retention periods for the personal data
The rights available to individuals in respect of the processing
The right to withdraw consent
The right to lodge a complaint with a supervisory authority
The source of the personal data
The details of whether individuals are under a statutory or contractual obligation to provide the personal data
The details of the existence of automated decision-making, including profiling

When should we provide privacy information?

When you collect personal data from the individual it relates to, you must provide them with privacy information at the time you obtain their data.

When you obtain personal data from a source other than the individual it relates to, you need to provide the individual with privacy information:

  • within a reasonable period of obtaining the personal data and no later than one month;
  • if you use the data to communicate with the individual, at the latest, when the first communication takes place; or
  • if you envisage disclosure to someone else, at the latest, when you disclose the data.

You must actively provide privacy information to individuals. You can meet this requirement by putting the information on your website, but you must make individuals aware of it and give them an easy way to access it.

Are there any exceptions?

When collecting personal data from individuals, you do not need to provide them with any information that they already have.

When obtaining personal data from other sources, you do not need to provide individuals with privacy information if:

  • the individual already has the information;
  • providing the information to the individual would be impossible;
  • providing the information to the individual would involve a disproportionate effort;
  • providing the information to the individual would render impossible or seriously impair the achievement of the objectives of the processing;
  • you are required by law to obtain or disclose the personal data; or
  • you are subject to an obligation of professional secrecy regulated by law that covers the personal data.

How should we draft our privacy information?

An information audit or data mapping exercise can help you find out what personal data you hold and what you do with it.

You should think about the intended audience for your privacy information and put yourself in their position.

If you collect or obtain children’s personal data, you must take particular care to ensure that the information you provide them with is appropriately written, using clear and plain language.

For all audiences, you must provide information to them in a way that is:

  • concise;
  • transparent;
  • intelligible;
  • easily accessible; and
  • uses clear and plain language.

It is good practice to carry out user testing on your draft privacy information to get feedback on how easy it is to access and understand.

After it is finalised, undertake regular reviews to check it remains accurate and up to date.

If you plan to use personal data for any new purposes, you must update your privacy information and proactively bring any changes to people’s attention.

What methods can we use to provide privacy information?

There are a number of techniques you can use to provide people with privacy information. You can use:

  • A layered approach – short notices containing key privacy information that have additional layers of more detailed information.
  • Dashboards – preference management tools that inform people how you use their data and allow them to manage what happens with it.
  • Just-in-time notices – relevant and focused privacy information delivered at the time you collect individual pieces of information about people.
  • Icons – small, meaningful, symbols that indicate the existence of a particular type of data processing.
  • Mobile and smart device functionalities – including pop-ups, voice alerts and mobile device gestures.

Consider the context in which you are collecting personal data. It is good practice to use the same medium you use to collect personal data to deliver privacy information.

Taking a blended approach, using more than one of these techniques, is often the most effective way to provide privacy information.

What common issues might come up in practice?

If you share personal data with (or sell it to) other organisations:

  • As part of the privacy information you provide, you must tell people who you are giving their information to, unless you are relying on an exception or an exemption.
  • You can tell people the names of the organisations or the categories that they fall within; choose the option that is most meaningful.
  • It is good practice to use a dashboard to let people manage who their data is sold to, or shared with, where they have a choice.

If you buy personal data from other organisations:

  • You must provide people with your own privacy information, unless you are relying on an exception or an exemption.
  • If you think that it is impossible to provide privacy information to individuals, or it would involve a disproportionate effort, you must carry out a DPIA to find ways to mitigate the risks of the processing.
  • If your purpose for using the personal data is different to that for which it was originally obtained, you must tell people about this, as well as what your lawful basis is for the processing.
  • Provide people with your privacy information within a reasonable period of buying the data, and no later than one month.

If you obtain personal data from publicly accessible sources:

  • You still have to provide people with privacy information, unless you are relying on an exception or an exemption.
  • If you think that it is impossible to provide privacy information to individuals, or it would involve a disproportionate effort, you must carry out a DPIA to find ways to mitigate the risks of the processing.
  • Be very clear with individuals about any unexpected or intrusive uses of personal data, such as combining information about them from a number of different sources.
  • Provide people with privacy information within a reasonable period of obtaining the data, and no later than one month.

If you apply Artificial Intelligence (AI) to personal data:

  • Be upfront about it and explain your purposes for using AI.
  • If the purposes for processing are unclear at the outset, give people an indication of what you are going to do with their data. As your processing purposes become clearer, update your privacy information and actively communicate this to people.
  • Inform people about any new uses of personal data before you actually start the processing.
  • If you use AI to make solely automated decisions about people with legal or similarly significant effects, tell them what information you use, why it is relevant and what the likely impact is going to be.
  • Consider using just-in-time notices and dashboards which can help to keep people informed and let them control further uses of their personal data.

In more detail – ICO guidance

We have published detailed guidance on the right to be informed.

The Accountability Framework looks at the ICO’s expectations in relation to data protection by design

In more detail – European Data Protection Board

The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues

WP29 adopted guidelines on Transparency, which have been endorsed by the EDPB.