The ICO exists to empower you through information.

Why is this important?

Data protection law aims to empower individuals and give them greater control over their personal data through several rights, which you need to facilitate effectively. Compliance with individual rights minimises the privacy risks to individuals as well as to organisations. It will help you to comply with other data protection requirements, such as the principles. Good data protection compliance enhances your reputation and gives you a competitive edge because it increases the trust and confidence that people have in how you handle personal data.

At a glance – what we expect from you

Informing individuals and identifying requests

You inform individuals about their rights and all staff are aware of how to identify and deal with both verbal and written requests.

Ways to meet our expectations:

  • You give individuals clear and relevant information about their rights and how to exercise them.
  • Your policies and procedures set out processes for dealing with requests from individuals about their rights.
  • All staff receive training and guidance about how to recognise a request and where to send them.

Have you considered the effectiveness of your accountability measures?

  • Do all staff understand how to recognise a request and where to send them?
  • Would individuals say that you provided useful materials to help them to exercise their rights?

Resources

You have appropriate resources in place to handle requests from individuals about their data.

Ways to meet our expectations:

  • A specific person/s or team are responsible for managing and responding to requests.
  • Staff receive specialised training to handle requests, including regular refresher training.
  • You have sufficient resources to deal with requests.
  • If a staff member is absent, you train other staff to carry out key tasks.
  • Your organisation can deal with any increase in requests or reduction in staffing levels.

Have you considered the effectiveness of your accountability measures?

  • Are staff aware of their key responsibilities and how to deliver them in practice?
  • Would your staff say that you have appropriate resources to deal with the volume of requests?
  • In the case of staff absences, could key tasks in the request process be covered by more than one individual?

Logging and tracking requests

Your organisation logs receipt of all verbal and written requests from individuals and updates the log to track the handling of each request.

Ways to meet our expectations:

  • You have processes in place to ensure the log is accurate and updated as appropriate.
  • The log shows the due date for requests, the actual date of the final response and the action taken.
  • A checklist records the key stages in the request handling process, eg which systems or departments have been searched. This is either part of the log or a separate document.
  • You have records of your organisation's request responses, and any disclosed or withheld information from subject access requests.

Have you considered the effectiveness of your accountability measures?

  • Could you locate relevant records easily?
  • Are the records correct?
  • Would a small sample of requests show that your staff follow the policies and procedures?

Timely responses

You deal with requests from individuals in a timely manner that meets individual expectations and statutory timescales.

Ways to meet our expectations:

  • You action all requests within statutory timescales.
  • The staff responsible for managing requests meet regularly to discuss any issues and investigate, prioritise or escalate any delayed cases.
  • If you need an extension, you update individuals on the progress of their request and keep them informed.
  • If a request is refused, you have records about the reasons why and you inform individuals about the reasons for any refusals or exemptions.

Have you considered the effectiveness of your accountability measures?

  • Would staff say that the process in place to deal with issues is regular and effective?

  • Would requesters say they were kept well-informed about the progress of their request?

  • Did requesters receive clear information?

Monitoring and evaluating performance

Your organisation monitors how your staff handle requests and you use that information to make improvements.

Ways to meet our expectations:

  • The staff responsible for managing requests meet regularly to discuss any issues.
  • You produce regular reports on performance and case quality assessments to ensure that requests are handled appropriately.
  • You share reports with senior management, that they review and action at appropriate meetings.
  • Your organisation analyses any trends in the nature or cause of requests to improve performance or reduce volumes.

Have you considered the effectiveness of your accountability measures?

  • Are the management reports easy to understand?

  • Does senior management know about current performance?

  • Are the actions clear and are they followed up?

Inaccurate or incomplete information

Your organisation has appropriate systems and procedures to change inaccurate information, add additional information to incomplete records or add a supplementary statement where necessary.

Ways to meet our expectations:

  • Your organisation takes proportionate and reasonable steps to check the accuracy of the personal data held and, if necessary, is able to rectify it.
  • If your organisation is satisfied that the data is accurate, you have a procedure to explain this to the individual. You need to inform the individual of their right to complain, and as a matter of good practice, record on the system the fact that the individual disputes the accuracy of the information.
  • If personal data has been disclosed to others, your organisation contacts each recipient to inform them about the rectification, unless this is impossible or involves disproportionate effort.
  • If asked, the organisation tells the data subject which third parties have received the personal data.

Have you considered the effectiveness of your accountability measures?

  • Would staff say there are effective processes in place to rectify inaccurate or incomplete personal data?
  • Would requesters say they were given clear information about the steps you took?

Erasure

You have appropriate methods and procedures in place within your organisation to delete, suppress or otherwise stop processing personal data if required.

Ways to meet our expectations:

  • You erase personal data from back-up systems as well as live systems where necessary, and you clearly tell the individual what will happen to their data.
  • If the personal data is disclosed to others, your organisation contacts each recipient to inform them about the erasure, unless this is impossible or involves disproportionate effort.
  • If asked to, your organisation tells the data subject which third parties have received the personal data.
  • If personal data has been made public in an online environment, you take reasonable steps to tell other controllers, if they are processing it, to erase links to, copies or replication of that data.
  • Your organisation gives particular weight to a request for erasure where the processing is or was based on a child’s consent, especially when processing any personal data on the internet.

Have you considered the effectiveness of your accountability measures?

  • Would staff say there are effective processes in place to erase personal data?

  • Would requesters say they were given clear information about the steps you took?

Restriction

Your organisation has appropriate methods and procedures in place to restrict the processing of personal data if required.

Ways to meet our expectations:

  • Your organisation restricts personal data in a way appropriate for the type of processing and the system, for example temporarily moving the data to another system or removing it from a website.
  • If the personal data has been disclosed to others, your organisation contacts each recipient to tell them about the restriction, unless this is impossible or involves disproportionate effort.
  • If asked to, your organisation tells the data subject which third parties have received the personal data.

Have you considered the effectiveness of your accountability measures?

  • Would staff say you have effective processes in place to restrict personal data?

  • Would requesters say you gave them clear information about the steps you took?

Data portability

Individuals are able to move, copy or transfer their personal data from your organisation to another securely, without affecting the data.

Ways to meet our expectations:

  • When requested, you provide personal data in a structured, commonly used and machine readable format.
  • Where possible and if an individual requests it, your organisation can directly transmit the information to another organisation.

Have you considered the effectiveness of your accountability measures?

  • Would staff say you have effective data portability processes in place?
  • Would requesters say you gave them clear information?

Rights related to automated decision-making and profiling

Your organisation can protect individual rights related to automated decision-making and profiling, particularly where the processing is solely automated with legal or similarly significant effects.

Ways to meet our expectations:

  • You complete additional checks for vulnerable groups, such as children, for all automated decision-making and profiling..
  • Your organisation only collects the minimum data needed and has a clear retention policy for the profiles created.
  • If your organisation uses solely automated decisions that have legal or similarly significant effects on individuals, you have a recorded process to ensure these decisions only occur in accordance with Article 22 of the UK GDPR. If this applies, your organisation must also carry out a data protection impact assessment (DPIA).
  • Where the decision is solely automated and has legal or similarly significant effects on individuals, a recorded process allows simple ways for individuals to request human intervention, express their opinion and challenge a decision.
  • You conduct regular checks for accuracy and bias to ensure that systems are working as intended, and you feed this back into the design process.

Have you considered the effectiveness of your accountability measures?

  • Do staff and customers find your retention policy clear?
  • Do staff say you have effective processes to protect rights relating to automated decision-making and profiling?
  • Would individuals say you made it easy to request human intervention, express their opinion and challenge a decision?

Individual complaints

Your organisation has procedures to recognise and respond to individuals' complaints about data protection, and individuals are made aware of their right to complain.

Ways to meet our expectations:

  • You have procedures to handle data protection complaints raised by individuals and you report their resolution to senior management.
  • The DPO’s contact details or alternative contact points are publicly available if individuals wish to raise a complaint about the use of their data.
  • You tell individuals about their right to make a complaint to the ICO in your privacy information.

Have you considered the effectiveness of your accountability measures?

  • Would complainants say that they were clear about how to make complaints and how it would be handled?