Why is this important?
Transparency is a key data protection principle which is fundamental to a ‘data protection by design and by default’ approach. It facilitates the exercise of individuals’ rights and gives people greater control. This is particularly important if the processing is complex or if it relates to a child. Proactively respecting people’s privacy can give you a competitive advantage by increasing the confidence of the public, regulators and business partners. Being open and honest about what you do with personal data will support contracting and data sharing with third parties.
At a glance – what we expect from you
- Privacy notice content
- Timely privacy information
- Effective privacy information
- Automated decision-making and profiling
- Staff awareness
- Privacy information review
- Tools supporting transparency and control
Privacy notice content
Your organisation's privacy information or notice includes all the information required under Articles 13 and 14 of the UK GDPR.
Ways to meet our expectations:
- Privacy information includes all relevant contact information, eg the name and contact details of your organisation (and your representative if applicable) and the DPO’s contact details.
- Privacy information includes the purposes of the processing and the lawful bases (and, if applicable, the legitimate interests for the processing).
- Privacy information includes the types of personal data you obtain and the data source, if the personal data is not obtained from the individual it relates to.
- Privacy information includes details of all personal data that you share with other organisations and, if applicable, details of transfers to any third countries or international organisations.
- Privacy information includes retention periods for the personal data, or if that is not possible, the criteria used to determine the period.
- Privacy information includes details about individuals' rights including, if applicable, the right to withdraw consent and the right to make a complaint.
- Privacy information includes details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if you collect the personal data from the individual it relates to).
- You provide individuals with privacy information regarding the source of the processed personal data if you don’t obtain it from the individual concerned, eg if the data is from publicly accessible sources such as social media, the open electoral register or Companies House.
Have you considered the effectiveness of your accountability measures?
- Do your staff understand what privacy information is and what must be provided?
- Are individuals provided with clear information about the source of personal data, if you don’t obtain it from the individual concerned?
Timely privacy information
You have a recorded procedure to make sure that individuals receive privacy information at the right time, unless an exemption applies.
Ways to meet our expectations:
- Individuals receive privacy information at the time their data is collected, whether they provide it directly (eg when they fill in a form) or it is obtained by observation (eg CCTV or online tracking).
- If you obtain personal data from a source other than the individual it relates to, you provide privacy information within a reasonable period and no later than one month after obtaining the data; sooner if you use the data to communicate with the individual (at the latest at the first communication) or disclose it to another recipient (at the latest when it is first disclosed).
Have you considered the effectiveness of your accountability measures?
- Do your staff understand when and how privacy information should be provided?
Effective privacy information
Your organisation provides privacy information that is:
- concise;
- transparent;
- intelligible;
- clear;
- in plain language; and
- communicated in a way that is effective for the target audience.
Ways to meet our expectations:
- You proactively make individuals aware of privacy information and have a free, easy way to access it.
- You provide privacy information to individuals in electronic and hard-copy form, using a combination of appropriate techniques, such as a layered approach, icons and mobile and smart device functionalities.
- You write privacy information in clear and plain language that the intended audience can understand, and offer it in accessible formats if required.
- You take particular care to write privacy information for children in clear, plain language, that is age-appropriate, and explains the risks involved in the processing and what safeguards are in place.
Have you considered the effectiveness of your accountability measures?
- Would customers say you proactively made them aware of privacy information?
- Did you use an appropriate form of communication?
- Was it easy to understand?
Automated decision-making and profiling
Your organisation is transparent about any processing relating to automated decision-making and profiling.
Ways to meet our expectations:
- You have procedures for individuals to access the personal data you use to create profiles, so they can review for accuracy and edit it if needed.
- If the decision is solely automated and has legal or similarly significant effects, your organisation tells individuals about the processing - including what information you are using, why and what the impact is likely to be.
- If the purpose is initially unclear, you give individuals an indication of what your organisation is going to do with their data, and you proactively update your privacy information as this becomes clearer.
- If the decision is solely automated and has legal or similarly significant effects, your organisation explains the processing in a meaningful way that enables individuals to exercise their rights including obtaining human intervention, expressing their point of view and contesting the decision.
Have you considered the effectiveness of your accountability measures?
- Would individuals say that you explained the processing to them in a meaningful way that helped them to exercise their rights?
- Is it easy for them to access the personal data you used to create profiles?
Staff awareness
Your organisation can demonstrate that any member of front-line staff is able to explain the necessary privacy information to data subjects and provide guidance.
Ways to meet our expectations:
- You arrange organisation-wide staff training about privacy information.
- Front-line staff receive more specialised or specific training.
- Staff are aware of the various ways in which the organisation provides privacy information.
Have you considered the effectiveness of your accountability measures?
- Do your staff have good general knowledge about privacy information and the ways it is provided?
- Do front-line staff have more detailed knowledge?
Privacy information review
Your organisation has procedures to review the privacy information provided to data subjects regularly to make sure that it is accurate, up to date and effective.
Ways to meet our expectations:
- You review privacy information against the records of processing activities, to ensure it remains up to date and that it accurately explains what happens with individuals’ personal data.
- You maintain a log of historical privacy notices, including the dates you made any changes, in order to allow a review of what privacy information you provided to data subjects and when.
- Your organisation carries out user testing to evaluate the privacy information’s effectiveness.
- Your organisation analyses complaints from the public about how you use their personal data, and in particular, any complaints about how you explain that use.
- If your organisation plans to use personal data for a new purpose, you have a procedure to update the privacy information and communicate the changes to individuals before starting any new processing.
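As an added example (not from this ICO page, and not an ICO tool), the Python script below shows one way to mechanise two of the measures above: reconciling a privacy notice against the record of processing activities (ROPA) so that every documented purpose, lawful basis, recipient, retention period, international transfer and indirect data source is actually disclosed, and keeping a dated, hash-chained log of published notice versions so you can later show what individuals were told and when. The ROPA entries, the two notice versions and all field names are constructed assumptions for illustration.

```python
"""Added example: reconcile a privacy notice against a ROPA and keep a
dated, tamper-evident log of published versions. Field names are assumed."""
import hashlib
import json
from datetime import date

# Constructed sample ROPA, one entry per purpose (hypothetical data).
ROPA = [
    {"purpose": "order fulfilment", "lawful_basis": "contract",
     "recipients": ["courier"], "retention": "6 years", "transfer_outside_uk": False},
    {"purpose": "marketing emails", "lawful_basis": "consent",
     "recipients": ["email service provider"],
     "retention": "until consent is withdrawn", "transfer_outside_uk": True},
    {"purpose": "fraud screening", "lawful_basis": "legitimate interests",
     "recipients": ["fraud screening provider"], "retention": "2 years",
     "transfer_outside_uk": False, "data_source": "credit reference agency"},
]

# Constructed notice v1, deliberately inconsistent with the ROPA.
NOTICE_V1 = {
    "controller_contact": "Example Ltd, privacy@example.test",
    "dpo_contact": "dpo@example.test",
    "rights": ["access", "rectification", "erasure", "withdraw consent",
               "complain to the ICO"],
    "purposes": [
        {"purpose": "order fulfilment", "lawful_basis": "contract",
         "recipients": ["courier"], "retention": "6 years"},
        {"purpose": "marketing emails", "lawful_basis": "legitimate interests",
         "recipients": ["email service provider"],
         "retention": "until consent is withdrawn"},
    ],
}

# Constructed notice v2: the corrected version that should reconcile cleanly.
NOTICE_V2 = {
    **NOTICE_V1,
    "purposes": [
        NOTICE_V1["purposes"][0],
        {"purpose": "marketing emails", "lawful_basis": "consent",
         "recipients": ["email service provider"],
         "retention": "until consent is withdrawn",
         "international_transfer": "provider hosts data in the US under the UK IDTA"},
        {"purpose": "fraud screening", "lawful_basis": "legitimate interests",
         "legitimate_interests": "preventing fraudulent orders",
         "recipients": ["fraud screening provider"], "retention": "2 years",
         "data_source": "credit reference agency"},
    ],
}

REQUIRED_TOP_LEVEL = ("controller_contact", "dpo_contact", "purposes", "rights")


def reconcile(notice, ropa):
    """Return findings where the notice disagrees with the ROPA or omits
    information Articles 13/14 require; an empty list means consistent."""
    findings = [f"missing: {k}" for k in REQUIRED_TOP_LEVEL if not notice.get(k)]
    stated = {p["purpose"]: p for p in notice.get("purposes", [])}
    for e in ropa:
        name, told = e["purpose"], stated.get(e["purpose"])
        if told is None:
            findings.append(f"{name}: purpose processed but not in notice")
            continue
        if told.get("lawful_basis") != e["lawful_basis"]:
            findings.append(f"{name}: lawful basis '{told.get('lawful_basis')}' "
                            f"!= ROPA '{e['lawful_basis']}'")
        if e["lawful_basis"] == "legitimate interests" and not told.get("legitimate_interests"):
            findings.append(f"{name}: legitimate interests relied on but not described")
        for r in sorted(set(e["recipients"]) - set(told.get("recipients", []))):
            findings.append(f"{name}: recipient '{r}' not disclosed")
        if told.get("retention") != e["retention"]:
            findings.append(f"{name}: retention '{told.get('retention')}' != ROPA '{e['retention']}'")
        if e.get("transfer_outside_uk") and not told.get("international_transfer"):
            findings.append(f"{name}: transfer outside the UK not disclosed")
        if e.get("data_source") and not told.get("data_source"):
            findings.append(f"{name}: data obtained indirectly but source not disclosed")
    for name in sorted(set(stated) - {e["purpose"] for e in ropa}):
        findings.append(f"{name}: in notice but not in ROPA (stale or undocumented)")
    return findings


def _canonical(notice):
    return json.dumps(notice, sort_keys=True, separators=(",", ":")).encode()


class NoticeLog:
    """Append-only history of published notices. Each entry records the ISO
    publication date and SHA-256(prev_hash || canonical JSON), so a later
    edit to any stored version or date breaks the chain."""

    def __init__(self):
        self.entries = []

    def publish(self, notice, published_on):
        date.fromisoformat(published_on)  # reject malformed dates early
        body = _canonical(notice)
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        digest = hashlib.sha256(prev.encode() + body).hexdigest()
        self.entries.append({"version": len(self.entries) + 1, "published_on": published_on,
                             "notice": json.loads(body), "prev": prev, "hash": digest})
        return digest

    def in_force_on(self, day):
        """Version an individual would have been shown on an ISO date, or None."""
        current = None
        for e in self.entries:  # ISO dates compare correctly as strings
            if e["published_on"] <= day:
                current = e
        return current

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            expect = hashlib.sha256(prev.encode() + _canonical(e["notice"])).hexdigest()
            if e["prev"] != prev or e["hash"] != expect:
                return False
            prev = e["hash"]
        return True


if __name__ == "__main__":
    for f in reconcile(NOTICE_V1, ROPA):
        print("v1:", f)
    log = NoticeLog()
    log.publish(NOTICE_V1, "2024-01-15")
    log.publish(NOTICE_V2, "2024-06-01")
    print("v2 findings:", reconcile(NOTICE_V2, ROPA), "chain ok:", log.verify())
```

Run against the constructed data, v1 yields three findings (the marketing lawful basis disagrees with the ROPA, the transfer outside the UK is not disclosed, and fraud screening is processed but never mentioned) while v2 yields none. The chained hashes are not a substitute for keeping the published HTML or PDF itself, but they let a reviewer show which exact text was in force on a given date and detect after-the-fact edits to the history.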
Have you considered the effectiveness of your accountability measures?
- Is there an effective review process?
- Would individuals say that you provide effective privacy information?
Tools supporting transparency and control
You are open about how you use personal data, and offer tools to support transparency and control, especially when processing children's personal data.
Ways to meet our expectations:
- Privacy policies are clear and easy for members of the public to access.
- You provide individuals with tools, such as secure self-service systems, dashboards and just-in-time notices, so they can access, determine and manage how your organisation uses their personal data.
- Your organisation offers strong privacy defaults and user-friendly options and controls.
- Where relevant, you have processes in place to help children exercise their data protection rights in an easily accessible way that they understand.
- You implement appropriate measures to protect children using digital services.
Have you considered the effectiveness of your accountability measures?
- Would the public say that your policies are clear, easy to find and access?
- Do they feel appropriately supported in accessing, determining and managing how their data is used?
- Would children say the same?
Further reading
ICO guidance:
- Guidance on Explaining decisions made with AI
- Right to be informed
- Children
- Draft Guidance on explaining
- Age Appropriate Design Code of Practice
ICO template: