Profiling tools for online safety
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
Latest updates - July 2025
30 July 2025 - this guidance was published
Contents
About this guidance
- Why have you produced this guidance?
- Who’s it for?
- What does it cover?
- What doesn’t it cover?
- How do we use this guidance?
- How does this guidance relate to the OSA?
What are profiling tools and what personal information processing do they involve?
- What do you mean by profiling tools?
- How are profiling tools used in trust and safety systems?
- What personal information processing do profiling tools involve?
- How do profiling tools inform moderation decisions on online services?
- Do profiling tools process special category information?
- Is criminal offence information a relevant consideration?
How does PECR apply to profiling tools?
How do we demonstrate our compliance with our data protection obligations?
- How do we assess and mitigate the data protection risks involved in our use of profiling tools?
- How do we integrate data protection by design and by default?
- What if our profiling tools use children’s information?
- Who is the data controller for our profiling tools?
- How do we share personal information relating to our profiling?
- What do we need to consider if we transfer people’s personal information outside the UK?
- How do we demonstrate accountability?
How do we use profiling tools lawfully?
- What does it mean for our use of profiling tools to be lawful?
- When can we rely on legal obligation?
- When can we rely on legitimate interests?
- Can we rely on contract?
- What about consent?
- What about vital interests and public task?
- What if our profiling involves special category information?
- What if our profiling involves criminal offence information?
How do we use profiling tools fairly and transparently?
How do we define our purposes for profiling and ensure data minimisation?
How do we ensure the accuracy of personal information in our profiling tools?
How long should we keep personal information for and how do we keep it secure?
- How long should we keep personal information that is used and generated by our profiling tools?
- How do we ensure the security of personal information used in our profiling tools?
What data protection rights do people have?
- Why is this important?
- What must we provide in response to a subject access request (SAR)?
- What do we do if we receive a rectification request?
- What do we need to do if someone objects to our processing?
Does article 22 apply to our use of profiling tools?
- Why is this important?
- When are we taking solely automated decisions about users?
- When does our use of profiling have a legal or similarly significant effect?
- What do we need to do when article 22 applies to our use of profiling?
- What about special category information?
- What if article 22 does not apply?