The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.


Good information handling provides a range of benefits as well as helping you to comply with the Data Protection and Freedom of Information Acts. Our information rights checklist (pdf) lists the main benefits and risks, along with practical suggestions for how to be open and responsible.

Data protection – looking after the information you hold

If you hold and process information about your clients, employees or suppliers, you are legally obliged to protect that information. Under the Data Protection Act, you must:

  • only collect information that you need for a specific purpose;
  • keep it secure;
  • ensure it is relevant and up to date;
  • only hold as much as you need, and only for as long as you need it; and
  • allow the subject of the information to see it on request.

Good information handling makes good business sense, and provides a range of benefits. You'll enhance your organisation’s reputation, increase customer and employee confidence and, by ensuring that the information is accurate, save both time and money.

Find out more about your data protection obligations

Filing defaults with credit reference agencies

Guidance for lenders and others who provide credit about when and how to file information about defaults with the credit reference agencies, so that the agencies are able to hold fair and accurate records about individuals’ financial standing.

Principles for the Reporting of Arrears, Arrangements and Defaults at Credit Reference Agencies (pdf, external link)

Credit agreements and data sharing

The ICO’s view on whether credit reference agencies can process information after a credit agreement has ended.

Credit agreements - data sharing (pdf)

Requests for personal information

Your employees and customers have the right to see their personal information by making a subject access request.

Find out how to deal with requests from individuals for personal information


If you do telephone, email or other electronic marketing then you need to comply with the Privacy and Electronic Communications Regulations.

For further information, see our guidance on direct marketing (pdf).

Credit unions - advisory visits report

In 2012/13 the ICO undertook seven advisory visits at credit unions (CRUs) to get a better understanding of the processing they undertake and the circumstances that they operate in. Read our findings from ICO advisory visits to credit unions, which cover our experience of personal data handling by CRUs and where they can make improvements in how they handle their members’ information.

Credit unions – findings from seven advisory visits at credit unions (pdf)

Registering with the ICO

If you handle personal information, you may need to register with us as a data controller. Notification is a statutory requirement and every organisation that processes personal information must notify the ICO, unless they are exempt. Failure to notify is a criminal offence.

Find out if you need to register


As an employer, you are obliged to protect your employees’ personal information.


Our training page has videos and practical toolkits to help you promote good data protection practice in your own organisation.