The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.


Information rights

Good information handling provides a range of benefits as well as helping you to comply with the Data Protection and Freedom of Information Acts. We have produced guidance for senior managers about taking a positive approach to information rights.

Data protection – looking after the information you hold

If you hold and process information about your clients, employees or suppliers, you are legally obliged to protect that information. Under the Data Protection Act, you must:

  • only collect information that you need for a specific purpose;
  • keep it secure;
  • ensure it is relevant and up to date;
  • only hold as much as you need, and only for as long as you need it; and
  • allow the subject of the information to see it on request.

Find out about your data protection obligations.

Marketing campaigns

If you're planning a marketing campaign, you'll have to comply with a number of regulations. Some of these apply to unsolicited electronic messages sent by telephone, fax, email or text, while others apply to marketing material sent by post.

Electronic mail marketing

The most important thing to remember is that you can only carry out unsolicited electronic marketing if the person you're targeting has given you their permission.

However, there is an exception to this rule. Known as the 'soft opt-in' it applies if the following conditions are met;

  • where you've obtained a person's details in the course of a sale or negotiations for a sale of a product or service;
  • where the messages are only marketing similar products or services; and
  • where the person is given a simple opportunity to refuse marketing when their details are collected, and if they don't opt out at this point, are given a simple way to do so in future messages.

When you send an electronic marketing message, you must tell the recipient who you are and provide a valid contact address.

The rules on emails don't apply to emails sent to organisations, though you must still identify yourself and provide an address.

The Telephone Preference Service (TPS) and Fax Preference Service (FPS) are operated by the Direct Marketing Association, and allow people to register their numbers to opt out of receiving unsolicted calls or faxes. You must not market individuals or organisations who have registered their numbers with the TPS or FPS.

In summary, we recommend that your marketing campaigns are always permission-based and you explain clearly what a person's details will be used for. Provide a simple way for them to opt out of marketing messages and have a system in place for dealing with complaints.

To ensure your marketing complies with data protection law and good practice see our direct marketing checklist - ideal for small businesses (pdf). For more information read our direct marketing guidance (pdf).

Postal marketing

Postal marketing - more commonly known as 'junk mail' - can form an important part of any organisation's overall marketing strategy. From simple flyers and response forms to competition entries and interactive CDs, postal campaigns can generate important new leads and business.

However, as with electronic marketing, if the person or organisation you're targeting asks to be taken off your mailing list, you must comply with their request. There are no exceptions to this rule, and if you fail to comply, they can apply to the courts for an order against you under section 11 of the Data Protection Act.

The Mailing Preference Service (MPS) is a service set up by the direct marketing industry to help people who don't want to receive 'junk mail'. People simply register their details to prevent further mailings, and several direct marketing codes of practice specify that marketers should clean their lists against the MPS file. Many of the companies who subscribe to the MPS recognise the considerable benefits of the service as they save money, time and resources by not sending material to people who don't wish to receive it.

To ensure your marketing complies with data protection law and good practice see our direct marketing checklist. For more information read our direct marketing guidance.

Notification with the ICO

If you handle personal information, you may need to notify as a data controller with the Information Commissioner’s Office. Notification is a statutory requirement and every organisation that processes personal information must notify the ICO, unless they are exempt. Failure to notify is a criminal offence. See our page Do I need to notify and how do I maintain my register entry? for more information.

Requests for personal information

Your employees and customers have rights to see their personal information. They can make a subject access request to see the personal information you hold about them. Find out more information on this and what you need to do to reply to a subject access request.


If you are an employer, you are obliged to protect your employees’ personal information. For more information, see our section on employment here; our Quick Guide to the Employment Practices Code gives practical advice on handling employees’ personal information, on monitoring at work and on employees’ rights. You will also find help on your obligations regarding the storing and release of any references you supply.

Freedom of information – making public information available

The Freedom of Information Act means that public authorities must disclose official information when people ask for it (unless there is a good legal reason not to), and they must reply within 20 working days. Find out about your freedom of information obligations.