The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Privacy notice content

Your organisation's privacy information or notice includes all the required information under Article 13 and 14 of the UK GDPR.

Ways to meet our expectations:

  • Privacy information includes all relevant contact information, eg the name and contact details of your organisation (and your representative if applicable) and the DPO’s contact details.
  • Privacy information includes the purposes of the processing and the lawful bases (and, if applicable, the legitimate interests for the processing).
  • Privacy information includes the categories of personal data you obtain and the data source, if this isn’t the individual the data relates to.
  • Privacy information includes details of all personal data that you share with other organisations and, if applicable, details of transfers to any third countries or international organisations.
  • Privacy information includes retention periods for the personal data, or if that is not possible, the criteria used to determine the period.
  • Privacy information includes details about individuals' rights including, if applicable, the right to withdraw consent and the right to make a complaint.
  • Privacy information includes details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if you collect the personal data from the individual it relates to).
  • You provide individuals with privacy information regarding the source of the processed personal data if you don’t obtain it from the individual concerned, eg if the data is from publicly accessible sources such as social media, the open electoral register or Companies House.

Can you answer yes to the following questions?

  • Do your staff understand what privacy information is and what must be provided?
  • Are individuals provided with clear information about the source of personal data, if you don’t obtain it from the individual concerned?