The ICO exists to empower you through information.

How to use this report

Please see below for suggested actions and further reading based on your answers to the six questions. You can download this report as a Word document using the button in the top right corner of the page. If you have a problem downloading the report as a Word document, please let us know.

Is someone in your business responsible for creating the privacy information for your activities and keeping it up to date? - Partially


Choose someone to take responsibility for keeping your privacy information accurate and up to date. If you’re a sole trader, this needs to be you.

Give them adequate training so they can do this role effectively for your organisation.

Your staff need to know who this person is and how they can contact them.

They should regularly review your privacy information to make sure it is accurate and up to date.

You need to update the privacy information if you process personal data for a new purpose, and tell people before you start the new processing.

Does the responsible person know what your privacy information needs to include? - Partially


The responsible person needs to know what information people should be told.

Your privacy information must always include:

  • name and contact details for your business;
  • the types of personal data you process, for example names and addresses, health data, personal data in official documents such as a copy of a birth certificate;
  • why you’re processing the data;
  • your lawful basis for processing it;
  • where you got people’s personal data from, if it wasn’t directly from them (including if it was from a public source);
  • who you are sharing it with;
  • how long you are keeping it or how you decide this;
  • that people have data protection rights;
  • how people can exercise those rights, for example they can ask for a copy of their personal data; and
  • that people can complain to the ICO.

Sometimes, you’ll need to give more information, for example if you transfer personal data outside the UK or if you use automated decision-making.

We’ve got information on our website that should help you to decide what information you need to provide.

Does your responsible person know how to provide privacy information? - No


Your responsible person should review your privacy information and decide if you are providing it in the best way. There isn’t a one-size-fits-all method that works best and you can give it in a variety of ways, such as:

  • in writing – eg on financial applications or job application forms;
  • on signage – eg a poster in a public area or a sign advising of CCTV in operation;
  • electronically – in emails or on your website; or
  • verbally – although it’s best to make a note if you provide information verbally so you have a record that you’ve done it.

Consider a layered approach to make the information more accessible. For example, your emails might contain a brief description of how you use the recipient’s personal data but also provide a link to your detailed privacy notice.

You may find our guidance on methods to use when providing your privacy information and our privacy notice template useful here.

Is your business’ privacy information easy to understand? - Partially


The responsible person should review your privacy information now.

They should make sure it is clear, concise and uses plain language.

It must be appropriate for your target audience. For instance, if you process children's personal data regularly, you must write your privacy information so a child can understand it.

Does the responsible person know when to give privacy information? - Partially


The responsible person should make sure you give your privacy information as soon as possible. There are different rules depending on where the personal data came from.

If you get personal data directly from the people themselves, you need to give them your privacy information at the same time.

If you didn’t get the personal data from the individual themselves, you need to provide them with your privacy information:

  • the first time you communicate with them;
  • within a reasonable time after obtaining the personal data and no more than one month later; or
  • before or when you disclose the data to someone else.

There are some limited exceptions when you don’t need to provide privacy information.

Are all people in your business aware of your privacy information and where to find it? - No


Make sure all people in your business, regardless of grade, role or responsibilities, are aware of your privacy information and where to find it.

You are likely to process their personal data, so they are entitled to receive privacy information themselves. You may decide to have an employee section in your privacy notice.

You should include privacy information in new starter and refresher training. The training should be specific to people’s roles and go into enough detail to help them answer questions in this area. The training should help them spot any gaps or inaccuracies in your privacy information and make clear that they should raise these with your responsible person.