This guidance discusses the right to be informed in detail. Read it if you have detailed questions not answered in the Guide, or if you need a deeper understanding to help you decide what information to give individuals about your processing, and how to do this in practice. DPOs and those with specific data protection responsibilities in larger organisations are likely to find it useful.

If you haven’t yet read the ‘in brief’ page on the right to be informed in the Guide to Data Protection, you should read that first. It sets out the key points you need to know, along with practical checklists to help you comply.

Contents

What is the right to be informed and why is it important?

What is the right to be informed?

Why is it important?

How can it help our broader compliance?

What can happen if we get it wrong?

What privacy information should we provide?

What information must we provide when we collect personal data from individuals?

What information must we provide when we obtain personal data from another source?

When should we provide privacy information?

At what point do we have to provide information to individuals?

How long do we have if we obtain personal data from other sources?

Can we put privacy information on our website for people to find?

Are there any exceptions?

Are there any exceptions or exemptions?

What are the exceptions in the UK GDPR?

When can we rely on impossibility?

When can we rely on disproportionate effort?

What else should we consider if we want to rely on an exception?

What other exemptions are in the DPA 2018?

How should we draft our privacy information?

Where should we start?

Why should we think about our audience?

How should we write and present the information?

Should we test our privacy information?

Should we keep it under review?

What if we want to use personal data for a new purpose?

What methods can we use to provide privacy information?

Are there different ways we can provide privacy information?

What is a layered approach?

How can dashboards help?

What is a just-in-time notice?

Can we use icons as well?

How can we provide privacy information to people using mobile devices?

What about the Internet of Things and other smart devices?

What common issues might come up in practice?

What do we need to think about if we plan to share personal data with (or sell it to) other organisations?

What if we buy personal data from other organisations?

What do we need to think about if we obtain personal data from publicly accessible sources?

What do we need to think about if we use Artificial Intelligence (AI)?