The ICO exists to empower you through information.

At a glance

  • Individuals have the right to be informed about the collection and use of their personal data;
  • You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’;
  • The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language;
  • Exemptions apply, and you may restrict the provision of information where it is necessary and proportionate.

In brief

How should we provide this information?

The information you supply about the processing of personal data must be:

  • concise, intelligible and easily accessible;
  • written in clear and plain language, adapting this to the needs of vulnerable persons, such as children; and
  • free of charge.

What information must we supply as a minimum?

You must make this information generally available to the public:

  • your identity and contact details;
  • the contact details of your data protection officer, if applicable;
  • purposes of the processing;
  • the individual’s rights (access, rectification, erasure and restriction); and
  • the right to lodge a complaint with the Information Commissioner and the contact details of the ICO.

What information should we supply to an individual?

You should supply the following information to enable an individual to exercise their rights: 

  • your legal basis for processing;
  • your retention period or the criteria you used to determine the retention period;
  • any recipient or categories of recipients of the personal data (including in third countries or international organisations); and
  • any further information needed to enable individuals to exercise their rights, eg if information is collected without their knowledge

The right to this information is a qualified right, subject to restrictions that prevent any prejudice to an ongoing investigation or compromise to operational techniques.

Example

You have a generic privacy notice on your website which covers basic information about the organisation, the purpose you process personal data for, a data subject’s rights and their right to complain to the Information Commissioner.

You have received intelligence that an individual was present when a crime took place. On first interviewing this individual, you need to provide the generic information, as well as the further supporting information, to enable their rights to be exercised. You can only restrict the fair processing information you are providing if it will adversely affect the investigation you are undertaking.

In what circumstances may we limit the provision of further supporting information?

You may restrict the provision of further information where it is necessary and proportionate to:

  • avoid obstructing an official or legal inquiry, investigation or procedure;
  • avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
  • protect public security;
  • protect national security; or
  • protect the rights and freedoms of others.

You need to justify any restriction you apply as necessary and proportionate, and apply it on a case by case basis. It is important to balance the rights of the individual against the harm disclosure would cause.

You also must inform the individual when this limitation is in place, explaining its existence and the reasons, unless providing this information itself will undermine the purpose of imposing the restriction. Regardless, you still need to inform the individual about the process of raising a complaint with the Information Commissioner or taking matters to court.

You should keep a record of your decisions to rely on any restriction, and provide this reasoning to the Information Commissioner if required.