If you hold or use personal information about your clients, employees or other people, you are legally obliged to protect that information. This toolkit helps you with what you need to know, and do.

Under the Data Protection Act 1998 (DPA) you must:

  • use personal information fairly and lawfully;
  • collect only the information necessary for a specific purpose(s);
  • ensure it is relevant, accurate and up to date;
  • only hold as much as you need, and only for as long as you need it;
  • allow the subject of the information to see it on request; and
  • keep it secure.

Good information handling makes good business sense, and provides a range of benefits. You'll enhance your business' reputation, increase customer and employee confidence, and by ensuring that personal information is accurate, relevant and safe, save both time and money.

This toolkit should help you evaluate and improve your compliance with the DPA.

Route A: Data protection assurance checklist

For first time users or those unfamiliar with their data protection obligations, Route A provides an overview and high level assessment of compliance with the DPA.

Route B: Select one or more checklists

Check the boxes below to choose specific areas and tailor the self-assessment to your organisation’s particular needs and risks (click the “i” for more information on each):

{{ lists[buildList].label }}
  • {{ lists[list].data[sectionData].name }}

{{ measure.label }}

More information

This measure has been:

At a glance (overall rating)

Report Generated at: {{date | date:'H:mm on d MMMM yyyy'}}

{{ lists[buildList].label }}
Overall rating: {{ getRating(buildList, false) }}
  • {{ getCount(buildList, 1) }}: Measures not implemented/planned
  • {{ getCount(buildList, 50) }}: Measures partially implemented/planned
  • {{ getCount(buildList, 100) }}: Measures successfully implemented

In detail

{{ lists[buildList].label }}
Overall rating: {{ getRating(buildList, false) }}

{{ option.text }}
Areas for focus/suggested actions Guidance
Action(s) Owner Deadline

Report Generated at: {{date | date:'H:mm on d MMMM yyyy'}}

You are almost ready to generate your report

Your report will include the following checklists:

{{ list.label }}

Would you like to include any of the following checklists in your report?


This toolkit is designed to help organisations evaluate and benchmark their own compliance with the DPA via self-assessment. Responsibility for ensuring that there are adequate risk management, governance and internal control arrangements in place rests solely with the data controller.

We take all reasonable care to ensure that the results of our self-assessment toolkit are a fair and accurate reflection of the data controller’s responses but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this toolkit, however such loss or damage is caused. We cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information in, or results from, this toolkit.

User guide

Toolkit outline

The ability of the ICO to undertake data protection audits, advisory visits or workshops for all the organisations it regulates is obviously limited by its resources. Therefore, the objective of the self-assessment toolkit is to give more organisations the opportunity to evaluate and benchmark their own DPA compliance without the direct involvement of the ICO.

This toolkit is aimed specifically at small to medium sized organisations.

Toolkit content

The overall objective of this toolkit is to enable an organisation to self-assess their compliance with the Data Protection Act 1998 (DPA).

The toolkit has five main checklists:

  • Data protection assurance
  • Information security
  • Records management
  • Data sharing and subject access
  • Direct marketing

For each completed checklist the toolkit will generate an assessment rating based on your responses.

Each of the five main checklists contains subsets of controls. The subsets consist of individual measures against which an organisation should assess themselves using the options provided (see below).

Each measure also contains some ‘more information’ which includes further explanation and suggestions that should be considered when making your assessment, as well as some 'guidance' links which will provide more detailed information in that area.

Assessment options

Within each measure in the toolkit there are three main assessment options:

  • Measures have not yet been implemented
  • Measure has been partially implemented/planned
  • Measured have been successfully implmented

The user should assess the measures that are currently in place within their organisation based on these options and then select the appropriate radio button on the right hand side.

In addition, there is also a “Not Applicable” option but this should only be selected where, after careful consideration, you feel that the measure does not apply to your organisation.

How to use this toolkit

A first time user can start the self-assessment by selecting Route A to begin the Data protection assurance checklist. This checklist has been designed to provide an overview and high level assessment of compliance with the DPA. Its content is based broadly around the eight principles of the DPA but it is not as detailed as the other toolkits.

Alternatively, a user can use Route B to select a number of the checklists to work through. This will provide a more detailed series of measures within the particular compliance areas selected, and allow the organisation to tailor the self-assessment to its particular needs and risks.

Once the selected checklists have been completed, the user can request a report which will summarise their responses and provide an overall rating. This can be printed and used as the basis for an action plan the organisation can use to improve their compliance with the DPA.

Unsupported Browser Detected

We have detected that you are using an unsupported browser. In order to use this service please upgrade this browser or select any of the following alternatives;