The ICO exists to empower you through information.

What to provide

We provide individuals with all the following privacy information:

The name and contact details of our organisation.

The name and contact details of our representative (if applicable).

The contact details of our data protection officer (if applicable).

The purposes of the processing.

The lawful basis for the processing.

The legitimate interests for the processing (if applicable).

The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).

The recipients or categories of recipients of the personal data.

The details of transfers of the personal data to any third countries or international organisations (if applicable).

The retention periods for the personal data.

The rights available to individuals in respect of the processing.

The right to withdraw consent (if applicable).

The right to lodge a complaint with a supervisory authority.

The source of the personal data (if the personal data is not obtained from the individual it relates to).

The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).

The details of the existence of automated decision-making, including profiling (if applicable).


When to provide it

We provide individuals with privacy information at the time we collect their personal data from them.

If we obtain personal data from a source other than the individual it relates to, we provide them with privacy information:

within a reasonable period of obtaining the personal data and no later than one month;

if we plan to communicate with the individual, at the latest, when the first communication takes place; or

if we plan to disclose the data to someone else, at the latest, when the data is disclosed.


How to provide it

We provide the information in a way that is:




easily accessible; and

uses clear and plain language.


Changes to the information

We regularly review and, where necessary, update our privacy information.

If we plan to use personal data for a new purpose, we update our privacy information and communicate the changes to individuals before starting any new processing.


Best practice – drafting the information

We undertake an information audit to find out what personal data we hold and what we do with it.

We put ourselves in the position of the people we’re collecting information about.

We carry out user testing to evaluate how effective our privacy information is.


Best practice – delivering the information

When providing our privacy information to individuals, we use a combination of appropriate techniques, such as:

a layered approach;


just-in-time notices;

icons; and

mobile and smart device functionalities.