The ICO exists to empower you through information.

More and more people are conducting their personal affairs online. Online shopping, social networking, job hunting and the ability to carry out official functions, such as renewing car tax or contacting local councils and government departments online, are now an everyday part of life. Doing things online can offer convenience and widen opportunities, and in general people value it.

Organisations that collect and use your information have responsibilities to protect it. However, you can take various precautions to protect yourself from identity fraud or the misuse of your information, or to ensure that your privacy is respected in the way you would want.

How can I protect my personal information online?

When doing any online transaction you can take steps to protect your personal information. Use the same common sense as you would when asked for personal information on paper or face to face. Ask yourself:

  • who is collecting the information
  • what will be done with it?
  • is it necessary?
  • what are the consequences for me?

Check a site’s privacy notice to find out what it intends to do with your information. A privacy notice, sometimes called a privacy policy or statement, should tell you who is collecting your information, what it is going to be used for, and whether it will be shared with other organisations. This information may also be provided at the time you are asked for personal data via a popup box or floating text.

If the intentions are not clear, ask the company concerned for further details before you give any personal data, especially if it is sensitive. Companies may want to use your personal information to send you marketing or pass your details to other companies for marketing. They should give you the chance to opt in or out of receiving this marketing.

How can I protect my identity online?

Be careful when providing your personal information online. In particular, do not make too much personal information available to lots of people, for example by having open access on social networking sites. Your personal information can be used to steal your identity and commit fraud. Be wary of anyone who asks for your bank or credit card details, and only use secure sites when shopping online – secure sites usually carry the green padlock symbol in the address bar. However, this on its own is not a guarantee that you’re visiting the site you think you are – make sure the address for the website is the one you would expect as well.

Be careful when providing your:

  • Full name
  • Full address
  • Date of birth
  • Telephone number
  • National insurance number
  • School/ workplace
  • Birthplace
  • Previous addresses
  • Bank account details or payment card details
  • Account information

When choosing a password, avoid obvious choices such as mother’s maiden name, child’s name, pet’s name, or other references that someone may be able to find out through information you have posted elsewhere. Try to use random mixtures of numbers and letters. Use different passwords for different sites.

What are online scams and how can I avoid them?

Numerous scams are in operation to get you to provide personal details, including details of your bank account or credit card, for fraud. Phishing is a mostly email-based scam that lures you under false pretences to websites which look legitimate to get you to provide personal information. Such emails appear to be from recognisable sources such as banks but actually link to fraudulent websites.

  • If in doubt, don’t open emails or attachments.
  • Before disclosing any personal information online, make sure you know who you are dealing with.
  • Be suspicious of anyone who asks for your bank account of credit card details or asks for your password.
  • Examine the email sender’s address carefully before opening an email, and do not click on any links or email attachments unless you are sure of the sender’s identity.
  • Check that the link looks correct before you click on it – if you’re using webmail in a browser, hovering over the link with your cursor should allow you to see the actual link in the bottom left corner of your browser

As a rule, don’t click on any links in emails unless you’ve requested the email - visit the website you’re being asked to go to via your usual means, e.g. type the address in manually, use a bookmark or use a search engine.

Can I opt out of online marketing and advertising?

There are different ways of advertising to people online. Some involve displaying the same adverts to everyone who visits a particular website. Online behavioural advertising involves showing you a selection of adverts based on websites you have previously visited, as well as other interactions you’ve had with organisations, both online and offline. This targeted approach aims to tell you about products or services you are likely to be interested in.

Organisations and companies have always used information about their customers to market goods and services to them. For some people this will be a welcome and useful feature of using the internet, particularly when shopping online. However, other people dislike this approach and don’t want their buying and browsing habits used like this.

Websites should provide you with clear explanations of what they collect about your browsing habits, how they use that information to show you adverts, and provide an easy way for you to opt out of having your personal data processed in this way. It is important to note that this does not mean that you can opt out of having adverts displayed.

You should be told when cookies are being used and given choices about whether you agree to this use.

The Internet Advertising Bureau provides information on how online behavioural advertising works, and gives links to several organisations that enable you to opt out of behavioural advertising.

What security measures can I take?

Your internet browser – the software you use to browse the web, for example Microsoft Edge, Firefox, Chrome or Safari – will have built-in tools to help protect your personal information. Take some time to learn about the security and privacy settings in your browser. Some tools help you to control the amount of personal information you put online; others allow you to wipe the details of sites you have visited, or searches you have made, from your computer.

You should also install reputable and trusted antivirus and security software and keep this software updated. In some cases, you may have such software built in to your device’s operating system.

What should I consider when social networking?

Whether you are using a social networking site, internet dating site or just chatting on a messageboard or forum, the chances are you are putting personal information online. Once it’s out there, you will not be able to control what happens to it. This could pose a risk to your privacy or even your personal safety.

So before you create a profile, post a picture or tell the online world what you’re doing, think about how to make sure you’re safe.

When posting information online it’s also worth thinking about who might see it apart from your intended audience – would the things you write or the pictures you post cause embarrassment in real life? How would you feel if your current or potential employer saw what you posted?

Most sites allow you to control how public or private your information is – these controls are usually called privacy settings. While some sites set privacy settings automatically at their most private level, on others all your information could be available to anyone unless you change the privacy setting. If you don’t understand what a particular privacy setting means in practice, don’t post any information until you have found out.

Here are a few things you should consider before posting information or images on social networking sites:

  • Consider how the social network itself will use your personal information and whether you consider that to be appropriate.
  • Find out how the privacy settings offered can limit access to your personal information.
  • Adjust your privacy settings so that information about your family and children is shared only with those you know well.
  • Don’t include too much personal information that could make you vulnerable to identity fraud.
  • Think carefully before posting information – would you want your employer or potential employer to see those compromising pictures?
  • Review your information regularly – what may have seemed like a good idea at the time may not seem such a good idea some months or years later.
  • Get people’s consent before you upload their pictures or personal information.
  • Use strong passwords and logins to prevent your account being misused.

Remember that websites located outside of the European Economic Area are not obliged to follow these principles, so always check the privacy policy of the site.

How should I use privacy settings on social networking sites?

All reputable social networking websites should have clear and visible privacy settings. They can usually be accessed from the main page of your account, along with other general options. You can adjust privacy settings to control who can see your information, and how much they can see.

Here are some tips on using privacy settings:

  • Consider using the highest privacy settings when you first create your profile, then gradually adjust them and allow networking features only when you feel comfortable. This way, you won’t be making information available unless you really want to.
  • Think about what you want to use your profile for. If you only want to keep in touch with family and close friends, set your profile up so that it can only be accessed by those people.
  • You can set up your profile so that people can only access it if you have approved them. Once you accept someone as a friend, they’ll be able to access all the info and photos you have on your profile. You can always remove friends or followers if you change your mind, but by then they may have already seen your details.
  • On some social networking sites, people that aren’t your approved friends will still be able to see some details on your profile. It’s worth checking what they will be able to see. For example, on Facebook, you can choose to make people 'limited friends’, so they will only have access to a cut-down version of your profile.
  • If you don’t understand how to adjust your settings or you feel that you aren’t being given enough options, get in touch with the site administrator or customer service team. If you still aren’t happy, consider not using the website.

How can I help my children stay safe online?

Children use the internet regularly and may be involved in more online activity than their parents. Some children may have greater technical knowledge than their parents, but they may be unable to identify the risks of giving too much personal information online, and may be unable to spot scams as readily as adults. So:

  • Take the time to get involved in your children’s internet use and teach them about online safety.
  • Explain to children that they should not give any personal information online, eg full name, address, mobile number, email address, school name etc, if they would not want it freely available in the offline world.
  • Explain that people online may be lying about who they are, and ensure your children know they must always get your permission before agreeing to meet anyone.
  • Make children aware of spam or junk emails and explain that they should not open emails or texts from someone they don’t know.
  • Be aware that you will need to provide consent for your child to use an online service if they are under the age of 13
  • If children are using social networking sites, make sure they use appropriate privacy settings.
  • Be aware that children may be accessing the internet via their games console or mobile phone.
  • Consider using internet filtering and monitoring software for computers, mobiles or games consoles that your children own or use.
  • Be aware that your children may have the right to request the erasure of personal data posted on some services.

For more on child internet safety and useful materials aimed at children, parents and teachers, see:

What can I do if someone says something about me online that I don’t like?

There are several things you can do:

  • Most social networking sites have a policy for dealing with inaccurate or derogatory posts. Have a look on their website for their procedure for complaining about a post or asking for something to be removed.
  • If you can’t find a procedure or form on the website than try contacting the website administrator with your complaints.
  • Take the matter up directly with the organisation or individual who has posted the comments about you, if you think that this might help.
  • If you think that the posting is defamatory, or you feel threatened or harassed then consider taking legal advice or contacting the police.

If you don’t get things resolved by following the above advice then we are limited in what we can do to help you.

If the person posting comments about you is another individual expressing their personal view, we won’t be able to take any action against them.

We sometimes work with social networking websites to help them ensure their procedures for dealing with disputes about inaccurate or derogatory posts are adequate. If their procedures are adequate then we’re unlikely to consider complaints against websites about individual postings, and if we do then it's important that we recognise the right to freedom of expression guaranteed by the European Convention on Human Rights.

What other rights do I have?

You also have the right to stop organisations using your information to send you direct marketing. You should get the opportunity to opt in or opt out of receiving such marketing at the point you give your personal details. You should also have the opportunity to change your preference later if you change your mind.

If you would like to see or correct personal information that is held about you, or if you think there is a problem with how your personal information has been collected online, or how it is being used, you should first contact the person or organisation responsible for collecting the information.

The provider of the service or website you have given the information to should give details of how you can contact those responsible – often this information is in the privacy notice on its website.

If you complain to an organisation about the collection or use of your personal information, they should be able to explain to you how they are processing your personal information in line with the Data Protection Act.

Do I have any responsibilities when posting personal data about other people online?

In a personal capacity

If you are acting in a purely personal capacity when you post other people’s personal data online then you are not subject to the Data Protection Act.

However, even if you are exempt from the data protection principles it is still possible for you to break the law in other ways when posting online. For example, you could be prosecuted under the Protection from Harassment Act 1997 or the Communications Act 2003.

You could also be subject to a claim in the civil courts for damages, or be held to be in contempt of court. So it's important to think carefully about what you intend to say before posting information.

In a non-personal capacity

If you are representing an organisation or promoting your business interests then, even if you are doing so through your own social networking pages, you will be subject to the GDPR and may need to comply with the data protection principles.

We have previously produced guidance on when the requirements of the DPA applied to social networking and forums, which is linked below. It is our intention to update this guidance to explain the requirements of the GDPR in due course, but in the meantime you may find some of the general principles it discusses helpful.