The GDPR is coming soon
This legislation will replace current data privacy law, giving more rights to you as an individual and more obligations to organisations holding your personal data.
One of the rights is a right to be informed, which means we have to give you even more information than we do now about the way in which we use, share and store your personal information.
This means that we will be publishing a new privacy notice so you can access this information, along with information about the increased rights you have in relation to the information we hold on you and the legal basis on which we are using it.
This new privacy notice will be published on this website on 25 May.
How we use your information
This privacy notice tells you what to expect when the Information Commissioner’s Office (ICO) collects personal information. It applies to information we collect about:
- visitors to our websites;
- survey on the ICO blog;
- complainants and other individuals in relation to a data protection or freedom of information complaint or enquiry;
- people who use our services, eg who subscribe to our newsletter or request a publication from us;
- people who notify under the Data Protection Act;
- people who register their household CCTV camera;
- people who nominate individuals for the ICO practitioner award for excellence in data protection;
- people who apply for a grant under the ICO Grants Programme; and
- job applicants and our current and former employees.
When someone visits www.ico.org.uk we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
Our website search and decision notice search is powered by System Associates. Search queries and results are logged anonymously to help us improve our website and search functionality. No user-specific data is collected by either ICO or any third party.
We use a third party provider, Adestra, to deliver our monthly e-newsletters. We gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our e-newsletter. For more information, please see Adestra’s privacy notice.
Online reporting tool
We collect information volunteered by members of the public about nuisance calls and texts using an online reporting tool hosted by Snap Surveys. This company is a data processor for the ICO and only processes personal information in line with our instructions.
Security and performance
The ICO uses a third party service to help maintain the security and performance of the ICO website. To deliver this service it processes the IP addresses of visitors to the ICO website.
We use a third party service, WordPress.com, to publish our blog, and some of our conference microsites. These sites are hosted at WordPress.com, which is run by Automattic Inc. We use a standard WordPress service to collect anonymous information about users' activity on the site, for example the number of users viewing pages on the site, to monitor and report on the effectiveness of the site and help us improve it. WordPress requires visitors that want to post a comment to enter a name and email address. For more information about how WordPress processes data, please see Automattic's privacy notice.
People who contact us via social media
We use a third party provider, Hootsuite, to manage our social media interactions.
If you send us a private or direct message via social media the message will be stored by Hootsuite for three months. It will not be shared with any other organisations.
People who call our helpline
When you call the ICO's helpline we collect Calling Line Identification (CLI) information. We use this information to help improve the helpline's efficiency and effectiveness.
Our helpline also offers a translation service for customers when English is not their first language; this is provided by a third party company. The company that provides this service does not retain any information from the calls or record them.
People who email us
We use Transport Layer Security (TLS) to encrypt and protect email traffic in line with government. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit.
We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
People who use our LiveChat service
We use a third party provider, Goss Interactive, to supply and support our LiveChat service, which we use to handle customer enquiries in real time.
If you use the LiveChat service we will collect your name, email address (optional) and the contents of your LiveChat session. This information will be retained for two years and will not be shared with any other organisations.
You can request a transcript of your LiveChat session if you provide your email address at the start of your session or when prompted at the end.
When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.
We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We do compile and publish statistics showing information like the number of complaints we receive, but not in a form which identifies anyone.
We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for two years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
Similarly, where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.
When we take enforcement action against someone, we may publish the identity of the defendant in our Annual Report or elsewhere. Usually we do not identify any complainants unless the details have already been made public.
The ICO offers various services to the public. We use a third party to deal with some publication requests, but they are only allowed to use the information to send out the publications.
We have to hold the details of the people who have requested the service in order to provide it. However, we only use these details to provide the service the person has requested and for other closely related purposes. For example, we might use information about people who have requested a publication to carry out a survey to find out if they are happy with the level of service they received. When people do subscribe to our services, they can cancel their subscription at any time and are given an easy way of doing this.
Many businesses are required by law to ‘notify’ certain specified information to the Information Commissioner. This may contain personal information, for example where the business is a sole trader. The ICO compiles this information into a register which it is required by law to make publicly available. The ICO cannot therefore give any guarantees as to how the information contained on the register will be used by those accessing it.
When businesses fill in their registration forms, they are asked to provide the contact details of a relevant member of staff. ICO will use this for its own purposes, for example where we have a query about a registration, but will not put it on the public register.
When we request information as part of the registration process, we make it clear where the provision of information is required by law and where it is voluntary.
This type of registration will contain personal data; the operator of the domestic CCTV system must be a named individual and the registration requires the address of where the camera(s) is/are located. The ICO compiles this information into a register which it is required by law to make publicly available – although for this type of registration there is the option to provide an email or PO Box address instead of a full postal address for publication only. As the register is publicly available, the ICO cannot give any guarantees as to how the information contained on the register will be used by those accessing it.
When we request this information we make it clear what information we will and will not be publishing on the register.
When individuals complete a nomination for the ICO practitioner award for excellence in data protection they submit their information and that of the nominee in an application form. Any personal information that is provided is used only for the purpose of reviewing the nomination. The information about the winner will also be published on our own website.
When individuals apply for a research grant under the ICO’s Grants Programme, they submit their information in an application form, provide details of their proposal and an outline of the research’s potential cost. Those who are awarded grants are asked to provide progress reports, a final report and final expenses. Any personal information that is provided in the application and during any research that has been awarded a grant is used only for the purpose of reviewing the grant application and the ongoing administration and management of any grants that are awarded. We may also publish information about projects on our own website, including the amount of grant awarded and the recipient of the grant.
Some information regarding grants that are awarded is also published on the Government grants register. The information that will be made public on the Government grants register includes the name of the grant programme (for us the ICO Grants Programme) and the funder’s name (the ICO), a description of the grant’s aims and objectives, the value and currency of the grant, the date it was awarded and the name of the recipient of the grant and their recipient ID. More information on the Government grants register can be found here.
Service providers reporting a breach
Public electronic communications service providers are required by law to report any security breaches involving personal data to the ICO.
We provide an online form for this purpose, hosted by Egress. We use the data collected by the form to record the breach, to make decisions about the action we may take, and as relevant in order to carry out those actions. We retain personal information only for as long as necessary to carry out these functions, and in line with our retention schedule. This means that logs and breach reports will be retained for two years from receipt, and longer where this information leads to regulatory action being taken. We retain de-personalised information about organisations for as long as is necessary to help inform future actions, but no individuals are identifiable from that data.
The ICO and Egress have measures in place to ensure the security of data collected and transferred to the ICO via this form. Egress is a data processor for the ICO and only processes personal information in line with our instructions.
The ICO is the data controller for the information you provide during the process unless otherwise stated. If you have any queries about the process or how we handle your information please contact us at firstname.lastname@example.org.
What will we do with the information you provide to us?
All of the information you provide during the process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.
We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes or store any of your information outside of the European Economic Area. The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.
We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.
What information do we ask for, and why?
We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.
The information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for but it might affect your application if you don’t.
If you use our online application system, this will be collected by a data processor on our behalf (please see below).
We ask you for your personal details including name and contact details. We will also ask you about your previous experience, education, referees and for answers to questions relevant to the role you have applied for. Our recruitment team will have access to all of this information.
You will also be asked to provide equal opportunities information. This is not mandatory information – if you don’t provide it, it will not affect your application. This information will not be made available to any staff outside of our recruitment team, including hiring managers, in a way which can identify you. Any information you do provide will be used only to produce and monitor equal opportunities statistics.
Our hiring managers shortlist applications for interview. They will not be provided with your name or contact details or with your equal opportunities information if you have provided it.
We might ask you to participate in assessment days; complete tests or occupational personality profile questionnaires; and/or to attend an interview – or a combination of these. Information will be generated by you and by us. For example, you might complete a written test or we might take interview notes. This information is held by the ICO.
If you are unsuccessful following assessment for the position you have applied for, we may ask if you would like your details to be retained in our talent pool for a period of six months. If you say yes, we would proactively contact you should any further suitable vacancies arise.
If we make a conditional offer of employment we will ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We are required to confirm the identity of our staff, their right to work in the United Kingdom and seek assurance as to their trustworthiness, integrity and reliability.
You will therefore be required to provide:
- Proof of your identity – you will be asked to attend our office with original documents; we will take copies.
- Proof of your qualifications – you will be asked to attend our office with original documents; we will take copies.
- You will be asked to complete a criminal records declaration to declare any unspent convictions.
- We will provide your email address to the Government Recruitment Service who will contact you to complete an application for a Basic Criminal Record check via the Disclosure and Barring Service, or Access NI, which will verify your declaration of unspent convictions.
- We will contact your referees, using the details you provide in your application, directly to obtain references.
- We will also ask you to complete a questionnaire about your health. This is to establish your fitness to work. This is done through a data processor (please see below).
If we make a final offer, we will also ask you for the following:
- Bank details – to process salary payments
- Emergency contact details – so we know who to contact in case you have an emergency at work
- Membership of a Civil Service Pension scheme – so we can send you a questionnaire to determine whether you are eligible to re-join your previous scheme.
Post start date
Some roles require a higher level of security clearance – this will be clear on the advert. If this is the case, then you will be asked to submit information via the National Security Vetting process to HMRC. HMRC will be the data controller for this information.
HMRC will tell us whether your application is successful or not. If it is unsuccessful, the ICO will not be told the reason(s) why but we might need to review your suitability for the role or how you perform your duties.
Our Code of Conduct requires all staff to declare if they have any potential conflicts of interest, or if they are active within a political party. If you complete a declaration, the information will be held on your personnel file.
Use of data processors
Data processors are third parties who provide elements of our recruitment service for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
If you use our online application system, you will provide the requested information to Vacancy Filler who provide this online service for us. Once you click ‘apply now’ you will be taken to Vacancy Filler’s website and they will hold the information you submit but the ICO will have access to it.
Here is a link to their Privacy Notice.
If you accept a final offer from us, some of your personnel records will be held on CIPHR which is an internally used HR records system.
Here is a link to their Privacy Notice.
Capita HR Services
If you are employed by the ICO, relevant details about you will be provided to Capita HR Services who provide payroll services to the ICO. This will include your name, bank details, address, date of birth, National Insurance Number and salary.
Likewise, your details will be provided to MyCSP who are the administrators of the Civil Service Pension Scheme, of which the ICO is a member organisation. You will be auto-enrolled into the pension scheme and details provided to MyCSP will be your name, date of birth, National Insurance number and salary. Your bank details will not be passed to MyCSP at this time.
Health Management provide our Occupational Health service. If we make you a conditional offer, we will ask that you complete a questionnaire which will help to determine if you are fit to undertake the work that you have been offered, or advise us if any adjustments are needed to the work environment or systems so that you may work effectively.
We will send you a link to the questionnaire which will take you to Health Management’s website. The information you provide will be held by Health Management who will provide us with a fit to work certificate or a report with recommendations. You are able to request to see the report before it is sent to us. If you decline for us to see it, then this could affect your job offer. If an occupational health assessment is required, this is likely to be carried out by Health Management.
Here is a link to their Privacy Notice.
CEB provide online testing for us. If we ask you to complete one of these tests, we will send you a link to the test. Your answers will be provided to and held by CEB.
Here is a link to their Privacy Notice.
For senior vacancies, we sometimes advertise through Hays Recruitment. Hays will collect the application information and might ask you to complete a work preference questionnaire which is used to assess your suitability for the role you have applied for, the results of which are assessed by recruiters. Information collected by Hays will be retained for 12 months following the end of our agreement.
Here is a link to their Privacy Notice.
How long is the information retained for?
If you are successful, the information you provide during the application process will be retained by us as part of your employee file for the duration of your employment plus 6 years following the end of your employment. This includes your criminal records declaration, fitness to work, records of any security checks and references.
If you are unsuccessful at any stage of the process, the information you have provided until that point will be retained for 6 months from the closure of the campaign.
Information generated throughout the assessment process, for example interview notes, is retained by us for 6 months following the closure of the campaign.
Equal opportunities information is retained for 6 months following the closure of the campaign whether you are successful or not.
Vacancy Filler will provide us with management information about our recruitment campaigns. This is anonymised information which tells us about the effectiveness of campaigns, for example, from which source did we get the most candidates, equal opportunities information for monitoring purposes. This anonymised information will be retained for 6 years from the end of the campaign.
How do we make decisions about recruitment?
Final recruitment decisions are made by hiring managers and members of our recruitment team. All of the information gathered during the application process is taken into account.
CEB online testing is marked and a result is generated automatically. However, if you wish to challenge the mark you have received, the result can be checked manually.
You are able to ask about decisions made about your application by speaking to your contact within our recruitment team or by emailing email@example.com.
We also offer opportunities for people to come and work with us on a secondment basis. We accept applications from individuals or from organisations who think they could benefit from their staff working with us.
Applications are sent directly to the ICO. Once we have considered your application, if we are interested in speaking to you further, we’ll contact you using the details you provided.
We might ask you to provide more information about your skills and experience or invite you to an interview.
If we do not have any suitable work at the time, we’ll let you know but we might ask you if you would like us to retain your application so that we can proactively contact you about possible opportunities in the future. If you say yes, we will keep your application for 6 months.
If you are seconded to the ICO, we will ask that you complete:
- A political affiliation declaration
Also you will be expected to adhere to a confidentiality agreement and code of conduct which will be agreed with your organisation.
We might also ask you to complete our pre-employment checks or to obtain security clearance via the National Security Vetting process – both of which are described in this Notice above. Whether you need to do this will depend on the type of work you will be doing for us.
We ask for this information so that we fulfil our obligations to avoid conflicts of interest and to protect the information we hold.
It will be retained for the duration of your secondment plus 6 years following the end of your secondment.
Under the Data Protection Act 1998, you have rights as an individual which you can exercise in relation to the information we hold about you.
You can read more about these rights here – https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/
Complaints or queries
ICO tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of ICO’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.
If you want to make a complaint about the way we have processed your personal information, you can contact us in our capacity as the statutory body which oversees data protection law – www.ico.org.uk/concerns.
Access to personal information
ICO tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998. If we do hold information about you we will:
- give you a description of it;
- tell you why we are holding it;
- tell you who it could be disclosed to; and
- let you have a copy of the information in an intelligible form.
To make a request to the ICO for any personal information we may hold, you need to put the request in writing, addressing it to our Information Governance department, or writing to the address provided below.
If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.
If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting the Information Governance department.
Disclosure of personal information
In many circumstances we will not disclose personal data without consent. However, when we investigate a complaint, for example, we will need to share personal information with the organisation concerned and with other relevant bodies. Further information is available in our Information Charter about the factors we shall consider when deciding whether information should be disclosed.
You can also get further information on:
- agreements we have with other organisations for sharing information;
- circumstances where we can pass on personal data without consent, for example to prevent and detect crime and to produce anonymised statistics;
- our instructions to staff on how to collect, use and delete personal data; and
- how we check that the information we hold is accurate and up to date.
Links to other websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
Changes to this privacy notice
We keep our privacy notice under regular review. This privacy notice was last updated on 24 November 2017.
How to contact us
Information Governance department
Information Commissioner's Office