The ICO exists to empower you through information.

Most of the personal information we process is provided to us directly by you for one of the following reasons:

  • You have made a complaint or enquiry to us.
  • You have made an information request to us.
  • You wish to attend, or have attended, an event.
  • You subscribe to our e-newsletter.
  • You have applied for a job or secondment with us.
  • You are representing your organisation.
  • You visit our website and consent to our use of cookies.
  • You have contacted the Digital Regulation Cooperation Forum (DRCF).

We also receive personal information indirectly, in the following scenarios:

  • We have contacted an organisation about a complaint you have made and it gives us your personal information in its response.
  • Your personal information is contained in reports of breaches of data protection law (‘breach reports’) given to us by organisations.
  • A complainant refers to you in their complaint correspondence.
  • From an individual using our subject access request service.
  • Whistleblowers include information about you in their reporting to us.
  • We have seized personal information as part of an investigation.
  • As part of the evidence provided to us by an organisation that we are auditing, or when assessing an organisation’s suitability for an audit.
  • From other public authorities, regulators or law enforcement bodies.
  • Where you have made your contact information available on your organisation's website, or social media accounts, and we use this to contact you and your organisation in our role as a regulator.
  • An employee of ours gives your contact details as an emergency contact or a referee.
  • We undertake personal or corporate credit reference agency checks as part of the process to determine the amount of a penalty to be issued for serious breaches of the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations, or in seeking to recover payment of a penalty or Court order. Checks undertaken on individuals will not leave a footprint on the individual’s credit file. Where we are setting the amount of a penalty we may seek to validate financial information already provided. We may therefore advise individuals directly that credit reference checks will be undertaken, providing it is not considered prejudicial to the Commissioner’s regulatory functions.

If it is not disproportionate or prejudicial, we’ll contact you to let you know we are processing your personal information. ​

As part of the Information Commissioner’s statutory and corporate functions, we process special category data and criminal conviction data. Please read our Safeguards Policy – special categories of personal data and criminal convictions here.