The ICO exists to empower you through information.

View our 'what we do with your personal data when you...' infographic for a basic overview of the below information.


Purpose and lawful basis for processing

As part of our statutory functions, we investigate and prosecute individuals and organisations for alleged criminal offences committed under the legislation we regulate (including Data Protection Act 2018, Freedom of Information 2000, etc.). The Information Commissioner is named as a competent authority for the purpose of Part 3 of the DPA 2018 which applies to the processing of personal data by such authorities for law enforcement purposes.

These purposes are set out at s.31 DPA 2018 and are the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, which might include the safeguarding against and the prevention of threats to public security. Our processing is either done because it is necessary for the performance of a task relating to one of these purposes or with the consent of the individual.

We process personal data for the purposes of law enforcement of the legislation for which we are regulator in the following three areas:

  • Criminal investigations
  • Intelligence
  • Financial recovery

Our processing can also include sensitive processing which means processing special category data for law enforcement purposes. Where this is the case we rely on either the consent of the individual or, provided the processing is strictly necessary for the law enforcement purposes, on a condition set out in Schedule 8 of the DPA 2018. Our Safeguards Policy explains about our processing (including sensitive processing) for law enforcement purposes, our procedures for complying with the data protection principles and our policies for retention and erasure of any personal data. You can read our policy here.

What we need

When we investigate an alleged criminal offence, we gather information and evidence which might include information about victims, suspects, witnesses and other individuals relevant to the circumstances and events. 

Why we need it

In our role as a competent authority, we need to establish whether offences have been committed so that we can take legal action if appropriate. So we’ll gather information relevant to our investigation which might include information about you. 

What we do with it

We use your personal information for the purposes of our investigation and, and for prosecution purposes if appropriate.

In some circumstances we may share your personal information with law enforcement and other agencies during an investigation. We may also share it with others such as expert witnesses.

If we are considering taking legal action, we’ll share this information with our external legal counsel, the courts and any co-defendants and their legal representatives. Court cases are held in public and so personal data, including special category data, might be made public during the course of proceedings.

When we successfully prosecute someone, we may publish the convicted individual’s identity in our Annual Report, on our website or distribute more widely to the media.

How long we keep it

For information about how long we hold personal data, see our retention schedule.

What are your rights?

You have a right to access your personal data held by or for us. You also have a right to get inaccurate data rectified and incomplete data completed, and for your personal data to be erased in certain circumstances.

We will provide further information directly to data subjects in specific cases to enable them to exercise their rights. This might be in cases where

we are processing your personal data that was collected without your knowledge.

We will not do this where doing so would be prejudicial to our investigation or for other reasons set out in s.44 (4) Data Protection Act 2018.

Do we use any data processors?

We do use external service providers in the UK for the case management system we use to process cases which are investigated for law enforcement purposes.

We sometimes use external service providers to carry out forensic analysis of evidence in cases which are investigated for law enforcement purposes or for financial recovery activities.

We have a legal obligation to ensure that the website is accessible in line with the WCAG 2.1 guidelines. Any prosecutions listed on our website will also be processed by our data processor, Silktide, to ensure we are compliant with these guidelines.

Do we make any overseas data transfers? 

Any transfers are made in line with our data protection obligations.