The ICO exists to empower you through information.

Purpose and lawful basis for processing

Our purpose is to investigate and take regulatory action in line with our statutory duties.

The lawful basis we rely on to process your personal data is article 6(1)(e) of the UK GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.

If the information you provide us in relation to your report contains special category data, such as health, religious or ethnic information, the lawful basis we rely on to process it is article 9(2)(g) of the UK GDPR, which also relates to our public task and the safeguarding of your fundamental rights, together with Schedule 1 part 2(6) of the DPA 2018, which relates to statutory and government purposes.

What we need and why we need it

We need enough information from you to investigate your protected disclosure to us, including any evidence you have to support it.

When we receive a complaint from you, we’ll set up a case file containing the details of your complaint. This normally includes your identity, contact details and any other information you have given us about individuals involved in the complaint. We will treat the information you provide confidentially. Please see our guidance for whistleblowers for more information.

You can contact us anonymously if you prefer, but we are more likely to be able to investigate potential wrongdoing if we are confident that the person making the disclosure is in a position to make an informed complaint. It will also mean we are better able to feed back information about any action we have taken, if we can.

Why we need it

We need to know the details of your complaint so that we can make a decision on the organisation’s compliance with the relevant legislation and fulfil our regulatory function.

What we do with it

We’ll treat the information you provide as confidential and won’t disclose it without lawful authority. But to look into a matter properly, we’ll usually need to disclose some information to the organisation concerned. We can discuss this with you, but you should clearly indicate any information that you don’t want us to share from the outset.

If possible, we’ll give you feedback about any action we take as a result of your disclosure. However, this feedback will be restricted. We also have a duty of confidence to the organisations we regulate. We are legally prevented from sharing much of the information we hold about them.

We’ll also publish information in a yearly report about any action we take as a result of disclosures by whistleblowers. This won’t, however, contain any information that will identify individual whistleblowers or their employers (including ex-employers).

We will use your personal information to process your complaint and to check on the level of service we provide. We compile and publish statistics showing such information as the number of complaints we receive, but not in a form that identifies anyone.

How long we keep it

For information about how long we hold personal data, see our retention schedule.

What are your rights?

We are acting in our official capacity to assess your report of a potential breach of the law, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

For more information on your rights please see ‘Your rights as an individual’.

Do we use any data processors?