The ICO exists to empower you through information.

We will not share your information with any third parties for the purposes of direct marketing.

We use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct. When it is necessary for us to transfer your personal information outside of the UK this will only be done in accordance with the UK GDPR. 

In some circumstances we are legally obliged to share information. For example under a court order or where we cooperate with other European supervisory authorities in handling complaints or investigations. We might also share information with other regulatory bodies in order to further their, or our, objectives. In any scenario, we’ll satisfy ourselves that we have a lawful basis on which to share the information and document our decision making and satisfy ourselves we have a legal basis on which to share the information.

In our capacity as UK supervisory authority for data protection, there are some circumstances where we must cooperate with and help other supervisory authorities in the EEA, in handling complaints and investigations. This may lead to sharing personal information if it is relevant to the complaint or investigation.

We may also share your information in the event of the non-payment of a Civil Monetary Penalty or Court order. If the debt remains outstanding after the specified timeframe for payment, no payment plan is in place or an agreed payment plan is not being adhered to, we may initiate formal proceedings to recover the full amount of the unpaid penalty. As a result the ICO will share personal data with the litigation and recovery specialists it instructs in order for them to identify assets and undertake recovery action through the courts.

As a public authority and controller we receive information requests under the Freedom of Information Act and the UK GDPR. Requests are considered on a case by case basis and we will only disclose your information where we are legally required to do so.

As a public authority we’re subject to audit and may share your information with auditors. What we share will depend on the nature and scope of the audit and we will take steps to minimise data sharing wherever possible.

We share personal data with The National Archives (TNA). As a public authority we must comply with the Public Records Act 1958. We are required to retain and transfer records of historical significance to TNA after 20 years in line with their Collection Policy. The full list of records in scope of permanent preservation can be found in section 14 of our Retention Schedule.