Your right to be informed if your personal data is being used

An organisation must inform you if it is using your personal data. It should provide detailed information on the following:

  • Why it is using your data.
  • What type/types of data it is using
  • How long your data will be kept
  • Information if it is going to transfer your data to third parties, including their names and the reasons for the transfer.
  • Information if it is going to transfer the data overseas, including the country involved and what will be done with the data.
  • Your information rights.
  • Where the data is from.
  • If it is using the data in profiling (a type of automated processing where your personal data is used to analyse or predict things such as your performance at work, economic situation, health, personal preferences and interests).
  • How to contact the organisation.
  • Your right to complain to the ICO.

This is called ‘privacy information’.

The organisation should give you privacy information at the time it collects your data. If it obtains your data from another source, it should provide privacy information within one month. It may do so in the form of a privacy notice.

This is called your ‘right to be informed’.

When can an organisation not inform you of its activities?

Generally, organisations must give you privacy information, but in some circumstances they don’t have to. These include where:

  • you already have the privacy information and nothing has changed
  • giving you the privacy information is impossible or would require “disproportionate effort”, or
  • giving you the privacy information would make it impossible to use your data or seriously damage the reasons for its use.

How should I raise my concern about how an organisation has handled my information?

You can use the template letter below to help you raise your concerns.

[Your full address]
[Phone number]
[The date]

[Name and address of the organisation]
[Reference number (if provided within the initial response)]

Dear [Sir or Madam / name of the person you have been in contact with]

Information rights concern
[Your full name and address and any other details such as account number to help identify you]

I am concerned that you have not handled my personal information properly.

[Give details of your concern, explaining clearly and simply what has happened and, where appropriate, the effect it has had on you.]

I understand that before reporting my concern to the Information Commissioner’s Office (ICO) I should give you the chance to deal with it.

If, when I receive your response, I would still like to report my concern to the ICO, I will give them a copy of it to consider.

You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.

Please send a full response within one calendar month. If you cannot respond within that timescale, please tell me when you will be able to respond.

If there is anything you would like to discuss, please contact me on the following number [telephone number].


Yours faithfully
[Signature]