Your right to be informed if your personal data is being used

An organisation must inform you if it is using your personal data. It should provide detailed information on the following:

  • Why it is using your data.
  • What type/types of data it is using
  • How long your data will be kept
  • Information if it is going to transfer your data to third parties, including their names and the reasons for the transfer.
  • Information if it is going to transfer the data overseas, including the country involved and what will be done with the data.
  • Your information rights.
  • Where the data is from.
  • If it is using the data in profiling (a type of automated processing where your personal data is used to analyse or predict things such as your performance at work, economic situation, health, personal preferences and interests).
  • How to contact the organisation.
  • Your right to complain to the ICO.

This is called ‘privacy information’.

The organisation should give you privacy information at the time it collects your data. If it obtains your data from another source, it should provide privacy information within one month. It may do so in the form of a privacy notice.

This is called your ‘right to be informed’.

When can an organisation not inform you of its activities?

Generally, organisations must give you privacy information, but in some circumstances they don’t have to. These include where:

  • you already have the privacy information and nothing has changed
  • giving you the privacy information is impossible or would require “disproportionate effort”, or
  • giving you the privacy information would make it impossible to use your data or seriously damage the reasons for its use.