<!doctype html> <!--[if lte IE 8 ]><html lang="en" class="ie8"><![endif]--> <!--[if lte IE 9 ]><html lang="en" class="ie9"><![endif]--> <!--[if (gt IE 9)|!(IE)]><!--> <html lang="en"> <head prefix="og: http://ogp.me/ns#"> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="initial-scale=1.0, width=device-width"> <title>Right to data portability | ICO</title> <meta name="DC.Subject" content="Right to data portability" /> <meta name="DC.Date" content="Tuesday, November 19, 2024" /> <meta name="DC.Creator" content="" /> <meta name="DC.Publisher" content="ICO" /> <meta name="DC.Title" content="Right to data portability" /> <meta name="DC.PageID" content="5690" /> <meta property="og:title" content="Right to data portability" /> <meta property="og:type" content="website" /> <meta property="og:url" content="https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-data-portability/" /> <meta property="og:description" content="" /> <meta property="og:image" content="" /> <meta name="twitter:title" content="Right to data portability" /> <meta name="twitter:description" content="" /> <meta name="robots" content="index" /> <link rel="shortcut icon" type="image/x-icon" href="/media2/lhphq55z/favicon.ico" /> <link rel="stylesheet" type="text/css" href="/css/site.css?v=2vrG7eADocFkX9vchR9h5gTORmu6STTHxmyTWJsW9nw" /> </head> <body id="top" class="bg-white min-h-screen "> <a class="flex items-center justify-center px-3 py-2 bg-secondary text-white text-xl sr-only focus:relative focus:w-full focus:h-fit" href="#main-content"> <span class="font-serif text-serif-base pr-2">Skip to main content</span> <span class="icon icon-arrow-down"></span> </a> <header class="w-full fixed md:static z-10 md:z-auto print:hidden"> <div class="bg-primary"> <div class="lg:container px-4 py-3.5 md:flex"> <div class="md:pr-8"> <a href="/"> <div class="bg-left bg-contain bg-no-repeat h-8 w-20 inline-block md:hidden" style="background-image: url('/media2/qkcg1rdf/logo-small.svg?width=80&amp;height=32&amp;v=1db03b868bf60c0');"></div> <div class="bg-left bg-contain bg-no-repeat h-24 w-40 hidden md:inline-block" style="background-image: url('/media2/myukqaa2/ico-header-logo.svg?width=160&amp;height=96&amp;v=1db03b866f17e90');"></div> <span class="sr-only">Home</span> </a> </div> <div class="grow items-stretch hidden md:flex"> <div class="font-serif text-center md:text-left text-white text-serif-base md:flex items-end md:pl-8 border-secondary border-dotted md:border-l-2"> <span>The ICO exists to empower you through information.</span> </div> </div> <div class="flex flex-col items-end md:pl-8"> <script type="application/json" id="language-settings"> {"cookieDomain":"ico.org.uk","options":[{"text":"English","href":"https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-data-portability/","icon":"icon-lang-en","value":"English"},{"text":"Cymraeg","href":"https://cy.ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-data-portability/","icon":"icon-lang-cy","value":"Welsh"}]} </script> <div id="language-toggle"></div> <div class="grow flex items-end"> <button type="button" id="search-toggle" class="absolute rounded p-2 top-3 right-12 md:hidden hover:bg-secondary" aria-controls="search"> <span id="search-icon" class="block icon icon-search text-white text-xl"></span> <span class="sr-only">Search</span> </button> <div id="search" class="motion-safe:transition-all motion-safe:duration-200 hidden md:block w-full sm:w-fit max-h-0 md:max-h-fit overflow-hidden md:overflow-auto"> <form action="https://icosearch.ico.org.uk/s/search.html" method="GET" id="search-form" class="pt-3.5 md:pt-0"> <input type="hidden" name="collection" value="ico-meta" /> <input type="hidden" name="profile" value="_default" /> <div class="flex"> <label for="search-query" class="sr-only">Search</label> <input type="search" name="query" id="search-query" class="grow min-w-0 px-2 py-1 border-t border-b border-l border-r-0 border-white/50 focus:border-white focus:ring-0 rounded-l bg-secondary motion-safe:transition-colors hocus:bg-white text-white hocus:text-black sm:w-60 md:w-48" /> <button type="submit" class="text-transparent bg-secondary rounded-r p-2 border-t border-b border-r border-white/50"> <span class="block text-white text-xl icon icon-search"></span> <span class="sr-only">Search</span> </button> </div> </form> </div> </div> </div> </div> </div> <div class="bg-secondary"> <div class="lg:container md:px-4"> <button type="button" id="navbar-toggle" class="absolute rounded p-2 top-3 right-3 md:hidden hover:bg-secondary" aria-controls="navbar"> <span class="block icon icon-menu text-white text-xl"></span> <span class="sr-only">Menu</span> </button> <nav id="navbar" class="bg-secondary motion-safe:transition-all motion-safe:duration-200 hidden md:block max-h-0 md:max-h-fit overflow-hidden md:overflow-auto"> <ul class="border-primary border-dotted border-t-2 md:border-t-0 md:flex md:flex-wrap"> <li class="md:flex"> <a href="/" class="relative flex justify-between items-center text-white text-serif-lg md:text-base whitespace-nowrap md:whitespace-normal pl-9 md:pl-3 pr-4 md:pr-3 py-2 md:py-1 font-serif md:font-sans before:absolute before:w-2.5 before:top-2 before:bottom-2 before:left-4 md:before:hidden md:border-y-5 md:border-transparent before:bg-theme-grey md:hover:border-t-theme-grey"> <span>Home</span> <span class="icon icon-arrow-right text-xl md:hidden"></span> </a> </li> <li class="md:flex"> <a href="/for-the-public/" class="relative flex justify-between items-center text-white text-serif-lg md:text-base whitespace-nowrap md:whitespace-normal pl-9 md:pl-3 pr-4 md:pr-3 py-2 md:py-1 font-serif md:font-sans before:absolute before:w-2.5 before:top-2 before:bottom-2 before:left-4 md:before:hidden md:border-y-5 md:border-transparent before:bg-theme-green md:hover:border-t-theme-green"> <span>For the public</span> <span class="icon icon-arrow-right text-xl md:hidden"></span> </a> </li> <li class="md:flex"> <a href="/for-organisations/" class="relative flex justify-between items-center text-white text-serif-lg md:text-base whitespace-nowrap md:whitespace-normal pl-9 md:pl-3 pr-4 md:pr-3 py-2 md:py-1 font-serif md:font-sans before:absolute before:w-2.5 before:top-2 before:bottom-2 before:left-4 md:before:hidden md:border-y-5 md:border-transparent before:bg-theme-yellow md:hover:border-t-theme-yellow bg-primary md:border-t-theme-yellow"> <span>For organisations</span> <span class="icon icon-arrow-right text-xl md:hidden"></span> </a> </li> <li class="md:flex"> <a href="/make-a-complaint/" class="relative flex justify-between items-center text-white text-serif-lg md:text-base whitespace-nowrap md:whitespace-normal pl-9 md:pl-3 pr-4 md:pr-3 py-2 md:py-1 font-serif md:font-sans before:absolute before:w-2.5 before:top-2 before:bottom-2 before:left-4 md:before:hidden md:border-y-5 md:border-transparent before:bg-theme-orange md:hover:border-t-theme-orange"> <span>Make a complaint</span> <span class="icon icon-arrow-right text-xl md:hidden"></span> </a> </li> <li class="md:flex"> <a href="/action-weve-taken/" class="relative flex justify-between items-center text-white text-serif-lg md:text-base whitespace-nowrap md:whitespace-normal pl-9 md:pl-3 pr-4 md:pr-3 py-2 md:py-1 font-serif md:font-sans before:absolute before:w-2.5 before:top-2 before:bottom-2 before:left-4 md:before:hidden md:border-y-5 md:border-transparent before:bg-theme-red md:hover:border-t-theme-red"> <span>Action we&#x27;ve taken</span> <span class="icon icon-arrow-right text-xl md:hidden"></span> </a> </li> <li class="md:flex"> <a href="/about-the-ico/" class="relative flex justify-between items-center text-white text-serif-lg md:text-base whitespace-nowrap md:whitespace-normal pl-9 md:pl-3 pr-4 md:pr-3 py-2 md:py-1 font-serif md:font-sans before:absolute before:w-2.5 before:top-2 before:bottom-2 before:left-4 md:before:hidden md:border-y-5 md:border-transparent before:bg-theme-blue md:hover:border-t-theme-blue"> <span>About the ICO</span> <span class="icon icon-arrow-right text-xl md:hidden"></span> </a> </li> </ul> </nav> </div> </div> </header> <main id="main-content" class="pt-20 md:pt-0 md:mt-7 mb-3 md:mb-4"> <div class="lg:container px-4 mb-4 print:hidden"> <nav aria-label="breadcrumb"> <ul class="-mx-1 flex flex-wrap text-sm"> <li class="mx-1"> <span class="after:content-['/'] after:ml-1"> <a href="/for-organisations/" class="text-link hover:underline">For organisations</a> </span> </li> <li class="mx-1"> <span class="after:content-['/'] after:ml-1"> <a href="/for-organisations/uk-gdpr-guidance-and-resources/" class="text-link hover:underline">UK GDPR guidance and resources</a> </span> </li> <li class="mx-1"> <span class="after:content-['/'] after:ml-1"> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/" class="text-link hover:underline">Individual rights - guidance and resources</a> </span> </li> <li class="mx-1"> <span class="after:content-['/'] after:ml-1"> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/" class="text-link hover:underline">A guide to individual rights</a> </span> </li> <li class="mx-1"> <span>Right to data portability</span> </li> </ul> </nav> </div> <div class="lg:container px-4"> <div class="border-dotted border-b-2 border-neutral-200 pb-2 sm:pb-3.5 md:pb-6 mb-2 sm:mb-3.5 md:mb-5"> <div class="md:flex md:items-center"> <h1 class="py-0.5 font-serif leading-none sm:border-l-10 sm:pl-3 text-serif-2xl sm:text-serif-3xl border-theme-yellow">Right to data portability</h1> <div class="md:pl-2 md:ml-auto mt-2 md:mt-2 print:hidden"> <a href="#0" id="download-options-toggle" class="font-serif text-serif-base text-link flex items-center"> Download options <span class="hidden">(Opens download panel)</span> <i class="inline-block icon icon-download text-xl text-white bg-pink-600 rounded-full p-2 ml-2"></i> </a> </div> </div> <div class="download-container bg-pink-600 mt-5 rounded-lg motion-safe:transition-all motion-safe:duration-200 overflow-hidden max-h-0 hidden" id="download-options-container"> <form method="post" action="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-data-portability/" class="p-3 text-white md:flex md:items-center" target="_blank"> <input type="hidden" name="currentUrl" value="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-data-portability/" /> <input type="hidden" name="nodeId" value="5690" /> <input type="hidden" name="formId" /> <input type="hidden" name="recordId" /> <fieldset class="md:flex md:items-center"> <legend class="font-serif text-serif-base contents">Pages</legend> <ul class="flex mt-1 md:mt-0 ml-2"> <li class="md:ml-2"> <input type="radio" name="pages" id="pages-all" value="all" class="hidden appearance-none cursor-pointer peer" checked> <label for="pages-all" class="cursor-pointer rounded p-2 pr-3 flex justify-center items-center peer-checked:bg-pink-700 text-sm md:text-base"> <i class="icon icon-book mr-2 text-base md:text-lg"></i>All pages </label> </li> <li class="ml-2"> <input type="radio" name="pages" id="pages-this" value="this" class="hidden appearance-none cursor-pointer peer"> <label for="pages-this" class="cursor-pointer rounded p-2 pr-3 flex justify-center items-center peer-checked:bg-pink-700 text-sm md:text-base"> <i class="icon icon-file-blank mr-2 text-base md:text-lg"></i>This page </label> </li> </ul> </fieldset> <fieldset class="md:ml-10 md:flex md:items-center mt-3 md:mt-0"> <legend class="font-serif text-serif-base contents">Format</legend> <ul class="flex mt-1 md:mt-0 ml-2"> <li class="md:ml-2"> <input type="radio" name="types" id="types-pdf" value="pdf" class="hidden appearance-none cursor-pointer peer" checked> <label for="types-pdf" class="cursor-pointer rounded p-2 pr-3 flex justify-center items-center peer-checked:bg-pink-700 text-sm md:text-base"> <i class="icon icon-file-pdf mr-2 text-base md:text-lg"></i>PDF </label> </li> </ul> </fieldset> <div class="ml-auto mt-3 md:mt-0"> <button class="btn bg-primary flex items-center text-base md:text-lg"> Download <i class="icon icon-download text-white ml-2 text-lg"></i> </button> </div> </form> </div> </div> <div class="grid grid-cols-4"> <div class="col-span-4 md:hidden border-b-2 border-dotted border-neutral-200 flex justify-between pb-2 mb-4 cursor-pointer print:hidden" id="multipage-nav-toggle"> <p class="text-sm text-primary justify-start">Contents</p> <div class="justify-end"> <span class="icon icon-search text-primary" id="multipage-search-button"></span> <span class="icon icon-pointer-down text-primary"></span> </div> </div> <aside class="col-span-4 md:col-span-1 hidden md:block motion-safe:transition-all motion-safe:duration-200 overflow-hidden md:overflow-auto max-h-0 md:max-h-fit mb-6 md:mb-0" id="multipage-nav"> <form id="multipage-search" class="mb-3 flex" method="get"> <label for="multipage-search-input" class="sr-only">Search this document</label> <input type="search" name="search" value="" class="w-full py-2 px-2 text-sm bg-slate-100 border-r-0" id="multipage-search-input" /> <button type="submit" title="Search" class="icon icon-search px-2 bg-slate-100 border border-solid border-l-0 border-slate-700"> </button> </form> <nav> <ul> <li> <div class="mb-2 pb-2 border-b-2 border-dotted border-neutral-200"> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/" class="pt-2 pr-2 pb-2 flex justify-between text-sm border-l-4 border-solid text-link border-transparent hover:border-neutral-200 hover:bg-neutral-100 pl-[10px]" data-id="5616"> <span>A guide to individual rights</span> </a> </div> <ul> <li> <div> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-be-informed/" class="pt-2 pr-2 pb-2 flex justify-between text-sm border-l-4 border-solid text-link border-transparent hover:border-neutral-200 hover:bg-neutral-100 pl-[10px]" data-id="5661"> <span>Right to be informed</span> </a> </div> </li> </ul> <ul> <li> <div> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-of-access/" class="pt-2 pr-2 pb-2 flex justify-between text-sm border-l-4 border-solid text-link border-transparent hover:border-neutral-200 hover:bg-neutral-100 pl-[10px]" data-id="5669"> <span>Right of access</span> </a> </div> </li> </ul> <ul> <li> <div> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-rectification/" class="pt-2 pr-2 pb-2 flex justify-between text-sm border-l-4 border-solid text-link border-transparent hover:border-neutral-200 hover:bg-neutral-100 pl-[10px]" data-id="5674"> <span>Right to rectification</span> </a> </div> </li> </ul> <ul> <li> <div> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-erasure/" class="pt-2 pr-2 pb-2 flex justify-between text-sm border-l-4 border-solid text-link border-transparent hover:border-neutral-200 hover:bg-neutral-100 pl-[10px]" data-id="5678"> <span>Right to erasure</span> </a> </div> </li> </ul> <ul> <li> <div> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-restrict-processing/" class="pt-2 pr-2 pb-2 flex justify-between text-sm border-l-4 border-solid text-link border-transparent hover:border-neutral-200 hover:bg-neutral-100 pl-[10px]" data-id="5683"> <span>Right to restrict processing</span> </a> </div> </li> </ul> <ul> <li> <div> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-data-portability/" class="pt-2 pr-2 pb-2 flex justify-between text-sm border-l-4 border-solid bg-neutral-100 text-neutral-600 border-theme-yellow pl-[10px]" data-id="5690"> <span>Right to data portability</span> </a> </div> </li> </ul> <ul> <li> <div> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-object/" class="pt-2 pr-2 pb-2 flex justify-between text-sm border-l-4 border-solid text-link border-transparent hover:border-neutral-200 hover:bg-neutral-100 pl-[10px]" data-id="5700"> <span>Right to object</span> </a> </div> </li> </ul> <ul> <li> <div> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/rights-related-to-automated-decision-making-including-profiling/" class="pt-2 pr-2 pb-2 flex justify-between text-sm border-l-4 border-solid text-link border-transparent hover:border-neutral-200 hover:bg-neutral-100 pl-[10px]" data-id="5705"> <span>Rights related to automated decision making including profiling</span> </a> </div> </li> </ul> </li> </ul> </nav> </aside> <div class="col-span-4 md:col-span-3 md:pl-10"> <div class="mb-10"> <div class="umb-block-grid" data-grid-columns="12;" style="--umb-block-grid--grid-columns: 12;"> <div class="umb-block-grid__layout-container"> <div class="umb-block-grid__layout-item" data-content-element-type-alias="richTextBlock" data-content-element-type-key="d7ec1d8a-2a00-439e-95b4-9f3537f5ece4" data-element-udi="umb://element/e6a8173680474446802bc3ac49b5d64e" data-col-span="12" data-row-span="1" style=" --umb-block-grid--item-column-span: 12; --umb-block-grid--item-row-span: 1; "> <div class="prose prose-sm md:prose-base prose-h2:font-serif sm:prose-h2:border-l-10 sm:prose-h2:pl-3 sm:prose-h2:-ml-3 sm:prose-h2:relative sm:prose-h2:left-[-10px] prose-h3:font-serif sm:prose-lead:border-l-10 sm:prose-lead:pl-3 sm:prose-lead:-ml-3 sm:prose-lead:relative sm:prose-lead:left-[-10px] prose-hr:my-4 prose-h2:border-theme-yellow-light prose-lead:border-theme-yellow-light prose-theme-yellow sm:ml-[10px] sm:pl-3"> <h2>At a glance</h2><ul> <li>The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.</li> <li>It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.</li> <li>Doing this enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits.</li> <li>The right only applies to information an individual has provided to a controller.</li> <li>Some organisations in the UK already offer data portability through midata and similar initiatives which allow individuals to view, access and use their personal consumption and transaction data in a way that is portable and safe.</li> </ul><h2>Checklists</h2><div class="rt-block rt-letter"> <h3>Preparing for requests for data portability</h3> <p><span>☐</span> We know how to recognise a request for data portability and we understand when the right applies.</p> <p><span>☐</span> We have a policy for how to record requests we receive verbally.</p> <p><span>☐</span> We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.</p> <h3>Complying with requests for data portability</h3> <p><span>☐</span> We can transmit personal data in structured, commonly used and machine readable formats.</p> <p><span>☐</span> We use secure methods to transmit personal data.</p> <p><span>☐</span> We have processes in place to ensure that we respond to a request for data portability without undue delay and within one month of receipt.</p> <p><span>☐</span> We are aware of the circumstances when we can extend the time limit to respond to a request.</p> </div><h2>In brief</h2><ul> <li><a href="#ib1">What is the right to data portability?</a></li> <li><a href="#ib2">When does the right apply?</a></li> <li><a href="#ib3">What does the right apply to?</a></li> <li><a href="#ib4">What does ‘provided to a controller’ mean?</a></li> <li><a href="#ib5">Does the right apply to anonymous or pseudonymous data?</a></li> <li><a href="#ib6">What happens if the personal data includes information about others?</a></li> <li><a href="#ib7">What is an individual entitled to?</a></li> <li><a href="#ib8">What are the limits when transmitting personal data to another controller?</a></li> <li><a href="#ib9">Do we have responsibility for the personal data we transmit to others?</a></li> <li><a href="#ib10">How should we provide the data?</a></li> <li><a href="#ib11">What does ‘structured’ mean?</a></li> <li><a href="#ib12">What does ‘commonly used’ mean?</a></li> <li><a href="#ib13">What does ‘machine-readable’ mean?</a></li> <li><a href="#ib14">Should we use an ‘interoperable’ format?</a></li> <li><a href="#ib15">What formats can we use?</a></li> <li><a href="#ib16">What is CSV?</a></li> <li><a href="#ib17">What is XML?</a></li> <li><a href="#ib18">What is JSON?</a></li> <li><a href="#ib19">Are these the only formats we can use?</a></li> <li><a href="#ib20">What responsibilities do we have when we receive personal data because of a data portability request?</a></li> <li><a href="#ib21">When can we refuse to comply with a request for data portability?</a></li> <li><a href="#unfounded">What does manifestly unfounded mean?</a></li> <li><a href="#excessive">What does excessive mean?</a></li> <li><a href="#ib22">What should we do if we refuse to comply with a request for data portability?</a></li> <li><a href="#ib23">How do we recognise a request?</a></li> <li><a href="#ib24">Can we charge a fee?</a></li> <li><a href="#ib25">How long do we have to comply?</a></li> <li><a href="#ib26">Can we extend the time for a response?</a></li> <li><a href="#ib27">Can we ask an individual for ID?</a></li> </ul><h3><a id="ib1"></a>What is the right to data portability?</h3><p>The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine readable format. It also gives them the right to request that a controller transmits this data directly to another controller.</p><h3><a id="ib2"></a>When does the right apply?</h3><p>The right to data portability only applies when:</p><ul> <li>your lawful basis for processing this information is consent <strong>or</strong> for the performance of a contract; and</li> <li>you are carrying out the processing by automated means (ie excluding paper files).</li> </ul><h3><a id="ib3"></a>What does the right apply to?</h3><p>Information is only within the scope of the right to data portability if it is personal data of the individual that they have provided to you.</p><h3><a id="ib4"></a>What does ‘provided to a controller’ mean?</h3><p>Sometimes the personal data an individual has provided to you will be easy to identify (eg their mailing address, username, age). However, the meaning of data ‘provided to’ you is not limited to this. It is also personal data resulting from observation of an individual’s activities (eg where using a device or service).</p><p>This may include:</p><ul> <li>history of website usage or search activities;</li> <li>traffic and location data; or</li> <li>‘raw’ data processed by connected objects such as smart meters and wearable devices.</li> </ul><p>It does not include any additional data that you have created based on the data an individual has provided to you. For example, if you use the data they have provided to create a user profile then this data would not be in scope of data portability.</p><p>You should however note that if this ‘inferred’ or ‘derived’ data is personal data, you still need to provide it to an individual if they make a subject access request. Bearing this in mind, if it is clear that the individual is seeking access to the inferred/derived data, as part of a wider portability request, you <strong>must</strong> include this data in your response.</p><h3><a id="ib5"></a>Does the right apply to anonymous or pseudonymous data?</h3><p>The right to data portability only applies to personal data. This means that it does not apply to genuinely anonymous data. However, pseudonymous data that can be clearly linked back to an individual (eg where that individual provides the respective identifier) is within scope of the right.</p><h3><a id="ib6"></a>What happens if the personal data includes information about others?</h3><p>If the requested information includes information about others (eg third party data) you need to consider whether transmitting that data would adversely affect the rights and freedoms of those third parties.</p><p>Generally speaking, providing third party data to the individual making the portability request should not be a problem, assuming that the requestor provided this data to you within their information in the first place. However, you should always consider whether there will be an adverse effect on the rights and freedoms of third parties, in particular when you are transmitting data directly to another controller.</p><p>If the requested data has been provided to you by multiple data subjects (eg a joint bank account) you need to be satisfied that all parties agree to the portability request. This means that you may have to seek agreement from all the parties involved.</p><h3><a id="ib7"></a>What is an individual entitled to?</h3><p>The right to data portability entitles an individual to:</p><ul> <li>receive a copy of their personal data; and/or</li> <li>have their personal data transmitted from one controller to another controller.</li> </ul><p>Individuals have the right to receive their personal data and store it for further personal use. This allows the individual to manage and reuse their personal data. For example, an individual wants to retrieve their contact list from a webmail application to build a wedding list or to store their data in a personal data store.</p><p>You can achieve this by either:</p><ul> <li>directly transmitting the requested data to the individual; or</li> <li>providing access to an automated tool that allows the individual to extract the requested data themselves.</li> </ul><p>This does not create an obligation for you to allow individuals more general and routine access to your systems – only for the extraction of their data following a portability request.</p><p>You may have a preferred method of providing the information requested depending on the amount and complexity of the data requested. In either case, you need to ensure that the method is secure.</p><h3><a id="ib8"></a>What are the limits when transmitting personal data to another controller?</h3><p>Individuals have the right to ask you to transmit their personal data directly to another controller without hindrance. If it is technically feasible, you should do this.</p><p>You should consider the <strong>technical feasibility</strong> of a transmission on a request by request basis. The right to data portability does not create an obligation for you to adopt or maintain processing systems which are technically compatible with those of other organisations (UK GDPR Recital 68). However, you should take a reasonable approach, and this should not generally create a barrier to transmission.</p><p><strong>Without hindrance</strong> means that you should not put in place any legal, technical or financial obstacles which slow down or prevent the transmission of the personal data to the individual, or to another organisation.</p><p>However, there may be legitimate reasons why you cannot undertake the transmission. For example, if the transmission would adversely affect the rights and freedoms of others. It is however your responsibility to justify why these reasons are legitimate and why they are not a ‘hindrance’ to the transmission.</p><h3><a id="ib9"></a>Do we have responsibility for the personal data we transmit to others?</h3><p>If you provide information directly to an individual or to another organisation in response to a data portability request, you are not responsible for any subsequent processing carried out by the individual or the other organisation. However, you are responsible for the transmission of the data and need to take appropriate measures to ensure that it is transmitted securely and to the right destination.</p><p>If you provide data to an individual, it is possible that they will store the information in a system with less security than your own. Therefore, you should make individuals aware of this so that they can take steps to protect the information they have received. </p><p>You also need to ensure that you comply with the other provisions in the UK GDPR. For example, whilst there is no specific obligation under the right to data portability to check and verify the quality of the data you transmit, you should already have taken reasonable steps to ensure the accuracy of this data in order to comply with the requirements of the accuracy principle of the UK GDPR.</p><h3><a id="ib10"></a>How should we provide the data?</h3><p>You should provide the personal data in a format that is:</p><ul> <li>structured;</li> <li>commonly used; and</li> <li>machine-readable.</li> </ul><p>Although these terms are not defined in the UK GDPR these three characteristics can help you decide whether the format you intend to use is appropriate.</p><p>You can also find relevant information in the ‘Open Data Handbook’, published by Open Knowledge International. The handbook is a guide to ‘open data’, information that is free to access and can be re-used for any purpose – particularly information held by the public sector. The handbook contains a number of definitions that are relevant to the right to data portability, and this guidance includes some of these below.  </p><h3><a id="ib11"></a>What does ‘structured’ mean?</h3><p>Structured data allows for easier transfer and increased usability.</p><p>The Open Data Handbook defines ‘structured data’ as:</p><blockquote> <p>‘data where the structural relation between elements is explicit in the way the data is stored on a computer disk.’</p> </blockquote><p>This means that software must be able to extract specific elements of the data. An example of a structured format is a spreadsheet, where the data is organised into rows and columns, ie it is ‘structured’. In practice, some of the personal data you process will already be in structured form.</p><p>In many cases, if a format is structured it is also machine-readable.</p><h3><a id="ib12"></a>What does ‘commonly used’ mean?</h3><p>This simply means that the format you choose must be widely-used and well-established.</p><p>However, just because a format is ‘commonly used’ does not mean it is appropriate for data portability. You have to consider whether it is ‘structured’, and ‘machine-readable’ as well. Although you may be using common software applications, which save data in commonly-used formats, these may not be sufficient to meet the requirements of data portability.</p><h3><a id="ib13"></a>What does ‘machine-readable’ mean?</h3><p>The Open Data Handbook states that ‘machine readable’ data is:</p><blockquote> <p>‘Data in a data format that can be automatically read and processed by a computer.’</p> </blockquote><p>Furthermore, Regulation 2 of the Re-use of Public Sector Information Regulations 2015 defines ‘machine-readable format’ as:</p><blockquote> <p>‘A file format structured so that software applications can easily identify, recognise and extract specific data, including individual statements of fact, and their internal structure.’</p> </blockquote><p>Machine-readable data can be made directly available to applications that request that data over the web. This is undertaken by means of an application programming interface (“API”).</p><p>If you are able to implement such a system then you can facilitate data exchanges with individuals and respond to data portability requests in an easy manner.</p><h3><a id="ib14"></a>Should we use an ‘interoperable’ format?</h3><p>Although you are not required to use an interoperable format, this is encouraged by the UK GDPR, which seeks to promote the concept of interoperability. Recital 68 says:</p><blockquote> <p>‘Data controllers should be encouraged to develop interoperable formats that enable data portability.’</p> </blockquote><p>Interoperability allows different systems to share information and resources. An ‘interoperable format’ is a type of format that allows data to be exchanged between different systems and be understandable to both.</p><p>At the same time, you are not expected to maintain systems that are technically compatible with those of other organisations. Data portability is intended to produce interoperable systems, not compatible ones.</p><h3><a id="ib15"></a>What formats can we use?</h3><p>You may already be using an appropriate format within your networks and systems, and/or you may be required to use a particular format due to the particular industry or sector you are part of. Provided it meets the requirements of being structured, commonly-used and machine readable then it could be appropriate for a data portability request.</p><p>The UK GDPR does not require you to use open formats internally. Your processing systems may indeed use proprietary formats which individuals may not be able to access if you provide data to them in these formats. In these cases you need to perform some additional processing on the personal data in order to put it into the type of format required by the UK GDPR.</p><p>Where no specific format is in common use within your industry or sector, you should provide personal data using open formats such as CSV, XML and JSON. You may also find that these formats are the easiest for you to use when answering data portability requests.</p><p>For further information on CSV, XML and JSON, please see below.</p><h3><a id="ib16"></a>What is CSV?</h3><p>CSV stands for ‘Comma Separated Values’. It is defined by the Open Data Handbook as:</p><blockquote> <p>‘a standard format for spreadsheet data. Data is represented in a plain text file, with each data row on a new line and commas separating the values on each row. As a very simple open format it is easy to consume and is widely used for publishing open data.’</p> </blockquote><p>CSV is used to exchange data and is widely supported by software applications. Although CSV is not standardised it is nevertheless structured, commonly used and machine-readable and is therefore an appropriate format for you to use when responding to a data portability request.</p><h3><a id="ib17"></a>What is XML?</h3><p>XML stands for ‘Extensible Markup Language’. It is defined by the Open Data Handbook as:</p><blockquote> <p>‘a simple and powerful standard for representing structured data.’</p> </blockquote><p>It is a file format that is intended to be both human readable and machine-readable. Unlike CSV, XML is defined by a set of open standards maintained by the World Wide Web Consortium (“W3C”). It is widely used for documents, but can also be used to represent data structures such as those used in web services.</p><p>This means XML can be processed by APIs, facilitating data exchange. For example, you may develop or implement an API to exchange personal data in XML format with another organisation. In the context of data portability, this can allow you to transmit personal data to an individual’s personal data store, or to another organisation if the individual has asked you to do so.</p><h3><a id="ib18"></a>What is JSON?</h3><p>JSON stands for ‘JavaScript Object Notation’. The Open Data Handbook defines JSON as:</p><blockquote> <p>‘a simple but powerful format for data. It can describe complex data structures, is highly machine-readable as well as reasonably human-readable, and is independent of platform and programming language, and is therefore a popular format for data interchange between programs and systems.’</p> </blockquote><p>It is a file format based on the JavaScript language that many web sites use and is used as a data interchange format. As with XML, it can be read by humans or machines. It is also a standardised open format maintained by the W3C.</p><h3><a id="ib19"></a>Are these the only formats we can use?</h3><p>CSV, XML and JSON are three examples of structured, commonly used and machine-readable formats that are appropriate for data portability. However, this does not mean you are obliged to use them. Other formats exist that also meet the requirements of data portability.</p><div class="rt-example"> <p><strong>Example</strong></p> <p>The RDF or ‘Resource Description Framework’ format is also a structured, commonly-used, machine-readable format. It is an open standard published by the W3C and is intended to provide interoperability between applications exchanging information.</p> </div><p>You should however consider the nature of the portability request. If the individual cannot make use of the format, even if it is structured, commonly-used and machine-readable then the data will be of no use to them.</p><div class="rt-block rt-green"> <p><strong>Further reading</strong></p> <p>The Open Data Handbook is published by Open Knowledge International and is a guide to ‘open data’. The Handbook is updated regularly and you can read it here:</p> <p><a href="http://opendatahandbook.org">http://opendatahandbook.org</a></p> <p>W3C candidate recommendation for XML is available here:</p> <p><a href="http://www.w3.org/TR/2008/REC-xml-20081126/">http://www.w3.org/TR/2008/REC-xml-20081126/</a></p> <p>W3C’s specification of the JSON data interchange format is available here:</p> <p><a href="https://tools.ietf.org/html/rfc7159">https://tools.ietf.org/html/rfc7159</a></p> <p>W3C’s list of specifications for RDF is available here:</p> <p><a href="http://www.w3.org/standards/techs/rdf#w3c_all">http://www.w3.org/standards/techs/rdf#w3c_all</a></p> </div><h3><a id="ib20"></a>What responsibilities do we have when we receive personal data because of a data portability request?</h3><p>When you receive personal data that has been transmitted as part of a data portability request, you need to process this data in line with data protection requirements.</p><p>In deciding whether to accept and retain personal data, you should consider whether the data is relevant and not excessive in relation to the purposes for which you will process it. You also need to consider whether the data contains any third party information.</p><p>As a new controller, you need to ensure that you have an appropriate lawful basis for processing any third party data and that this processing does not adversely affect the rights and freedoms of those third parties. If you have received personal data which you have no reason to keep, you should delete it as soon as possible. When you accept and retain data, it becomes your responsibility to ensure that you comply with the requirements of the UK GDPR.</p><p>In particular, if you receive third party data you should not use this for your own purposes. You should keep the third party data under the sole control of the individual who has made the portability request, and only used for their own purposes.</p><div class="rt-example"> <p><strong>Example</strong></p> <p>An individual enters into a contract with a controller for the provision of a service. The controller relies on Article 6(1)(b) to process the individual’s personal data. The controller receives information from a data portability request that includes information about third parties. The controller has a legitimate interest to process the third party data under Article 6(1)(f) so that it can provide this service to the individual. However, it should not then use this data to send direct marketing to the third parties.</p> </div><h3><a id="ib21"></a>When can we refuse to comply with a request for data portability?</h3><p>If an exemption applies, you can refuse to comply with a request for data portability (wholly or partly). Not all of the exemptions apply in the same way, and you should look at each exemption carefully to see how it applies to a particular request. For more information, please see our guidance on <a href="/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/exemptions/">Exemptions</a>.</p><p>You can also refuse to comply with a request if it is:</p><ul> <li>manifestly unfounded; or</li> <li>excessive.</li> </ul><p>In order to decide if a request is manifestly unfounded or excessive you must consider each request on a case-by-case basis. You should not have a blanket policy.</p><p>You must be able to demonstrate to the individual why you consider the request is manifestly unfounded or excessive and, if asked, explain your reasons to the Information Commissioner.</p><h3><span><a id="unfounded"></a>What does manifestly unfounded mean?</span></h3><p>A request may be manifestly unfounded if:</p><ul> <li>the individual clearly has no intention to exercise their right to data portability. For example an individual makes a request, but then offers to withdraw it in return for some form of benefit from the organisation; or</li> <li>the request is malicious in intent and is being used to harass an organisation with no real purposes other than to cause disruption. For example: <ul> <li>the individual has explicitly stated, in the request itself or in other communications, that they intend to cause disruption;</li> <li>the request makes unsubstantiated accusations against you or specific employees;</li> <li>the individual is targeting a particular employee against whom they have some personal grudge; or</li> <li>the individual systematically sends different requests to you as part of a campaign, eg once a week, with the intention of causing disruption.</li> </ul> </li> </ul><p>This is not a simple tick list exercise that automatically means a request is manifestly unfounded. You must consider a request in the context in which it is made, and you are responsible for demonstrating that it is manifestly unfounded.</p><p>Also, you should not presume that a request is manifestly unfounded because the individual has previously submitted requests which have been manifestly unfounded or excessive or if it includes aggressive or abusive language.</p><p>The inclusion of the word “manifestly” means there must be an obvious or clear quality to it being unfounded. You should consider the specific situation and whether the individual genuinely wants to exercise their rights. If this is the case, it is unlikely that the request will be manifestly unfounded.</p><div class="rt-example"> <p><strong>Example</strong></p> <p>An individual believes that information held about them is inaccurate. They repeatedly request its correction but you have previously investigated and told them you regard it as accurate.</p> <p>The individual continues to make requests along with unsubstantiated claims against you as the controller.</p> <p>You refuse the most recent request because it is manifestly unfounded and you notify the individual of this.</p> </div><h3><a id="excessive"></a>What does excessive mean?</h3><p>A request may be excessive if:</p><ul> <li>it repeats the substance of previous requests; or</li> <li>it overlaps with other requests.</li> </ul><p>However, it depends on the particular circumstances. It will <strong>not necessarily</strong> be excessive just because the individual:</p><ul> <li>makes a request about the same issue. An individual may have legitimate reasons for making requests that repeat the content of previous requests. For example, if the controller has not handled previous requests properly;</li> <li>makes an overlapping request, if it relates to a completely separate set of information; or</li> <li>previously submitted requests which have been manifestly unfounded or excessive.</li> </ul><h3><a id="ib22"></a>What should we do if we refuse to comply with a request for data portability?</h3><p>You must inform the individual without undue delay and within one month of receipt of the request.                    </p><p>You should inform the individual about:</p><ul> <li>the reasons you are not taking action;</li> <li>their right to make a complaint to the ICO or another supervisory authority; and</li> <li>their ability to seek to enforce this right through a judicial remedy.</li> </ul><p>You should also provide this information if you request a reasonable fee or need additional information to identify the individual.</p><h3><a id="ib23"></a>How do we recognise a request?</h3><p>The UK GDPR does not specify how individuals should make data portability requests. Therefore, requests could be made verbally or in writing. They can also be made to any part of your organisation and do not have to be to a specific person or contact point.</p><p>A request does not have to include the phrase 'request for data portability' or a reference to ‘Article 20 of the UK GDPR’, as long as one of the conditions listed above apply.</p><p>This presents a challenge as any of your employees could receive a valid request. However, you have a legal responsibility to identify that an individual has made a request to you and handle it accordingly. Therefore you may need to consider which of your staff who regularly interact with individuals may need specific training to identify a request.</p><p>Additionally, it is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request, as this can help avoid later disputes about how you have interpreted the request. We also recommend that you keep a log of verbal requests.</p><p>In practice, you may already have processes in place to enable your staff to recognise subject access requests, such as training or established procedures. You could consider adapting them to ensure your staff also recognise data portability requests.</p><h3><a id="ib24"></a>Can we charge a fee?</h3><p>In most cases you cannot charge a fee to comply with a request for data portability.</p><p>However, you can charge a “reasonable fee” for the administrative costs of complying with the request if it is manifestly unfounded or excessive. You should base the reasonable fee on the administrative costs of complying with the request.</p><p>If you decide to charge a fee you should contact the individual promptly and inform them. You do not need to comply with the request until you have received the fee.</p><p>Alternatively, you can refuse to comply with a manifestly unfounded or excessive request.</p><h3><a id="ib25"></a>How long do we have to comply?</h3><p>You must comply with a request for data portability without undue delay and at the latest within one month of receipt of the request or (if later) within one month of receipt of:</p><ul> <li>any information requested to confirm the requester’s identity (see<span><span> <a href="#ib27">Can we ask an individual for ID?</a></span></span>); or</li> <li>a fee (only in certain circumstances – see <a href="#ib24">Can we charge a fee?</a>)</li> </ul><p>You should calculate the time limit from the day you receive the request (whether it is a working day or not) until the corresponding calendar date in the next month</p><div class="rt-example"> <p><strong>Example</strong> </p> <p>An organisation receives a request on 3 September. The time limit will start from the same day. This gives the organisation until 3 October to comply with the request.</p> </div><p>If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month.</p><p>If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond.</p><p>This means that the exact number of days you have to comply with a request varies, depending on the month in which the request was made.</p><div class="rt-example"> <p><strong>Example</strong></p> <p>An organisation receives a request on 31 March. The time limit starts from the same day. As there is no equivalent date in April, the organisation has until 30 April to comply with the request.</p> <p>If 30 April falls on a weekend, or is a public holiday, the organisation has until the end of the next working day to comply.</p> </div><p>For practical purposes, if a consistent number of days is required (eg for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.</p><h3><a id="ib26"></a>Can we extend the time for a response?</h3><p>You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. You must let the individual know within one month of receiving their request and explain why the extension is necessary.</p><h3><a id="ib27"></a>Can we ask an individual for ID?</h3><p>If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You should take into account what data you hold, the nature of the data, and what you are using it for.</p><p>You need to let the individual know as soon as possible that you need more information from them to confirm their identity before responding to their request. The period for responding to the request begins when you receive the additional information.</p> </div> </div> <div class="umb-block-grid__layout-item" data-content-element-type-alias="furtherReadingBlock" data-content-element-type-key="349dc532-9e3f-4f24-9fa4-2e5b86aa0eda" data-element-udi="umb://element/2bed65dc9e014695a31acb7058270ef3" data-col-span="12" data-row-span="1" style=" --umb-block-grid--item-column-span: 12; --umb-block-grid--item-row-span: 1; "> <further-Reading x-href="https://www.legislation.gov.uk/eur/2016/679/contents" x-target="_blank" x-title="Relevant provisions in the UK GDPR - See Articles 13, 20 and Recital 68" x-location="External link"></further-Reading> </div> <div class="umb-block-grid__layout-item" data-content-element-type-alias="richTextBlock" data-content-element-type-key="d7ec1d8a-2a00-439e-95b4-9f3537f5ece4" data-element-udi="umb://element/6d601b9cced248d7b92bbc0de3b2893b" data-col-span="12" data-row-span="1" style=" --umb-block-grid--item-column-span: 12; --umb-block-grid--item-row-span: 1; "> <div class="prose prose-sm md:prose-base prose-h2:font-serif sm:prose-h2:border-l-10 sm:prose-h2:pl-3 sm:prose-h2:-ml-3 sm:prose-h2:relative sm:prose-h2:left-[-10px] prose-h3:font-serif sm:prose-lead:border-l-10 sm:prose-lead:pl-3 sm:prose-lead:-ml-3 sm:prose-lead:relative sm:prose-lead:left-[-10px] prose-hr:my-4 prose-h2:border-theme-yellow-light prose-lead:border-theme-yellow-light prose-theme-yellow sm:ml-[10px] sm:pl-3"> <div class="rt-block rt-amber"> <p><strong>In more detail – <span>European Data Protection Board<span> </span></span></strong></p> <p>The European Data Protection Board (EDPB) includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR. EDPB guidelines are no longer directly relevant to the UK regime and are not  binding under the UK regime. However, they may still provide helpful guidance on certain issues.</p> <p>The EDPB has published <a href="http://ec.europa.eu/newsroom/document.cfm?doc_id=44099">guidelines</a> and <a href="http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp242_annex_en_40854.pdf">FAQs</a> on data portability for organisations.</p> </div><div class="rt-block rt-green"> <p><strong>Further reading – ICO guidance</strong></p> <p>The <a href="https://ico.org.uk/for-organisations/accountability-framework/individuals-rights/#portability" title="Individual rights">Accountability Framework</a> looks at the ICO’s expectations in relation to right to portability.</p> </div> </div> </div> </div> </div> </div> <nav class="print:hidden inline-flex flex-col items-start gap-5"> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-restrict-processing/" class="group text-primary"> <div class="flex items-center"> <i class="icon icon-arrow-left text-4xl"></i> <span class="pl-3 flex flex-col"> <span class="text-lg font-semibold">Previous</span> <span class="text-sm underline underline-offset-4 decoration-dotted decoration-1 group-hover:decoration-solid">Right to restrict processing</span> </span> </div> </a> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-object/" class="group text-primary"> <div class="flex items-center"> <i class="icon icon-arrow-right text-4xl"></i> <span class="pl-3 flex flex-col"> <span class="text-lg font-semibold">Next</span> <span class="text-sm underline underline-offset-4 decoration-dotted decoration-1 group-hover:decoration-solid">Right to object</span> </span> </div> </a> </nav> </div> </div> </div> </main> <a href="#top" id="button-top" class="transition-opacity duration-500 flex items-center justify-center fixed right-4 bottom-4 z-10 rounded-full outline outline-white w-8 h-8 bg-primary opacity-0 hidden print:hidden"> <span class="icon icon-arrow-up text-white"></span> <span class="sr-only">Back to top</span> </a> <footer class="sticky top-[100vh] print:hidden"> <div class="lg:container px-4 border-t-2 border-dotted border-neutral-200 mt-6"> <div class="py-3"> <button onClick="window.print()" class="flex items-center group"> <i class="icon icon-printer text-lg text-white rounded-full p-1 bg-neutral-400"></i> <span class="ml-2 text-sm text-link group-hover:underline">Print this page</span> </button> </div> </div> <div class="bg-neutral-100"> <div class="lg:container px-4"> <div class="py-5 flex"> <div class="hidden md:block flex-auto"> <ul class="grid gap-4 grid-cols-4"> <li> <div class="mb-3"> <a href="/for-the-public/" class="font-serif text-serif-base text-link hover:underline">For the public</a> </div> <ul class="text-sm text-neutral-600 -mt-1"> <li class="mt-1"> <a href="/for-the-public/official-information/" class="hover:underline">Official information</a> </li> <li class="mt-1"> <a href="/for-the-public/nuisance-calls/" class="hover:underline">Nuisance calls</a> </li> </ul> </li> <li> <div class="mb-3"> <a href="/for-organisations/" class="font-serif text-serif-base text-link hover:underline">For organisations</a> </div> <ul class="text-sm text-neutral-600 -mt-1"> <li class="mt-1"> <a href="/for-organisations/uk-gdpr-guidance-and-resources/" class="hover:underline">UK GDPR guidance and resources</a> </li> <li class="mt-1"> <a href="/for-organisations/foi/" class="hover:underline">Freedom of information</a> </li> <li class="mt-1"> <a href="/for-organisations/eir-and-access-to-information/" class="hover:underline">EIR and access to information</a> </li> <li class="mt-1"> <a href="/for-organisations/direct-marketing-and-privacy-and-electronic-communications/" class="hover:underline">Direct marketing</a> </li> <li class="mt-1"> <a href="/for-organisations/advice-and-services/" class="hover:underline">Advice and services</a> </li> </ul> </li> <li> <div class="mb-3"> <a href="/action-weve-taken/" class="font-serif text-serif-base text-link hover:underline">Action we&#x27;ve taken</a> </div> <ul class="text-sm text-neutral-600 -mt-1"> <li class="mt-1"> <a href="/action-weve-taken/enforcement/" class="hover:underline">Enforcement action</a> </li> <li class="mt-1"> <a href="https://icosearch.ico.org.uk/s/search.html?collection=ico-meta&amp;profile=decisions&amp;query" class="hover:underline">Decision notices</a> </li> <li class="mt-1"> <a href="https://ico.org.uk/action-weve-taken/audits-and-overview-reports/" class="hover:underline">Audits</a> </li> </ul> </li> <li> <div class="mb-3"> <a href="/about-the-ico/" class="font-serif text-serif-base text-link hover:underline">About the ICO</a> </div> <ul class="text-sm text-neutral-600 -mt-1"> <li class="mt-1"> <a href="/about-the-ico/who-we-are/" class="hover:underline">Who we are</a> </li> <li class="mt-1"> <a href="/about-the-ico/what-we-do/" class="hover:underline">What we do</a> </li> <li class="mt-1"> <a href="/about-the-ico/media-centre/" class="hover:underline">Media centre</a> </li> <li class="mt-1"> <a href="/about-the-ico/jobs/" class="hover:underline">Careers</a> </li> <li class="mt-1"> <a href="/about-the-ico/modern-slavery-statement/" class="hover:underline">Modern Slavery Statement</a> </li> </ul> </li> </ul> </div> <div class="hidden md:block flex-auto mx-8 border-l-2 border-dotted border-neutral-400"> </div> <div class="flex-auto"> <div class="font-serif text-serif-base text-link mb-3">Follow us</div> <ul class="flex flex-col sm:flex-row md:flex-col sm:flex-wrap sm:gap-x-4 gap-y-2 text-sm text-neutral-600"> <li class="sm:flex-auto md:flex-none"> <a class="flex items-center hover:underline" href="https://twitter.com/iconews" target="_blank"> <img class="rounded-full mr-2" src="/media2/g1plb1os/twitter.svg?width=24&amp;height=24&amp;v=1db03b86976f0f0" width="24" height="24" alt="Icon for the Twitter @ICONews social link" /> <span>Twitter @ICONews</span> </a> </li> <li class="sm:flex-auto md:flex-none"> <a class="flex items-center hover:underline" href="http://www.youtube.com/user/icocomms" target="_blank"> <img class="rounded-full mr-2" src="/media2/z3vdkkxj/youtube.svg?width=24&amp;height=24&amp;v=1db042ab32beee0" width="24" height="24" alt="Icon for the YouTube social link" /> <span>YouTube</span> </a> </li> <li class="sm:flex-auto md:flex-none"> <a class="flex items-center hover:underline" href="http://linkedin.com/company/information-commissioner&#x27;s-office" target="_blank"> <img class="rounded-full mr-2" src="/media2/cgdpvn4n/linkedin.svg?width=24&amp;height=24&amp;v=1db042ab2dda7d0" width="24" height="24" alt="Icon for the LinkedIn social link" /> <span>LinkedIn</span> </a> </li> <li class="sm:flex-auto md:flex-none"> <a class="flex items-center hover:underline" href="http://facebook.com/ICOnews" target="_blank"> <img class="rounded-full mr-2" src="/media2/g2nhkyjv/facebook.svg?width=24&amp;height=24&amp;v=1db03b86b4b62d0" width="24" height="24" alt="Icon for the Facebook social link" /> <span>Facebook</span> </a> </li> <li class="sm:flex-auto md:flex-none"> <a class="flex items-center hover:underline" href="/about-the-ico/media-centre/e-newsletter/"> <img class="rounded-full mr-2" src="/media2/thzeryz5/envelope.svg?width=24&amp;height=24&amp;v=1db03b86a1d4310" width="24" height="24" alt="Icon for the Subscribe to our e-newsletter social link" /> <span>Subscribe to our e-newsletter</span> </a> </li> </ul> </div> </div> </div> </div> <div class="bg-secondary"> <div class="lg:container px-4"> <div class="py-3 md:hidden"> <div class="font-serif text-center md:text-left text-white text-serif-base md:flex items-end md:pl-8 border-secondary border-dotted md:border-l-2"> <span>The ICO exists to empower you through information.</span> </div> </div> </div> </div> <div class="bg-primary"> <div class="lg:container px-4"> <div class="pt-2"> <ul class="-mx-3 flex flex-wrap text-white text-sm md:text-base"> <li class="mx-3 my-1"> <a href="/global/contact-us/" class="hover:underline">Contact us</a> </li> <li class="mx-3 my-1"> <a href="/global/privacy-notice/" class="hover:underline">Privacy notice</a> </li> <li class="mx-3 my-1"> <a href="/global/cookies/" class="hover:underline">Cookies</a> </li> <li class="mx-3 my-1"> <a href="/global/accessibility/" class="hover:underline">Accessibility</a> </li> <li class="mx-3 my-1"> <a href="/about-the-ico/who-we-are/wales-office/" class="hover:underline">Cymraeg</a> </li> <li class="mx-3 my-1"> <a href="/global/request-publications/" class="hover:underline">Publications</a> </li> <li class="mx-3 my-1"> <a href="/global/disclaimer/" class="hover:underline">Disclaimer</a> </li> <li class="mx-3 my-1"> <a href="/global/copyright-and-re-use-of-materials/" class="hover:underline">&#xA9; Copyright</a> </li> </ul> </div> <div class="py-5"> <div class="md:flex md:items-center"> <div class="pr-4 mb-2 md:mb-0"> <img class="w-10" src="/media2/r34b3hma/ogl.png?width=40&amp;height=16&amp;v=1db03b8684a57d0" width="40" height="16" alt="" /> </div> <div class="prose prose-sm prose-white"> <p>All text content is available under the <a href="http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/">Open Government Licence v3.0</a>, except where otherwise stated.</p> </div> </div> </div> </div> </div> </footer> <script type="text/javascript" src="https://cc.cdn.civiccomputing.com/9/cookieControl-9.9.min.js"></script> <script type="application/json" id="cookie-settings"> {"apiKey":"dbf86e044f3ab8c4df852af5c7c6ceb2dd7678dd","necessaryCookies":[".AspNetCore.Antiforgery.*","language"],"statement":{"description":"For more detailed information, see our","name":"Cookies page","url":"https://ico.org.uk/global/cookies/","updated":"04/09/2024"},"text":{"title":"Cookies on the ICO website","intro":"We use some essential cookies to make this site work. We\u0027d like to set analytics cookies to understand how you use this site. We may use services from Vimeo and YouTube that may also use cookies.","acceptSettings":"Accept non-essential cookies","rejectSettings":"Reject non-essential cookies","necessaryTitle":"Essential cookies","necessaryDescription":"These cookies are necessary for core functionality, such as security and network management. They always need to be on.","closeLabel":"Save and close","cornerButton":"Cookie options","on":"On","off":"Off"},"optionalCookies":[{"name":"analytics","label":"Analytics cookies","description":"We use Silktide to measure how you use the ICO website. These cookies collect information about how you got to the site, the pages you visit and how long you spend on each page, and what you click on."},{"name":"videoPlayer","label":"Video player cookies","description":"We use services from Vimeo and YouTube to show you embedded videos on the ICO website. Vimeo and Google may use cookies to receive information about the videos you watch for analytics and advertising purposes."}]} </script> <script type="text/plain" id="silktide-settings">12d0c703744ea255b679f823daf1645f</script> <script type="text/javascript" src="/js/index.js?v=TYEGb_GH5SkF5NJRh7cZpx-oDut7QIjlT7FB7jistDU"></script> </body> </html>