<!doctype html> <!--[if lte IE 8 ]><html lang="en" class="ie8"><![endif]--> <!--[if lte IE 9 ]><html lang="en" class="ie9"><![endif]--> <!--[if (gt IE 9)|!(IE)]><!--> <html lang="en"> <head prefix="og: http://ogp.me/ns#"> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="initial-scale=1.0, width=device-width"> <title>Right to be informed | ICO</title> <meta name="DC.Subject" content="Right to be informed" /> <meta name="DC.Date" content="Tuesday, November 19, 2024" /> <meta name="DC.Creator" content="" /> <meta name="DC.Publisher" content="ICO" /> <meta name="DC.Title" content="Right to be informed" /> <meta name="DC.PageID" content="5661" /> <meta property="og:title" content="Right to be informed" /> <meta property="og:type" content="website" /> <meta property="og:url" content="https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-be-informed/" /> <meta property="og:description" content="" /> <meta property="og:image" content="" /> <meta name="twitter:title" content="Right to be informed" /> <meta name="twitter:description" content="" /> <meta name="robots" content="index" /> <link rel="shortcut icon" type="image/x-icon" href="/media2/lhphq55z/favicon.ico" /> <link rel="stylesheet" type="text/css" href="/css/site.css?v=2vrG7eADocFkX9vchR9h5gTORmu6STTHxmyTWJsW9nw" /> </head> <body id="top" class="bg-white min-h-screen "> <a class="flex items-center justify-center px-3 py-2 bg-secondary text-white text-xl sr-only focus:relative focus:w-full focus:h-fit" href="#main-content"> <span class="font-serif text-serif-base pr-2">Skip to main content</span> <span class="icon icon-arrow-down"></span> </a> <header class="w-full fixed md:static z-10 md:z-auto print:hidden"> <div class="bg-primary"> <div class="lg:container px-4 py-3.5 md:flex"> <div class="md:pr-8"> <a href="/"> <div class="bg-left bg-contain bg-no-repeat h-8 w-20 inline-block md:hidden" 
style="background-image: url('/media2/qkcg1rdf/logo-small.svg?width=80&height=32&v=1db03b868bf60c0');"></div> <div class="bg-left bg-contain bg-no-repeat h-24 w-40 hidden md:inline-block" style="background-image: url('/media2/myukqaa2/ico-header-logo.svg?width=160&height=96&v=1db03b866f17e90');"></div> <span class="sr-only">Home</span> </a> </div> <div class="grow items-stretch hidden md:flex"> <div class="font-serif text-center md:text-left text-white text-serif-base md:flex items-end md:pl-8 border-secondary border-dotted md:border-l-2"> <span>The ICO exists to empower you through information.</span> </div> </div> <div class="flex flex-col items-end md:pl-8"> <script type="application/json" id="language-settings"> {"cookieDomain":"ico.org.uk","options":[{"text":"English","href":"https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-be-informed/","icon":"icon-lang-en","value":"English"},{"text":"Cymraeg","href":"https://cy.ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-be-informed/","icon":"icon-lang-cy","value":"Welsh"}]} </script> <div id="language-toggle"></div> <div class="grow flex items-end"> <button type="button" id="search-toggle" class="absolute rounded p-2 top-3 right-12 md:hidden hover:bg-secondary" aria-controls="search"> <span id="search-icon" class="block icon icon-search text-white text-xl"></span> <span class="sr-only">Search</span> </button> <div id="search" class="motion-safe:transition-all motion-safe:duration-200 hidden md:block w-full sm:w-fit max-h-0 md:max-h-fit overflow-hidden md:overflow-auto"> <form action="https://icosearch.ico.org.uk/s/search.html" method="GET" id="search-form" class="pt-3.5 md:pt-0"> <input type="hidden" name="collection" value="ico-meta" /> <input type="hidden" name="profile" value="_default" /> <div class="flex"> <label for="search-query" class="sr-only">Search</label> <input type="search" name="query" 
id="search-query" class="grow min-w-0 px-2 py-1 border-t border-b border-l border-r-0 border-white/50 focus:border-white focus:ring-0 rounded-l bg-secondary motion-safe:transition-colors hocus:bg-white text-white hocus:text-black sm:w-60 md:w-48" /> <button type="submit" class="text-transparent bg-secondary rounded-r p-2 border-t border-b border-r border-white/50"> <span class="block text-white text-xl icon icon-search"></span> <span class="sr-only">Search</span> </button> </div> </form> </div> </div> </div> </div> </div> <div class="bg-secondary"> <div class="lg:container md:px-4"> <button type="button" id="navbar-toggle" class="absolute rounded p-2 top-3 right-3 md:hidden hover:bg-secondary" aria-controls="navbar"> <span class="block icon icon-menu text-white text-xl"></span> <span class="sr-only">Menu</span> </button> <nav id="navbar" class="bg-secondary motion-safe:transition-all motion-safe:duration-200 hidden md:block max-h-0 md:max-h-fit overflow-hidden md:overflow-auto"> <ul class="border-primary border-dotted border-t-2 md:border-t-0 md:flex md:flex-wrap"> <li class="md:flex"> <a href="/" class="relative flex justify-between items-center text-white text-serif-lg md:text-base whitespace-nowrap md:whitespace-normal pl-9 md:pl-3 pr-4 md:pr-3 py-2 md:py-1 font-serif md:font-sans before:absolute before:w-2.5 before:top-2 before:bottom-2 before:left-4 md:before:hidden md:border-y-5 md:border-transparent before:bg-theme-grey md:hover:border-t-theme-grey"> <span>Home</span> <span class="icon icon-arrow-right text-xl md:hidden"></span> </a> </li> <li class="md:flex"> <a href="/for-the-public/" class="relative flex justify-between items-center text-white text-serif-lg md:text-base whitespace-nowrap md:whitespace-normal pl-9 md:pl-3 pr-4 md:pr-3 py-2 md:py-1 font-serif md:font-sans before:absolute before:w-2.5 before:top-2 before:bottom-2 before:left-4 md:before:hidden md:border-y-5 md:border-transparent before:bg-theme-green md:hover:border-t-theme-green"> <span>For 
the public</span> <span class="icon icon-arrow-right text-xl md:hidden"></span> </a> </li> <li class="md:flex"> <a href="/for-organisations/" class="relative flex justify-between items-center text-white text-serif-lg md:text-base whitespace-nowrap md:whitespace-normal pl-9 md:pl-3 pr-4 md:pr-3 py-2 md:py-1 font-serif md:font-sans before:absolute before:w-2.5 before:top-2 before:bottom-2 before:left-4 md:before:hidden md:border-y-5 md:border-transparent before:bg-theme-yellow md:hover:border-t-theme-yellow bg-primary md:border-t-theme-yellow"> <span>For organisations</span> <span class="icon icon-arrow-right text-xl md:hidden"></span> </a> </li> <li class="md:flex"> <a href="/make-a-complaint/" class="relative flex justify-between items-center text-white text-serif-lg md:text-base whitespace-nowrap md:whitespace-normal pl-9 md:pl-3 pr-4 md:pr-3 py-2 md:py-1 font-serif md:font-sans before:absolute before:w-2.5 before:top-2 before:bottom-2 before:left-4 md:before:hidden md:border-y-5 md:border-transparent before:bg-theme-orange md:hover:border-t-theme-orange"> <span>Make a complaint</span> <span class="icon icon-arrow-right text-xl md:hidden"></span> </a> </li> <li class="md:flex"> <a href="/action-weve-taken/" class="relative flex justify-between items-center text-white text-serif-lg md:text-base whitespace-nowrap md:whitespace-normal pl-9 md:pl-3 pr-4 md:pr-3 py-2 md:py-1 font-serif md:font-sans before:absolute before:w-2.5 before:top-2 before:bottom-2 before:left-4 md:before:hidden md:border-y-5 md:border-transparent before:bg-theme-red md:hover:border-t-theme-red"> <span>Action we've taken</span> <span class="icon icon-arrow-right text-xl md:hidden"></span> </a> </li> <li class="md:flex"> <a href="/about-the-ico/" class="relative flex justify-between items-center text-white text-serif-lg md:text-base whitespace-nowrap md:whitespace-normal pl-9 md:pl-3 pr-4 md:pr-3 py-2 md:py-1 font-serif md:font-sans before:absolute before:w-2.5 before:top-2 before:bottom-2 
before:left-4 md:before:hidden md:border-y-5 md:border-transparent before:bg-theme-blue md:hover:border-t-theme-blue"> <span>About the ICO</span> <span class="icon icon-arrow-right text-xl md:hidden"></span> </a> </li> </ul> </nav> </div> </div> </header> <main id="main-content" class="pt-20 md:pt-0 md:mt-7 mb-3 md:mb-4"> <div class="lg:container px-4 mb-4 print:hidden"> <nav aria-label="breadcrumb"> <ul class="-mx-1 flex flex-wrap text-sm"> <li class="mx-1"> <span class="after:content-['/'] after:ml-1"> <a href="/for-organisations/" class="text-link hover:underline">For organisations</a> </span> </li> <li class="mx-1"> <span class="after:content-['/'] after:ml-1"> <a href="/for-organisations/uk-gdpr-guidance-and-resources/" class="text-link hover:underline">UK GDPR guidance and resources</a> </span> </li> <li class="mx-1"> <span class="after:content-['/'] after:ml-1"> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/" class="text-link hover:underline">Individual rights - guidance and resources</a> </span> </li> <li class="mx-1"> <span class="after:content-['/'] after:ml-1"> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/" class="text-link hover:underline">A guide to individual rights</a> </span> </li> <li class="mx-1"> <span>Right to be informed</span> </li> </ul> </nav> </div> <div class="lg:container px-4"> <div class="border-dotted border-b-2 border-neutral-200 pb-2 sm:pb-3.5 md:pb-6 mb-2 sm:mb-3.5 md:mb-5"> <div class="md:flex md:items-center"> <h1 class="py-0.5 font-serif leading-none sm:border-l-10 sm:pl-3 text-serif-2xl sm:text-serif-3xl border-theme-yellow">Right to be informed</h1> <div class="md:pl-2 md:ml-auto mt-2 md:mt-2 print:hidden"> <a href="#0" id="download-options-toggle" class="font-serif text-serif-base text-link flex items-center"> Download options <span class="hidden">(Opens download panel)</span> <i class="inline-block icon icon-download text-xl text-white 
bg-pink-600 rounded-full p-2 ml-2"></i> </a> </div> </div> <div class="download-container bg-pink-600 mt-5 rounded-lg motion-safe:transition-all motion-safe:duration-200 overflow-hidden max-h-0 hidden" id="download-options-container"> <form method="post" action="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-be-informed/" class="p-3 text-white md:flex md:items-center" target="_blank"> <input type="hidden" name="currentUrl" value="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-be-informed/" /> <input type="hidden" name="nodeId" value="5661" /> <input type="hidden" name="formId" /> <input type="hidden" name="recordId" /> <fieldset class="md:flex md:items-center"> <legend class="font-serif text-serif-base contents">Pages</legend> <ul class="flex mt-1 md:mt-0 ml-2"> <li class="md:ml-2"> <input type="radio" name="pages" id="pages-all" value="all" class="hidden appearance-none cursor-pointer peer" checked> <label for="pages-all" class="cursor-pointer rounded p-2 pr-3 flex justify-center items-center peer-checked:bg-pink-700 text-sm md:text-base"> <i class="icon icon-book mr-2 text-base md:text-lg"></i>All pages </label> </li> <li class="ml-2"> <input type="radio" name="pages" id="pages-this" value="this" class="hidden appearance-none cursor-pointer peer"> <label for="pages-this" class="cursor-pointer rounded p-2 pr-3 flex justify-center items-center peer-checked:bg-pink-700 text-sm md:text-base"> <i class="icon icon-file-blank mr-2 text-base md:text-lg"></i>This page </label> </li> </ul> </fieldset> <fieldset class="md:ml-10 md:flex md:items-center mt-3 md:mt-0"> <legend class="font-serif text-serif-base contents">Format</legend> <ul class="flex mt-1 md:mt-0 ml-2"> <li class="md:ml-2"> <input type="radio" name="types" id="types-pdf" value="pdf" class="hidden appearance-none cursor-pointer peer" checked> <label for="types-pdf" class="cursor-pointer rounded p-2 pr-3 flex 
justify-center items-center peer-checked:bg-pink-700 text-sm md:text-base"> <i class="icon icon-file-pdf mr-2 text-base md:text-lg"></i>PDF </label> </li> </ul> </fieldset> <div class="ml-auto mt-3 md:mt-0"> <button class="btn bg-primary flex items-center text-base md:text-lg"> Download <i class="icon icon-download text-white ml-2 text-lg"></i> </button> </div> </form> </div> </div> <div class="grid grid-cols-4"> <div class="col-span-4 md:hidden border-b-2 border-dotted border-neutral-200 flex justify-between pb-2 mb-4 cursor-pointer print:hidden" id="multipage-nav-toggle"> <p class="text-sm text-primary justify-start">Contents</p> <div class="justify-end"> <span class="icon icon-search text-primary" id="multipage-search-button"></span> <span class="icon icon-pointer-down text-primary"></span> </div> </div> <aside class="col-span-4 md:col-span-1 hidden md:block motion-safe:transition-all motion-safe:duration-200 overflow-hidden md:overflow-auto max-h-0 md:max-h-fit mb-6 md:mb-0" id="multipage-nav"> <form id="multipage-search" class="mb-3 flex" method="get"> <label for="multipage-search-input" class="sr-only">Search this document</label> <input type="search" name="search" value="" class="w-full py-2 px-2 text-sm bg-slate-100 border-r-0" id="multipage-search-input" /> <button type="submit" title="Search" class="icon icon-search px-2 bg-slate-100 border border-solid border-l-0 border-slate-700"> </button> </form> <nav> <ul> <li> <div class="mb-2 pb-2 border-b-2 border-dotted border-neutral-200"> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/" class="pt-2 pr-2 pb-2 flex justify-between text-sm border-l-4 border-solid text-link border-transparent hover:border-neutral-200 hover:bg-neutral-100 pl-[10px]" data-id="5616"> <span>A guide to individual rights</span> </a> </div> <ul> <li> <div> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-be-informed/" class="pt-2 pr-2 
pb-2 flex justify-between text-sm border-l-4 border-solid bg-neutral-100 text-neutral-600 border-theme-yellow pl-[10px]" data-id="5661"> <span>Right to be informed</span> </a> </div> </li> </ul> <ul> <li> <div> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-of-access/" class="pt-2 pr-2 pb-2 flex justify-between text-sm border-l-4 border-solid text-link border-transparent hover:border-neutral-200 hover:bg-neutral-100 pl-[10px]" data-id="5669"> <span>Right of access</span> </a> </div> </li> </ul> <ul> <li> <div> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-rectification/" class="pt-2 pr-2 pb-2 flex justify-between text-sm border-l-4 border-solid text-link border-transparent hover:border-neutral-200 hover:bg-neutral-100 pl-[10px]" data-id="5674"> <span>Right to rectification</span> </a> </div> </li> </ul> <ul> <li> <div> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-erasure/" class="pt-2 pr-2 pb-2 flex justify-between text-sm border-l-4 border-solid text-link border-transparent hover:border-neutral-200 hover:bg-neutral-100 pl-[10px]" data-id="5678"> <span>Right to erasure</span> </a> </div> </li> </ul> <ul> <li> <div> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-restrict-processing/" class="pt-2 pr-2 pb-2 flex justify-between text-sm border-l-4 border-solid text-link border-transparent hover:border-neutral-200 hover:bg-neutral-100 pl-[10px]" data-id="5683"> <span>Right to restrict processing</span> </a> </div> </li> </ul> <ul> <li> <div> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-data-portability/" class="pt-2 pr-2 pb-2 flex justify-between text-sm border-l-4 border-solid text-link border-transparent hover:border-neutral-200 hover:bg-neutral-100 pl-[10px]" data-id="5690"> 
<span>Right to data portability</span> </a> </div> </li> </ul> <ul> <li> <div> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-object/" class="pt-2 pr-2 pb-2 flex justify-between text-sm border-l-4 border-solid text-link border-transparent hover:border-neutral-200 hover:bg-neutral-100 pl-[10px]" data-id="5700"> <span>Right to object</span> </a> </div> </li> </ul> <ul> <li> <div> <a href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/rights-related-to-automated-decision-making-including-profiling/" class="pt-2 pr-2 pb-2 flex justify-between text-sm border-l-4 border-solid text-link border-transparent hover:border-neutral-200 hover:bg-neutral-100 pl-[10px]" data-id="5705"> <span>Rights related to automated decision making including profiling</span> </a> </div> </li> </ul> </li> </ul> </nav> </aside> <div class="col-span-4 md:col-span-3 md:pl-10"> <div class="mb-10"> <div class="umb-block-grid" data-grid-columns="12;" style="--umb-block-grid--grid-columns: 12;"> <div class="umb-block-grid__layout-container"> <div class="umb-block-grid__layout-item" data-content-element-type-alias="richTextBlock" data-content-element-type-key="d7ec1d8a-2a00-439e-95b4-9f3537f5ece4" data-element-udi="umb://element/d75601b57da54257b0625b7106832cc5" data-col-span="12" data-row-span="1" style=" --umb-block-grid--item-column-span: 12; --umb-block-grid--item-row-span: 1; "> <div class="prose prose-sm md:prose-base prose-h2:font-serif sm:prose-h2:border-l-10 sm:prose-h2:pl-3 sm:prose-h2:-ml-3 sm:prose-h2:relative sm:prose-h2:left-[-10px] prose-h3:font-serif sm:prose-lead:border-l-10 sm:prose-lead:pl-3 sm:prose-lead:-ml-3 sm:prose-lead:relative sm:prose-lead:left-[-10px] prose-hr:my-4 prose-h2:border-theme-yellow-light prose-lead:border-theme-yellow-light prose-theme-yellow sm:ml-[10px] sm:pl-3"> <h2>At a glance</h2><ul> <li>Individuals have the right to be informed about the collection and use of 
their personal data. This is a key transparency requirement under the UK GDPR.</li> <li>You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.</li> <li>You must provide privacy information to individuals at the time you collect their personal data from them.</li> <li>If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.</li> <li>There are a few circumstances when you do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.</li> <li>The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.</li> <li>It is often most effective to provide privacy information to people using a combination of different techniques including layering, dashboards, and just-in-time notices.</li> <li>User testing is a good way to get feedback on how effective the delivery of your privacy information is.</li> <li>You must regularly review, and where necessary, update your privacy information. 
You must bring any new uses of an individual’s personal data to their attention before you start the processing.</li> <li>Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage.</li> </ul><h2>Checklists</h2><div class="rt-block rt-letter"> <p><strong>What to provide</strong></p> <p>We provide individuals with all the following privacy information:</p> <p><span>☐ </span>The name and contact details of our organisation.</p> <p><span>☐ </span>The name and contact details of our representative (if applicable).</p> <p><span>☐ </span>The contact details of our data protection officer (if applicable).</p> <p><span>☐ </span>The purposes of the processing.</p> <p><span>☐ </span>The lawful basis for the processing.</p> <p><span>☐ </span>The legitimate interests for the processing (if applicable).</p> <p><span>☐ </span>The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).</p> <p><span>☐ </span>The recipients or categories of recipients of the personal data.</p> <p><span>☐ </span>The details of transfers of the personal data to any third countries or international organisations (if applicable).</p> <p><span>☐ </span>The retention periods for the personal data.</p> <p><span>☐ </span>The rights available to individuals in respect of the processing.</p> <p><span>☐ </span>The right to withdraw consent (if applicable).</p> <p><span>☐ </span>The right to lodge a complaint with a supervisory authority.</p> <p><span>☐ </span>The source of the personal data (if the personal data is not obtained from the individual it relates to).</p> <p><span>☐ </span>The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).</p> <p><span>☐ </span>The 
details of the existence of automated decision-making, including profiling (if applicable).</p> <p><strong><br>When to provide it</strong></p> <p><span>☐ </span>We provide individuals with privacy information at the time we collect their personal data from them.</p> <p>If we obtain personal data from a source other than the individual it relates to, we provide them with privacy information:</p> <p style="padding-left: 30px;"><span>☐ </span>within a reasonable period of obtaining the personal data and no later than one month;</p> <p style="padding-left: 30px;"><span>☐ </span>if we plan to communicate with the individual, at the latest, when the first communication takes place; or</p> <p style="padding-left: 30px;"><span>☐ </span>if we plan to disclose the data to someone else, at the latest, when the data is disclosed.</p> <p><strong><br>How to provide it</strong></p> <p>We provide the information in a way that is: </p> <p style="padding-left: 30px;"><span>☐ concise;</span></p> <p style="padding-left: 30px;"><span>☐ transparent;</span></p> <p style="padding-left: 30px;"><span>☐ intelligible;</span></p> <p style="padding-left: 30px;"><span>☐ </span>easily accessible; and</p> <p style="padding-left: 30px;"><span>☐ </span>uses clear and plain language.</p> <p><strong><br>Changes to the information</strong></p> <p><span>☐ </span>We regularly review and, where necessary, update our privacy information.</p> <p><span>☐ </span>If we plan to use personal data for a new purpose, we update our privacy information and communicate the changes to individuals before starting any new processing.</p> <p><strong><br>Best practice – drafting the information</strong></p> <p><span>☐ </span>We undertake an information audit to find out what personal data we hold and what we do with it.</p> <p><span>☐ </span>We put ourselves in the position of the people we’re collecting information about.</p> <p><span>☐ </span>We carry out user testing to evaluate how effective our privacy information 
is.</p> <p><strong>Best practice – delivering the information</strong></p> <p>When providing our privacy information to individuals, we use a combination of appropriate techniques, such as:</p> <p style="padding-left: 30px;"><span>☐ a layered approach;</span></p> <p style="padding-left: 30px;"><span>☐ </span>dashboards;</p> <p style="padding-left: 30px;"><span>☐ </span>just-in-time notices;</p> <p style="padding-left: 30px;"><span>☐ </span>icons; and</p> <p style="padding-left: 30px;"><span>☐ </span>mobile and smart device functionalities.</p> </div><h2> In brief</h2><ul> <li><a href="#right">What is the right to be informed and why is it important?</a></li> <li><a href="#provide">What privacy information should we provide?</a></li> <li><a href="#when">When should we provide privacy information?</a></li> <li><a href="#exceptions">Are there any exceptions?</a></li> <li><a href="#draft">How should we draft our privacy information?</a></li> <li><a href="#methods">What methods can we use to provide privacy information?</a></li> <li><span><a href="#issues">What common issues might come up in practice</a>?</span></li> <li><a data-id="58cd3930-a152-45b3-9693-248ffcfc0d1f" href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/the-right-to-be-informed/" title="The right to be informed"><span>The right to be informed in more detail</span></a></li> </ul><h3>What is the right to be informed and why is it important?<a id="right"></a></h3><p>The right to be informed covers some of the key transparency requirements of the UK GDPR. It is about providing individuals with clear and concise information about what you do with their personal data.</p><p>Articles 13 and 14 of the UK GDPR specify what individuals have the right to be informed about. 
We call this ‘privacy information’.</p><p>Using an effective approach can help you to comply with other aspects of the UK GDPR, foster trust with individuals and obtain more useful information from them.</p><p>Getting this wrong can leave you open to fines and lead to reputational damage.</p><h3><a id="provide"></a>What privacy information should we provide?</h3><p>The table below summarises the information that you must provide. What you need to tell people differs slightly depending on whether you collect personal data from the individual it relates to or obtain it from another source.</p><table border="0"> <tbody> <tr> <th style="border-color: #f7f3f0; background-color: #f7f3f0;" scope="col"><strong>What information do we need to provide?</strong></th> <th style="border-color: #f7f3f0; background-color: #f7f3f0;" scope="col"><strong>Personal data collected from individuals</strong></th> <th style="border-color: #f7f3f0; background-color: #f7f3f0;" scope="col"><strong>Personal data obtained from other sources</strong></th> </tr> <tr> <td>The name and contact details of your organisation</td> <td><strong>✓</strong></td> <td><strong>✓</strong></td> </tr> <tr> <td>The name and contact details of your representative</td> <td><strong>✓</strong></td> <td><strong>✓</strong></td> </tr> <tr> <td>The contact details of your data protection officer</td> <td><strong>✓</strong></td> <td><strong>✓</strong></td> </tr> <tr> <td>The purposes of the processing</td> <td><strong>✓ </strong></td> <td><strong>✓</strong></td> </tr> <tr> <td>The lawful basis for the processing</td> <td><strong>✓</strong></td> <td><strong>✓</strong></td> </tr> <tr> <td>The legitimate interests for the processing</td> <td><strong>✓</strong></td> <td><strong>✓</strong></td> </tr> <tr> <td>The categories of personal data obtained</td> <td> </td> <td><strong>✓</strong></td> </tr> <tr> <td>The recipients or categories of recipients of the personal data</td> <td><strong>✓ </strong></td> 
<td><strong>✓</strong></td> </tr> <tr> <td>The details of transfers of the personal data to any third countries or international organisations</td> <td><strong>✓ </strong></td> <td><strong>✓ </strong></td> </tr> <tr> <td>The retention periods for the personal data</td> <td><strong>✓</strong></td> <td><strong>✓ </strong></td> </tr> <tr> <td>The rights available to individuals in respect of the processing</td> <td><strong>✓</strong></td> <td><strong>✓ </strong></td> </tr> <tr> <td>The right to withdraw consent</td> <td><strong>✓</strong></td> <td><strong>✓</strong></td> </tr> <tr> <td>The right to lodge a complaint with a supervisory authority</td> <td><strong>✓</strong></td> <td><strong>✓ </strong></td> </tr> <tr> <td>The source of the personal data</td> <td> </td> <td><strong>✓</strong></td> </tr> <tr> <td>The details of whether individuals are under a statutory or contractual obligation to provide the personal data</td> <td><strong>✓</strong></td> <td> </td> </tr> <tr> <td>The details of the existence of automated decision-making, including profiling</td> <td><strong>✓</strong></td> <td><strong>✓</strong></td> </tr> </tbody> </table><h3>When should we provide privacy information?<a id="when"></a></h3><p>When you collect personal data from the individual it relates to, you must provide them with privacy information at the time you obtain their data.</p><p>When you obtain personal data from a source other than the individual it relates to, you need to provide the individual with privacy information:</p><ul> <li>within a reasonable period of obtaining the personal data and no later than one month;</li> <li>if you use the data to communicate with the individual, at the latest, when the first communication takes place; or</li> <li>if you envisage disclosure to someone else, at the latest, when you disclose the data.</li> </ul><p>You must actively provide privacy information to individuals. 
You can meet this requirement by putting the information on your website, but you must make individuals aware of it and give them an easy way to access it.</p><h3><a id="exceptions"></a>Are there any exceptions?</h3><p>When collecting personal data from individuals, you do not need to provide them with any information that they already have.</p><p>When obtaining personal data from other sources, you do not need to provide individuals with privacy information if:</p><ul> <li>the individual already has the information;</li> <li>providing the information to the individual would be impossible;</li> <li>providing the information to the individual would involve a disproportionate effort;</li> <li>providing the information to the individual would render impossible or seriously impair the achievement of the objectives of the processing;</li> <li>you are required by law to obtain or disclose the personal data; or</li> <li>you are subject to an obligation of professional secrecy regulated by law that covers the personal data.</li> </ul><h3>How should we draft our privacy information?<a id="draft"></a></h3><p>An information audit or data mapping exercise can help you find out what personal data you hold and what you do with it.</p><p>You should think about the intended audience for your privacy information and put yourself in their position.</p><p>If you collect or obtain children’s personal data, you must take particular care to ensure that the information you provide them with is appropriately written, using clear and plain language.</p><p>For all audiences, you must provide information to them in a way that is:</p><ul> <li>concise;</li> <li>transparent;</li> <li>intelligible;</li> <li>easily accessible; and</li> <li>uses clear and plain language.</li> </ul><p>It is good practice to carry out user testing on your draft privacy information to get feedback on how easy it is to access and understand.</p><p>After it is finalised, undertake regular reviews to check it remains 
accurate and up to date.</p><p>If you plan to use personal data for any new purposes, you must update your privacy information and proactively bring any changes to people’s attention.</p><h3><a id="methods"></a>What methods can we use to provide privacy information?</h3><p>There are a number of techniques you can use to provide people with privacy information. You can use:</p><ul> <li><strong>A layered approach</strong> – short notices containing key privacy information that have additional layers of more detailed information.</li> <li><strong>Dashboards</strong> – preference management tools that inform people how you use their data and allow them to manage what happens with it.</li> <li><strong>Just-in-time notices</strong> – relevant and focused privacy information delivered at the time you collect individual pieces of information about people.</li> <li><strong>Icons</strong> – small, meaningful, symbols that indicate the existence of a particular type of data processing.</li> <li><strong>Mobile and smart device functionalities</strong> – including pop-ups, voice alerts and mobile device gestures.</li> </ul><p>Consider the context in which you are collecting personal data. 
It is good practice to use the same medium you use to collect personal data to deliver privacy information.</p><p>Taking a blended approach, using more than one of these techniques, is often the most effective way to provide privacy information.</p><h3><a id="issues"></a>What common issues might come up in practice?</h3><p>If you <strong>share</strong> personal data with (or <strong>sell</strong> it to) other organisations:</p><ul> <li>As part of the privacy information you provide, you must tell people who you are giving their information to, unless you are relying on an exception or an exemption.</li> <li>You can tell people the names of the organisations or the categories that they fall within; choose the option that is most meaningful.</li> <li>It is good practice to use a dashboard to let people manage who their data is sold to, or shared with, where they have a choice.</li> </ul><p>If you <strong>buy</strong> personal data from other organisations:</p><ul> <li>You must provide people with your own privacy information, unless you are relying on an exception or an exemption.</li> <li>If you think that it is impossible to provide privacy information to individuals, or it would involve a disproportionate effort, you must carry out a DPIA to find ways to mitigate the risks of the processing.</li> <li>If your purpose for using the personal data is different to that for which it was originally obtained, you must tell people about this, as well as what your lawful basis is for the processing.</li> <li>Provide people with your privacy information within a reasonable period of buying the data, and no later than one month.</li> </ul><p>If you obtain personal data from <strong>publicly accessible sources</strong>:</p><ul> <li>You still have to provide people with privacy information, unless you are relying on an exception or an exemption.</li> <li>If you think that it is impossible to provide privacy information to individuals, or it would involve a disproportionate 
effort, you must carry out a DPIA to find ways to mitigate the risks of the processing.</li> <li>Be very clear with individuals about any unexpected or intrusive uses of personal data, such as combining information about them from a number of different sources.</li> <li>Provide people with privacy information within a reasonable period of obtaining the data, and no later than one month.</li> </ul><p>If you apply <strong>Artificial Intelligence (AI)</strong> to personal data:</p><ul> <li>Be upfront about it and explain your purposes for using AI.</li> <li>If the purposes for processing are unclear at the outset, give people an indication of what you are going to do with their data. As your processing purposes become clearer, update your privacy information and actively communicate this to people.</li> <li>Inform people about any new uses of personal data before you actually start the processing.</li> <li>If you use AI to make solely automated decisions about people with legal or similarly significant effects, tell them what information you use, why it is relevant and what the likely impact is going to be.</li> <li>Consider using just-in-time notices and dashboards which can help to keep people informed and let them control further uses of their personal data.</li> </ul> </div> </div> <div class="umb-block-grid__layout-item" data-content-element-type-alias="furtherReadingBlock" data-content-element-type-key="349dc532-9e3f-4f24-9fa4-2e5b86aa0eda" data-element-udi="umb://element/2fdea62d329b4adc863ff55227df67e7" data-col-span="12" data-row-span="1" style=" --umb-block-grid--item-column-span: 12; --umb-block-grid--item-row-span: 1; "> <further-Reading x-href="https://www.legislation.gov.uk/eur/2016/679/contents" x-target="_blank" x-title="Relevant provisions in the UK GDPR – See Articles 12-14, and Recitals 58 and 60-62" x-location="External link"></further-Reading> </div> <div class="umb-block-grid__layout-item" data-content-element-type-alias="richTextBlock" 
data-content-element-type-key="d7ec1d8a-2a00-439e-95b4-9f3537f5ece4" data-element-udi="umb://element/f64e689201c94bde96dd1d43b28d6880" data-col-span="12" data-row-span="1" style=" --umb-block-grid--item-column-span: 12; --umb-block-grid--item-row-span: 1; "> <div class="prose prose-sm md:prose-base prose-h2:font-serif sm:prose-h2:border-l-10 sm:prose-h2:pl-3 sm:prose-h2:-ml-3 sm:prose-h2:relative sm:prose-h2:left-[-10px] prose-h3:font-serif sm:prose-lead:border-l-10 sm:prose-lead:pl-3 sm:prose-lead:-ml-3 sm:prose-lead:relative sm:prose-lead:left-[-10px] prose-hr:my-4 prose-h2:border-theme-yellow-light prose-lead:border-theme-yellow-light prose-theme-yellow sm:ml-[10px] sm:pl-3"> <div class="rt-block rt-green"> <p><strong>In more detail – ICO guidance</strong></p> <p>We have published <a data-id="58cd3930-a152-45b3-9693-248ffcfc0d1f" href="/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/the-right-to-be-informed/" title="The right to be informed">detailed guidance on the right to be informed</a>.</p> <p>The <a href="/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/accountability-framework/individuals-rights/#Informing" title="Individuals’ rights" data-anchor="#Informing">Accountability Framework</a> looks at the ICO’s expectations in relation to data protection by design.</p> </div><div class="rt-block rt-amber"> <p><strong>In more detail – European Data Protection Board</strong></p> <p>The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.</p> <p>EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. 
However, they may still provide helpful guidance on certain issues.</p> <p>WP29 adopted guidelines on <a rel="noopener" href="http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227" target="_blank" data-saferedirecturl="https://www.google.com/url?hl=en-GB&q=http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id%3D622227&source=gmail&ust=1526723045705000&usg=AFQjCNFsUZ9N3qXu6PMRJxqhsWiacaHYdQ">Transparency</a>, which have been endorsed by the EDPB.</p> </div> </div> </div> </div> </div> </div> </div> </div> </div> </main> <footer class="sticky top-[100vh] print:hidden"> <div class="lg:container px-4 border-t-2 border-dotted border-neutral-200 mt-6"> <div class="py-3"> 
<div class="prose prose-sm prose-white"> <p>All text content is available under the <a href="http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/">Open Government Licence v3.0</a>, except where otherwise stated.</p> </div> </div> </div> </footer> </body> </html>