The ICO exists to empower you through information.

Control measure: Privacy information or notice includes all the required information under Articles 13 and 14 of the UK GDPR.

Risk: If the basic requirements are not met, then people have not been properly informed about how their information is processed.

Ways to meet our expectations:

  • Include all relevant contact information, eg the name and contact details of your organisation (and your representative if applicable) and the DPO’s contact details.
  • Include the purposes of the processing and the lawful bases (and, if applicable, the legitimate interests for the processing).
  • Include the types of personal information you obtain and the information source, if the personal information is not obtained from the person it relates to.
  • Include details of all personal information that you share with other organisations and, if applicable, details of transfers to any third countries or international organisations.
  • Include retention periods for the personal information, or if that is not possible, the criteria used to determine the period.
  • Include details about people’s rights including, if applicable, the right to withdraw consent and the right to make a complaint.
  • Include details of whether people are under a statutory or contractual obligation to provide the personal information (if applicable, and if you collect the personal information from the person it relates to).
  • Provide people with privacy information regarding the source of the personal information if you don’t obtain it from the person concerned, eg if the information is from publicly accessible sources such as social media, the open electoral register or Companies House.

Options to consider: 

  • Check staff understand what privacy information is and what it must include.
  • Check that there is separate privacy information about the rights available to people, if you are relying on different lawful bases for different processing.

Have you considered the effectiveness of your accountability measures?

  • Do your staff understand what privacy information is and what must be provided?
  • Are people provided with clear information about the source of personal information, if you don’t obtain it from the person concerned?

 

Control measure: There is a recorded procedure to make sure that people receive privacy information at the right time, unless an exemption applies.

Risk: If people are not provided with privacy information in a timely manner there is a risk they will be unaware of the processing of their information. This may breach articles 13 and 14 of the UK GDPR.

Ways to meet our expectations:

  • Provide people with privacy information when their information is collected directly (eg when they fill in a form) or obtained by observation (eg when using CCTV or when people are tracked online).
  • If you obtain personal information from a source other than the person it relates to, provide privacy information to people, no later than one month after obtaining the information.

Options to consider:

  • Include fair processing training in your organisation's data protection training.

Have you considered the effectiveness of your accountability measures?

  • Do your staff understand when and how privacy information should be provided?

 

Control measure: Privacy information is:

  • concise;
  • transparent;
  • intelligible;
  • clear;
  • in plain language; and
  • communicated in a way that is effective for the target audience.

Risk: If people cannot understand the privacy information they are given, then there is a risk they will be unaware of the processing of their personal information. This may breach Articles 13 and 14 of the UK GDPR.

Ways to meet our expectations:

  • Proactively make people aware of privacy information and ensure they have a free, easy way to access it.
  • Provide privacy information to people in electronic and hard-copy form, using a combination of appropriate techniques, such as a layered approach, icons and mobile and smart device functionalities.
  • Write privacy information in clear and plain language that the intended audience can understand, and offer it in accessible formats if required.
  • Take particular care to write privacy information for children in clear, plain language that is age-appropriate, and explains the risks involved in the processing and what safeguards are in place.

Options to consider:

  • Carry out user testing to evaluate how effective privacy information is.

Have you considered the effectiveness of your accountability measures?

  • Would customers say you proactively made them aware of privacy information?
  • Did you use an appropriate form of communication?
  • Was it easy to understand?

 

Control measure: Processing relating to automated decision-making and profiling is transparent.

Risk: If people are not aware that automated decisions are being made, they will not have the opportunity to question or object to the decisions, or exercise their rights. This may breach Articles 13 and 15 to 22 of the UK GDPR.

Ways to meet our expectations:

  • Implement procedures for people to access the personal information you use to create profiles, so they can review for accuracy and edit it if needed.
  • If the decision is solely automated and has legal or similarly significant effects, tell people about the processing, including what information you are using, why, and what the impact is likely to be.
  • If the purpose is initially unclear, give people an indication of what your organisation is going to do with their information, and proactively update your privacy information as this becomes clearer.
  • If the decision is solely automated and has legal or similarly significant effects, explain the processing in a meaningful way that enables people to exercise their rights, including obtaining human intervention, expressing their point of view and contesting the decision.

Options to consider:

  • Implement procedures to guide staff on how to respond to people challenging the decisions from automated decision making and profiling.

Have you considered the effectiveness of your accountability measures?

  • Would people say that you explained the processing to them in a meaningful way that helped them to exercise their rights?
  • Is it easy for them to access the personal information you used to create profiles?

 

Control measure: Front-line staff are able to explain the necessary privacy information to people and provide guidance.

Risk: If front-line staff are not trained on when and how to provide privacy information to people, there is a risk that the information is not always given consistently, correctly or at all. This may breach Articles 13 and 14 of the UK GDPR.

Ways to meet our expectations:

  • Arrange organisation-wide staff training about privacy information.
  • Ensure front-line staff receive more specialised or specific training.
  • Make staff aware of the various ways in which the organisation provides privacy information.

Options to consider:

  • Check staff are aware of what privacy information to provide and when, using mystery shopping exercises or regular knowledge checks.

Have you considered the effectiveness of your accountability measures?

  • Do your staff have good general knowledge about privacy information and the ways it is provided?
  • Do front-line staff have more detailed knowledge?

 

Control measure: There are procedures in place to review the privacy information provided to people regularly to make sure that it is accurate, up to date and effective.

Risk: If privacy information is inaccurate or out of date, then people have not been properly informed of their rights and how their information is processed.

Ways to meet our expectations:

  • Review privacy information against the records of processing activities, to ensure it remains up to date and that it accurately explains what happens with people's personal information.
  • Maintain a log of historical privacy notices, including the dates you made any changes, in order to allow a review of what privacy information you provided to people and when.
  • Carry out user testing to evaluate the privacy information’s effectiveness.
  • Analyse complaints from the public about how you use their personal information, and in particular, any complaints about how you explain that use.
  • If your organisation plans to use personal information for a new purpose, implement a procedure to update the privacy information and communicate the changes to people before starting any new processing.

Options to consider:

  • Include steps in your DPIA and change management processes to review existing privacy information as part of the procedure.
  • Assign responsibility for reviewing current privacy information to an appropriate role in your organisation.

Have you considered the effectiveness of your accountability measures?

  • Is there an effective review process?
  • Would people say that you provide effective privacy information?

 

Control measure: There is openness about how personal information is used, and tools are available to support transparency and control, especially when processing children's personal information.

Risk: If people are limited in the way they can engage with and understand privacy information, there is a risk they will not fully understand how their information is used or be able to exercise their rights.

Ways to meet our expectations:

  • Ensure privacy policies are clear and easy for members of the public to access.
  • Provide people with tools, such as secure self-service systems, dashboards and just-in-time notices, so they can access, determine and manage how your organisation uses their personal information.
  • Offer strong privacy defaults and user-friendly options and controls.
  • Where relevant, have processes in place to help children exercise their data protection rights in an easily accessible way that they understand.
  • Implement appropriate measures to protect children using digital services.

Options to consider:

  • Provide information in alternative languages.
  • Explain complex matters in basic terms, using everyday language.
  • Use diagrams, cartoons, graphics, video and audio content, and gamified or interactive content that will attract and interest children, rather than relying solely on written communications.
  • Do user testing on your privacy information to confirm it is clear and understandable for children.

Have you considered the effectiveness of your accountability measures?

  • Would the public say that your policies are clear, easy to find and access?
  • Do they feel appropriately supported in accessing, determining and managing how their information is used?
  • Would children say the same?