How we use your information
This privacy notice tells you what to expect when the Information Commissioner’s Office collects personal information. It applies to information we collect about:
- visitors to our websites
- complainants and other individuals in relation to a data protection or freedom of information complaint or enquiry
- people who use our services, eg who subscribe to our newsletter or request a publication from us
- people who notify under the Data Protection Act
- job applicants and our current and former employees
Visitors to our websites
When someone visits www.ico.gov.uk we collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. We collect this information in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting either of our websites (www.ico.gov.uk or www.ico.jobs). We will not associate any data gathered from this site with any personally identifying information from any source. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.
One of the cookies we use is essential for parts of the site to operate and has already been set (see ‘Essential site cookie’ below). A second cookie (see ‘Content Management System cookie’ below) is set on a small number of users’ machines, depending on the browser they use, when they arrive at the ICO site. We do not use this cookie for any purpose and are working with the suppliers of our Content Management System to remove it or find another solution. You may delete and block all cookies from this site, but parts of the site will not work.
|Essential site cookie (for online notification form)
|This cookie is essential for the online notification form – the form that data controllers can use to notify with the ICO – to operate and is set upon your arrival to the ICO site. This cookie is deleted when you close your browser.
Visit the Microsoft website
|Online notification form cookie
|This cookie is used to enhance security on our online notification form – the form that data controllers can use to notify with the ICO. It is set for users of the online notification form only. This cookie is deleted when you close your browser.
Visit the Microsoft website
|Content Management System cookie
This cookie is set by our Content Management System on a small number of browsers, upon arrival to the ICO site. It is not used by the ICO for any purpose. This cookie is deleted when a user closes their browser.
We have recently become aware of this cookie. We are working with the supplier of our content management system to remove it or, if it can’t be removed, to find another solution.
These cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where vistors have come to the site from and the pages they visited.
Click here for an overview of privacy at Google
|ICO site cookie acceptance
|Annual report webcast cookie, hosted by Workcast
|This cookie is used to record that users have viewed the webcast. It collects information in an anonymous form. This cookie expires when you close your browser.
|Annual report webcast - attendee cookie
||Some webcasts would use this cookie to record a user’s activity during a webcast, for example if they had asked a question, and would use the cookie to show the user their question and other activity on subsequent visits. This functionality is not available on this webcast. This cookie will record an anonymous ID for each user, but it will not use the information for any purpose. The cookie will last for three months.
|Annual report webcast - authentication cookie
Some webcasts require users to fill in a form to view them; some presentations also require a user to view a number of different webcasts. In those cases, this cookie is used to allow users to view different webcasts without needing to fill in a form again. This functionality is not turned on for this webcast. This cookie will record an anonymous ID for each user, but it will not use the information for any purpose. The cookie will last for 30 days.
Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org.
To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout.
We embed videos from our official YouTube channel using YouTube’s privacy-enhanced mode. This mode may set cookies on your computer once you click on the YouTube video player, but YouTube will not store personally-identifiable cookie information for playbacks of embedded videos using the privacy-enhanced mode. To find out more please visit YouTube’s embedding videos information page.
The search engine on our website is designed to be as powerful and easy to use as the popular search engine Google. The search is made possible by a piece of hardware (a search ‘appliance’) supplied by Google that is plugged into our server and continuously indexes the content on our site. All search requests are handled by the appliance and the information is not passed on to any third party, including Google.
People who call our helpline
When you call the ICO's helpline we collect Calling Line Identification (CLI) information. We use this information to help improve its efficiency and effectiveness.
People who make a complaint to us
When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.
We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We do compile and publish statistics showing information like the number of complaints we receive, but not in a form which identifies anyone.
We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for four years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
Similarly, where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.
When we take enforcement action against someone, we may publish the identity of the defendant in our Annual Report or elsewhere. Usually we do not, identify any complainants unless the details have already been made public.
People who use ICO services
The ICO offers various services to the public. For example, we send out publications and distribute an electronic newsletter. We use a third party to deal with some publication requests, but they are only allowed to use the information to send out the publications.
We have to hold the details of the people who have requested the service in order to provide it. However, we only use these details to provide the service the person has requested and for other closely related purposes. For example, we might use information about people who have requested a publication to carry out a survey to find out if they are happy with the level of service they received. When people do subscribe to our services, they can cancel their subscription at any time and are given an easy way of doing this.
People who ‘notify’ under the Data Protection Act 1998
Many businesses are required by law to ‘notify’ certain specified information to the Information Commissioner. This may contain personal information, for example where the business is a sole trader. The ICO compiles this information into a register which it is required by law to make publicly available. The ICO puts technical measures in place to prevent the bulk down-load of the electronic version of the register. However, as the register is publicly available, the ICO cannot give any guarantees as to how the information contained on the register will be used by those accessing it.
When businesses fill in their notification forms, they are asked to provide the contact details of a relevant member of staff. ICO will use this for its own purposes, for example where we have a query about a notification, but will not put it on the public register.
When we request information as part of the notification process, we make it clear where the provision of information is required by law and where it is voluntary.
Job applicants, current and former ICO employees
When individuals apply to work at ICO, we will only use the information they supply to us to process their application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example where we want to take up a reference or obtain a ‘disclosure’ from the Criminal Records Bureau we will not do so without informing them beforehand unless the disclosure is required by law.
Personal information about unsuccessful candidates will be held for 12 months after the recruitment exercise has been completed, it will then be destroyed or deleted. We retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.
Once a person has taken up employment with the ICO, we will compile a file relating to their employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to that person’s employment. Once their employment with ICO has ended, we will retain the file in accordance with the requirements of our retention schedule and then delete it.
Complaints or queries
ICO tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of ICO’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.
Access to personal information
ICO tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998. If we do hold information about you we will:
- give you a description of it;
- tell you why we are holding it;
- tell you who it could be disclosed to; and
- let you have a copy of the information in an intelligible form.
To make a request to the ICO for any personal information we may hold you need to put the request in writing addressing it to our Internal Compliance Team, or writing to the address provided below.
If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.
If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting the Internal Compliance Team.
Disclosure of personal information
In many circumstances we will not disclose personal data without consent. However when we investigate a complaint, for example, we will need to share personal information with the organisation concerned and with other relevant bodies. Further information is available in our Information Charter about the factors we shall consider when deciding whether information should be disclosed.
You can also get further information on:
- agreements we have with other organisations for sharing information;
- circumstances where we can pass on personal data without consent for example, to prevent and detect crime and to produce anonymised statistics;
- our instructions to staff on how to collect, use and delete personal data; and
- how we check that the information we hold is accurate and up to date.
Links to other websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit. Please read the ICO's reciprocal linking policy for more information.
Changes to this privacy notice
We keep our privacy notice under regular review. This privacy notice was last updated on 28 September 2011.
How to contact us
Internal Compliance Department
Information Commissioner's Office
Read more in our guide to information