🆕 The Data (Use and Access) Act 2025 (DUAA) has now received Royal Assent. This new legislation updates key aspects of data protection law, making it easier for UK businesses to protect people’s personal information while growing and innovating their products and services.

Read more about the information we’re publishing to support organisations and the public as these changes are introduced: https://lnkd.in/dPaSAa79

📍 What UK organisations need to know

The changes are intended to help unlock the secure and effective use of data for the public interest – making the law clearer and easier for organisations to understand and apply; reducing regulatory burden and strengthening public trust.

📍 Key changes
• Clarifying how personal information can be used for research;
• Lifting restrictions on some automated decision making;
• Setting out how to use some cookies without consent;
• Allowing charities to send people electronic mail marketing without consent in certain circumstances;
• Requiring organisations to have a data protection complaints procedure; and
• Introducing a new lawful basis of recognised legitimate interests.

The Act provides the ICO with new powers, including the ability to compel witnesses to attend interviews, request technical reports, and issue fines of up to £17.5 million or 4% of global turnover under PECR.

📍 Next steps for organisations

The Government will phase implementation of the new law, commencing different changes using secondary legislation.

What you can do to get ready:
👉 Review the changes that the DUAA makes to data protection law using our detailed summary: https://lnkd.in/dmyN4vEg
👉 If your organisation provides an online service that children are likely to use, you should make sure you are doing enough to satisfy the new explicit requirement to consider their needs. If you already conform to our Children's code you should be on track;
👉 Start thinking about how your organisation can help people make complaints; and
👉 Consider whether your organisation can work differently or streamline processes to take advantage of the opportunity the changes present.

📍 Stay up to date

Over the coming months we will launch new guidance, open consultations, and provide practical tools to help embed the Act’s principles into everyday operations. Get the latest DUAA updates direct to your inbox with our dedicated newsletter: https://lnkd.in/epZhDzXb
Information Commissioner's Office
Law Enforcement
The Information Commissioner's Office (ICO) exists to empower you through information. www.ico.org.uk
About us
The ICO is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. We rule on eligible complaints, give guidance to individuals and organisations, and take appropriate action when the law is broken.
- Website: http://www.ico.org.uk
- Industry: Law Enforcement
- Company size: 201-500 employees
- Headquarters: Wilmslow, Cheshire
- Type: Nonprofit
- Founded: 1984
- Specialties: Data Protection Act, Freedom of Information Act, Privacy and Electronic Communications Regulations, and Environmental Information Regulations
Locations
- Primary: Wilmslow, Cheshire, GB
Updates
-
What tools or guidance products would make international transfers easier, quicker, or less complicated for your organisation? We want to understand how we can make our International Transfers guidance as clear, practical, and accessible as possible. So we’d like to hear what you think about our current guidance. Your views will help us to make changes that meet your needs and create practical tools to help you and your business. But be quick, this is the last week of the consultation. Get your thoughts to us by 7 August 2025. https://lnkd.in/etaSEWyX
-
We welcome the decision by The Insolvency Service to disqualify Mohammed Liaqat and Rubani Ghulam as directors of Posh Windows UK Ltd. Nobody should be made to feel uncomfortable or distressed after simply answering the phone, and our investigation found that this company showed complete disregard for both the law and the thousands of people they were aggressively pestering. Our Financial Investigation Unit works closely with the Insolvency Service to bring companies and directors to account. By disrupting the non-compliant activities of directors such as Mohammed Liaqat and Rubani Ghulam, we can help ensure they can’t easily resurface under a different name and continue to cause further harm to people. https://lnkd.in/ghWjk7Kd
Mohammed Liaqat, 37, and Rubani Ghulam, 55, were directors of Posh Windows UK Ltd, which specialised in a range of products including windows, doors and conservatories. However, the company made 461,062 unsolicited marketing calls in a nine-month period between August 2020 and April 2021. The calls were to people who had registered with the Telephone Preference Service (TPS), a statutory register of people who have said they do not want to receive marketing calls. Posh Windows UK Ltd was fined £150,000 by the Information Commissioner's Office in 2022 but went into liquidation in the same year. Find out more 👉 https://lnkd.in/ghWjk7Kd
-
NEW: Guidance to help organisations disclose documents to the public.

From public authorities handling Freedom of Information requests to organisations responding to Subject Access Requests, many need to regularly disclose documents containing large amounts of information to the public. Personal information can be hidden or not immediately visible in documents. If they are not checked properly, it may be disclosed by accident – sometimes with serious consequences.

Our new guidance includes practical steps and how-to videos to help organisations understand how to check documents, including:
• Deciding an appropriate format for disclosure to the public
• Finding various types of hidden personal information including hidden rows, columns and worksheets, metadata and active filters
• Converting documents to simpler formats to reveal hidden data
• Avoiding using ineffective techniques to keep information secure
• Using software tools designed to help identify hidden personal information (such as Microsoft Document Inspector)
• Reviewing the circumstances of a breach to prevent a recurrence
• Removing and redacting personal information effectively

The new guidance replaces our advisory note issued in the immediate aftermath of high-profile data breaches in 2023.

Read the guidance: https://brnw.ch/21wUyJO
-
NEW: We’ve launched new guidance to help organisations that use profiling tools for online safety.

Profiling tools can be effective in detecting illegal and harmful behaviour. But they can also be highly intrusive, due to the wide range of personal information they use and generate.

Our new guidance helps organisations to understand the data protection and privacy considerations to take into account when deploying profiling tools for online safety purposes, including where organisations are considering these tools to meet their obligations under the Online Safety Act 2023.

This is the second in a series of resources announced in our 2022 joint statement with Ofcom. We remain committed to supporting the development of new online safety technologies while ensuring regulatory alignment. https://lnkd.in/ewxgMudV

❓What does the guidance include?
➡️ It provides clarity for online service providers and organisations on how data protection law and the Privacy and Electronic Communications Regulations (PECR) apply to profiling tools that are used for online safety purposes.
➡️ It provides information for services who are using, or considering using, profiling tools to meet their obligations under the Online Safety Act 2023 (OSA).

Read the guidance and contribute to the conversation through our feedback survey: https://lnkd.in/ewrr-NJJ
-
👉 Public awareness of data protection rights is up to 76%
👉 71% knew they could ask a company or organisation to delete their personal information
👉 83% knew they could opt out of electronic marketing
👉 76% knew they could submit a subject access request

We spoke to over 8,500 people to find out about people’s understanding and opinions of privacy and information rights. It’s a complicated picture, but it’s clear that most people have had at least some exposure to data protection.

Read the report in full: https://lnkd.in/eNqJPCz8

Would your company or organisation know how to respond to these requests for personal information from your customers, suppliers or employees? We have lots of data protection guidance online for small and medium sized organisations: https://lnkd.in/ebsneCiw
-
NEW: We have fined a Scottish charity £18,000 following destruction of irreplaceable personal records.

Birthlink destroyed approximately 4,800 personal records, up to ten percent of which may be irreplaceable. We found the charity had limited knowledge of data protection obligations and lacked cost-effective and easy-to-implement policies, which would likely have prevented the destruction.

Sally Anne Poole, ICO Head of Investigations, said:

“This case highlights - perhaps more than most - that data protection is about people and how a data breach can have far-reaching ripple effects that continue to affect people’s lives long after it occurs.

“The destroyed records had the potential to be an unknown memory, an identity, a sense of belonging, answers – all deeply personal pieces in the jigsaw of a person’s history - some now lost for eternity.

“It's inconceivable to think, due to the very nature of its work, that Birthlink had such a poor understanding of both its data protection responsibilities and records management process. However, we welcome the improvements the charity has subsequently put in place, not least by appointing a DPO to monitor compliance and raise awareness of data protection throughout the organisation.”

Due to the serious nature of the breach, we concluded a fine was appropriate and after considering representations from the charity reduced the amount from £45,000 to £18,000.

Since the breach occurred the charity has implemented improvements including digitally recording and storing all physical records, appointing a Data Protection Officer and starting staff training.

Anyone who feels they may have been impacted by this incident should contact Birthlink, as the charity will be able to provide further information and access to support services.

❓What happened?

In early 2021, Birthlink considered destroying ‘Linked Records’ to make space in the charity’s filing cabinets. Linked Records are files often containing sensitive items like letters from birth parents, photos, and birth certificates. After a Board meeting in February, it was agreed that only replaceable records should be destroyed, and retention periods should apply. However, due to poor record keeping, some irreplaceable records were mistakenly destroyed in April and May 2021.

The issue came to light in August 2023 during a Care Inspectorate inspection. Birthlink reported the breach to the ICO. Our investigation found the charity lacked proper data protection policies and staff training. In addition, poor record keeping meant Birthlink were unable to identify people affected by the breach.

Read the full details of the case and our advice: https://lnkd.in/e_qjjVW5

Read our advice on records management and deleting data: https://lnkd.in/emmbwc66
-
In policing, 54% of adults have some concerns that facial recognition technology would impact civil liberties and infringe on people’s right to privacy.

A lack of transparency about how organisations use personal information risks undermining public trust in AI and biometric technologies. Without that trust, people are less likely to support or engage with AI-powered services. This creates a barrier to responsible adoption across the UK economy.

Our new AI and biometrics strategy sets out how we will:
• set clear expectations for responsible AI through a statutory code of practice for organisations developing or deploying AI and automated decision-making, to enable innovation while safeguarding privacy;
• secure public confidence in generative AI foundation models by working with developers to ensure they use people’s information responsibly and lawfully in training these models;
• ensure that automated decision-making (ADM) systems are governed and used in a way that is fair to people, focusing on how they are used in recruitment and in public services; and
• ensure the fair and proportionate use of facial recognition technology (FRT), working with law enforcement to ensure that the technology is effective and people’s rights are protected.

Read the full strategy: https://lnkd.in/edZpGM64
-
It's time to head off for a well-earned summer break, but when it comes to information governance, some responsibilities don’t take time off!

Whether you're out of office for a few days or a few weeks, here are some things to consider while you're away:

📬 Make sure someone is covering FOI and data protection requests. Just because you're away doesn’t mean deadlines pause. Ensure your team knows who’s responsible for handling requests in your absence.

📋 Look at your incident response rota. If key contacts are away, update your rota so there’s always someone ready to respond to a breach or urgent issue.

🚨 Report breaches promptly — even from abroad. Make sure staff know what to do and who to contact if something goes wrong while you’re away. The 72 hour reporting window doesn't change if you're on holiday!
-
🚨 We’re hiring! 🚨

Fancy playing a leading role at the heart of data protection and digital rights? We are looking for a Director of Business Services.

You will provide strategic leadership to the teams delivering legal compliance advice, guidance and tools, and empower businesses of all shapes and sizes to use data, compliantly, in their everyday operations and for growth. We're looking for a motivated and experienced customer service leader for our Business Services directorate.

📍 Flexible across our UK offices (Wilmslow, London, Belfast, Cardiff, Edinburgh)
💼 Permanent role
🔗 Apply here: https://lnkd.in/e3g7EMYH

Share this post with someone who you think would be perfect for this role!