Are you looking to develop innovative products or services in a secure environment? Would you like advice and support with your innovative projects? Our Sandbox does just that! From helping the development of an online platform to improve how students can access and manage their results, to reducing the impact of financial crime on the UK economy and public through better prevention and detection, we’re proud of the projects we’ve supported through our Sandbox. We’ve helped organisations of varying sizes work through data protection challenges to bring innovative products and services to market to the benefit of the whole economy. If your organisation is working on a product or service that looks to use personal information in an innovative way, or uses emerging technologies, share your expression of interest with our team before the deadline on 31 May: https://lnkd.in/e-jYXd9E
Information Commissioner's Office
Law Enforcement
The Information Commissioner's Office (ICO) exists to empower you through information. www.ico.org.uk
About us
The ICO is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. We rule on eligible complaints, give guidance to individuals and organisations, and take appropriate action when the law is broken.
- Website: http://www.ico.org.uk
- Industry: Law Enforcement
- Company size: 201-500 employees
- Headquarters: Wilmslow, Cheshire
- Type: Government Agency
- Founded: 1984
- Specialties: Data Protection Act, Freedom of Information Act, Privacy and Electronic Communications Regulations, and Environmental Information Regulations
Locations
- Primary: Wilmslow, Cheshire, GB
Updates
-
NEW: Our online tracking strategy set out a clear vision for people to be given meaningful control over how they are tracked online, and to provide businesses with certainty to innovate responsibly. We’ve now published an update on how we are delivering on this, and our key achievements stemming from the strategy: https://lnkd.in/eVcjwANA We know that organisations want clear, practical guidance they can rely on, so we’ve also published our finalised guidance on storage and access technologies. This final guidance reflects your feedback, and has been updated following the two consultations we ran during 2025, one of which focussed on the changes introduced by the Data (Use and Access) Act. The guidance includes new examples and points of clarification to help organisations comply with the law. It reflects the law as it currently stands, and sits separately from our ongoing work to review regulation 6 of Privacy and Electronic Communications Regulation (PECR) for online advertising purposes, on which further updates will follow in the coming weeks. Read the guidance in full on our website: https://lnkd.in/dH98uWSA
-
We're proud to be part of the Digital Regulation Cooperation Forum (DRCF) and welcome the continued focus on supporting innovation, regulatory collaboration and protecting people online. It's great to see the DRCF's workplan for 2026/2027 alongside their latest annual report. We look forward to working closely with our partners to help deliver on these shared priorities.
The DRCF has published its Annual Report for 2025/26 and Workplan for 2026/27. The Annual Report shows how the DRCF has shaped conversations around digital regulation in the UK and internationally through engagement with regulators, industry, civil society and Government. Highlights include: ➡️ Supporting 25+ cross-regulatory projects ➡️ Publishing four cutting edge research publications ➡️ Launching the Thematic Innovation Hub, with 190+ attendees across our Agentic AI webinars and industry roundtables ➡️ Delivering the Responsible Gen AI Forum with over 200 attendees - key speakers including Kenneth Cukier, Tom Collins MP, Dame Melanie Dawes and Gina Neff ➡️ Developed a prototype Digital Regulatory Library - a single digital location that brings together regulatory materials from all four member regulators Looking ahead, the 2026/27 Workplan focuses on a coherent, pro-innovation and pro-consumer approach to digital regulation, with a continued focus on areas where we have the most impact as well as new initiatives, including: ➡️ New research into consumer views on AI, including risks and regulatory measures for managing them, alongside signalling, developing, and commissioning research via our new DRCF Research Lab (e.g. on potential risks to children from AI-embedded toys and games). ➡️ Increased industry engagement through the Thematic Innovation Hub, focusing on the theme of 'Authentication and Trust' and on our Horizon Scanning and Emerging Technologies work (this year on the future of robotics, and the consumer experience of emerging technologies). ➡️ Further Regulatory knowledge sharing with forums on Digital ID and Cybersecurity to help prepare member regulators for the implementation of the Cyber Security and Resilience Bill. Click the links to read the 2025/26 Annual Report and the 2026/27 Workplan. 🔗https://bit.ly/4cQa2OQ 🔗https://bit.ly/41UQfsv
-
🆕 Charities now have more flexibility on how they contact their supporters under data law change. Under the recent Data (Use and Access) Act, charities can email, text and direct message supporters on social media without prior consent under a new “soft opt‑in” as long as strict requirements are met. This change is expected to unlock new fundraising and supporter engagement opportunities. Following public consultation, we have published our updated guidance on marketing using electronic mail. It sets out how charities can use the new provision which is now in force: https://lnkd.in/ePuticvn 👉 What’s changed? Charities can send direct marketing by electronic mail, including emails, texts and direct messages on social media, to people who have expressed an interest in, or offered to support, an organisation’s charitable purpose, without needing to obtain consent first, providing strict requirements have been met. We have worked closely with the Fundraising Regulator and will continue to work with the industry to help charities understand and apply the new rules. Emily Keaney, Deputy Commissioner, Regulatory Policy at the Information Commissioner’s Office, said: “Our guidance is designed to help organisations use the charitable purposes soft opt‑in with confidence, while making sure people’s rights remain protected. Used correctly, this provision can benefit both charities and the individuals who choose to support them.”
-
Did we answer your question? Over 800 people attended our recent webinar on International Data Transfers. There were lots of questions submitted beforehand, and many more in the chat that we couldn't get around to addressing on the day. We've answered some of the questions raised below and we hope to get through some more soon. A reminder that the webinar is available to watch on demand: https://lnkd.in/eJf6zZwY ❓ What is the ICO definition of 'outside the UK'? We define the UK as the United Kingdom of Great Britain (England, Scotland and Wales) and Northern Ireland. This means organisations located in British Overseas Territories (eg Bermuda and Gibraltar), the Isle of Man and the Channel Islands are outside the UK. Check out our International Transfers Glossary for a list of frequently used terms or phrases used in our transfers guidance and their definitions: https://lnkd.in/edeC3M8k ❓ What does the ICO mean by 'based'? We explain in our guidance that when we talk about transferring personal information outside the UK, we’re talking about where the receiving organisation is based. This means where that organisation is established, not the actual geographical location of the information itself. For a company or registered partnership, the relevant place of establishment is the country in which it is registered. For sole traders or unregistered partnerships, the relevant country is usually the organisation's main place of business. This is likely to be set out in your contract with that organisation. ❓ What if a UK firm outsources some of its operations to a shareholder or partner in another country that doesn't have adequacy? You'll need to apply our three-step test to establish whether you’re making a restricted transfer. If the recipient is a separate legal entity, you'll need to make sure (in the absence of UK adequacy regulations) you put in place appropriate safeguards or rely on an exception. 
Remember that another company within the same corporate group is still a separate legal entity. You can access all our guidance and resources: https://lnkd.in/eTPcst3M
-
Collaborate! Collaborate! Collaborate! The challenge from our Executive Director of Regulatory Risk and Innovation, William Malcolm, at last week's Privacy Symposium to make sure we can scale trust and build responsible #AI.
It was fantastic spending time with colleagues from across the privacy profession at the Privacy Symposium this week. Such a brilliant community to debate and reflect on the critical data protection, privacy and security issues facing us in 2026. Here are my key reflections and takeaways: ⌛ The time is now: As AI adoption and use gathers pace we have an important window to shape the privacy features, controls and safeguards that will define how people engage with AI and whether they trust it. As AI models and applications increase the potential for data collection and use, privacy and human control has never been so critical. But traditional notice, choice and consent frameworks are under stress from new agentic systems and agent to agent communication. We need new product innovation and fresh thinking to meet the moment. 🔍 The search for standards: While regulatory convergence seems more distant as laws proliferate, the need for interoperability has never been more critical. It’s vital that we focus on governance and technical standards that create a common language and architecture that crosses boundaries. 🤝 Collaboration, collaboration, collaboration: From collaborating across issue areas like privacy, content and competition through leading national organisations like the UK's Digital Regulation Cooperation Forum (DRCF), to collaborating internationally, to regulators working with industry and other stakeholders through tools like sandboxes, if we want to scale results at the pace of markets and technology we have to work together. 🧑🧑🧒🧒 A focus on vulnerable groups: From children engaging with chatbots to the use of assistive emerging tech for those with disabilities, we need to ensure a continued focus on anticipating and managing harms.
🛟 Safety first: From data captured from devices on our vehicles to our online chat history, there’s never been more potential to use data to protect people from harm and enhance public safety, but we need open debates and transparency about the trade-offs and choices being made and the protections being put in place to ensure privacy. 🔒 Cyber vulnerabilities: AI increases the attack surface for fraud, scams, hacking and abuse. Organisations need to double-down on security investments, training and anticipating emerging risks. Thanks to my co-panellists across two illuminating conversations: Jane Horvath, Emma Redmond, Matthias Schmidl, Oreste Pollicino, Theodore Christakis, Peter Swire, Yann Padova and Idriss Kechida, and to the Centre for Information Policy Leadership (CIPL) and Future of Privacy Forum for convening such stimulating side conversations. Cannot wait until next year! Information Commissioner's Office
-
If you’re working with freedom of information, you’ll know how much the FOI landscape is changing and how challenging it can be. mySociety have an online session that will bring together practitioners, regulators and others involved in FOI to share experiences, discuss pressures such as increasing request volumes and emerging trends, and explore how collaboration could strengthen FOI practice. Find out more, including how to register: https://luma.com/6pu7l2yj
-
It’s Bowel Cancer Awareness Month and we’re proud of how our staff have been supporting our corporate charity Bowel Cancer UK. Colleagues have been sharing their personal reflections to raise awareness of the disease and explain why this partnership is so important. Laura Goose, Team Manager, shared: “It’s important to raise awareness and talk about our health issues. I genuinely believe that if friends and family had not encouraged me to continue to push for answers, I would be sat here today with the same symptoms and not knowing I had bowel cancer. “I was off work recovering from surgery when I found out Bowel Cancer UK was picked as our chosen charity. I knew that I would want to be involved in supporting the charity and raising awareness of the symptoms.” Last year we asked staff to nominate and vote for our corporate charity and, in October 2025, our staff voted to partner with Bowel Cancer UK. Since then, colleagues from across our organisation have been coming together to make a real difference. From a 12 mile walk for International Men’s Day 2025, to a fundraiser last month where colleagues crafted and sold knitted spring animals, our colleagues have raised over £1,700 for this important cause so far! We’re proud to stand with Bowel Cancer UK and continue to be a workplace where employees feel supported, connected and empowered to make a difference to causes that matter.
-
Your organisation is recruiting and you’re expecting hundreds of applications. You might want to use automated decision-making (ADM) processes to shortlist candidates and think that the contract lawful basis applies. But be careful which lawful basis you use, as this impacts the rights the applicants have. In this case the contract basis only applies to the specific person you're entering into a contract with. At the shortlisting stage, you don't yet know who that is. And you know with certainty that you won't be entering into a contract with most of the applicants. Consent is also difficult here. The power imbalance between employer and applicant makes it hard to argue consent is freely given. So you could look at legitimate interests instead. By carrying out a legitimate interests assessment you can work through whether the purpose is legitimate, whether ADM is necessary to achieve it, and how the impact on applicants' rights can be mitigated. With any use of ADM you need to: • be transparent about its use; • be ready to handle requests to understand the decision; and • guard against bias in the system. Our new draft guidance sets out the full list of factors to consider when selecting the right lawful basis for your organisation’s use of ADM: https://lnkd.in/e9Wvkq2w Our consultation is still open for your views. Make sure to submit your response by 29 May 2026 when the consultation closes: https://lnkd.in/esydWbXW
-
We have formally accredited SSAIB as the UK’s first ever code of conduct monitoring body, responsible for monitoring member compliance with the ABI’s UK GDPR code of conduct for investigative and litigation support services. This code, which investigators in the private sector can sign up to, will provide certainty and reassurance to those using their services - ensuring investigators are compliant with the UK GDPR requirements. This will help investigators to navigate the challenges between conducting investigations whilst respecting people’s privacy rights. Associations and other bodies may create codes of conduct that identify data protection issues that are important to their members. They are a good way of developing specific guidelines to help their members to comply with data protection law and provide assurance that the code and its monitoring are appropriate. If you’re interested in exploring a code for your sector or profession, visit our website: https://lnkd.in/eQYfpUj2
🚨SSAIB has reached a significant milestone, becoming the first organisation to be accredited by the ICO as a Monitoring Body under Article 41 of UK GDPR. This landmark achievement places SSAIB at the forefront of data protection and compliance, enabling us to independently oversee adherence to the ABI UK GDPR Code of Conduct for Investigative & Litigation Support Services. It reinforces our commitment to raising standards across the sector, supporting organisations in demonstrating accountability, professionalism, and trust in how they handle sensitive data. As the first to achieve this status, SSAIB is helping to shape the future of independent oversight - ensuring organisations within investigative and litigation support services meet the highest expectations for data protection and governance, while providing confidence to clients, partners, and the wider public. Applications will open from May 2026 as we begin this exciting new chapter, working with organisations ready to demonstrate their commitment to best practice. Read the full article via the link below 👇 https://ow.ly/wlVt50YKOHB #DataProtection #UKGDPR #Compliance #Certification #Competence #SSAIB #Governance #Achievement #GDPR #Accreditation #Security #SecurityIndustry #FireSafety Information Commissioner's Office The Association of British Investigators