Skip to content

Your data rights

The Right to Be Informed: What a Privacy Notice Owes You

The quiet right behind every privacy notice, explained as a concept: what an organisation must tell you when it collects your data, what a good privacy notice should actually contain, and where to look when it does not, anchored to the ICO's guidance.

In short

The right to be informed is your UK GDPR right (Articles 13 and 14) to be told, clearly and upfront, what an organisation is doing with your personal data and why. It is usually met through a privacy notice. Unlike most rights, you do not have to ask: the organisation must tell you on its own initiative.

What the right to be informed actually is

The right to be informed is one of the individual rights the UK GDPR gives everyone, set out in Articles 13 and 14. It is the right to be told what an organisation is doing with your personal data, expressed plainly and provided upfront. In most cases this duty is met through a privacy notice, sometimes called a privacy policy or fair-processing notice, which the Information Commissioner's Office (ICO), the UK's data-protection regulator, treats as the standard way to deliver this information.

What sets this right apart from the others is that you do not have to ask for it. With the right of access you send a request and wait for a reply; the right to be informed works the other way round. The organisation has to give you the information on its own initiative, at the moment it collects your data or shortly after, whether or not you ever raise the question. Transparency is something it owes you by default, not a favour granted on request.

The right belongs to you as an individual and concerns your own personal data. It underpins almost everything else in data-protection law: it is hard to exercise a right of access, correction, or erasure over something you were never told was being collected in the first place. This is general information, not legal advice.

What a privacy notice should actually tell you

A privacy notice is meant to be more than legal decoration. The ICO sets out a defined list of points an organisation should cover, so you can read a notice against that list rather than guessing whether it is complete. The exact details differ slightly depending on whether the data came directly from you or was obtained from somewhere else, but the core is the same: who is using your data, for what, on what basis, and what you can do about it.

The information should be concise, transparent, and written in clear, plain language, free of charge and easy to find. A wall of impenetrable terms does not satisfy the spirit of the right. Broadly, a privacy notice should tell you:

  • Who the organisation is, and how to contact it (and its data protection officer, where there is one).
  • The purposes it is using your personal data for, and the lawful basis it relies on.
  • The categories of personal data involved, where the data was not collected directly from you.
  • Who your data may be shared with, such as the recipients or categories of recipient.
  • Whether your data will be transferred outside the UK, and how it is protected if so.
  • How long the data will be kept, or how that period is decided.
  • Your rights, including access, correction, erasure, and the right to complain to the regulator.
  • The source of the data, where the organisation did not collect it directly from you.

When you should be told, and what to do if you are not

Timing is part of the right. Where an organisation collects data directly from you, it should give you this information at the point of collection, not buried somewhere you would only find later. Where it obtained your data from another source, it should normally tell you within a reasonable period and at the latest within one month, or sooner if it contacts you or shares the data before then. There are narrow exceptions, for instance where telling you would be impossible or involve disproportionate effort, but these are limited rather than a general escape route.

Because the right is about transparency rather than a promised result, it does not guarantee that you will agree with what you read, only that you should be able to find out. A privacy notice is usually the first place to look: on a website it is commonly linked in the footer, and in apps or forms it often sits near where you enter your details. Reading it is one of the simplest ways to understand your own digital footprint, since it shows what an organisation intends to do before you decide whether to share anything.

If you cannot find a privacy notice, or one is so vague that you genuinely cannot tell what is being done with your data, you can ask the organisation directly, and you retain the right to complain to the Information Commissioner's Office (ICO). Seeing what an organisation says it does is often the starting point for the next decision, whether to ask for access, to question a use of your data, or to request erasure. You stay in control of each of those choices. This is general information, not legal advice.

Frequently asked questions

Is the right to be informed the same as a privacy notice?

They are closely linked but not identical. The right to be informed is the entitlement the UK GDPR gives you under Articles 13 and 14. A privacy notice is the usual way an organisation meets that duty, the document that delivers the information. So the right is the principle, and the privacy notice is the mechanism. The ICO treats a clear, accessible privacy notice as the standard way of satisfying this right.

Do I have to ask to be informed?

No, and that is what makes this right unusual. Most rights, such as the right of access, are exercised by sending a request. The right to be informed works the other way: the organisation must give you the information on its own initiative, at the point it collects your data or shortly after, whether or not you ever ask. Transparency is owed to you by default.

When should a privacy notice be provided?

Where an organisation collects data directly from you, it should give you the information at the point of collection. Where it obtained your data from another source, the ICO's guidance says it should normally tell you within a reasonable period and at the latest within one month, or sooner if it contacts you or shares the data first. Limited exceptions apply.

What can I do if a privacy notice is missing or unclear?

You can ask the organisation directly to explain what it is doing with your personal data, and you have the right to complain to the data-protection regulator if a notice is missing, inaccessible, or so vague that you genuinely cannot understand it. This is general information, not legal advice.

Related terms

This is general information, not legal advice. For guidance on your own situation, consider speaking with a qualified professional.

Reviewed by OSINTA's founding lawyer — 2026-06-27.

Ready to put the right into practice?

OSINTA helps you see your own digital footprint and frame and route your own rights requests — you decide every step. It does not delete data for you and cannot promise any outcome.

See the DSAR guideJoin the waitlist