Skip to main content

Alpha This guidance is in development. You can find current content and publishing guidance on GOV.UK.

Skip past section navigation
Corporate information pages

Personal information charter

Use a personal information charter to explain:

  • the principles used when collecting, holding and processing service users’ personal information
  • how service users can help keep their details up to date
  • the organisation’s data protection policy
  • where people should send subject access requests

Contact your organisation’s data protection officer if you’re not sure which parts of the page you should include.

If you create a personal information charter, a link to it will appear automatically in the ‘Corporate information’ section on your organisation and ‘About us’ pages.

Make sure your content follows the Government Digital Service (GDS) style guide and tone of voice guidance.

What to include

For the summary, adapt this text:

Note:

This charter sets out what you can expect from us when we ask for, or hold, your personal information. It also covers what we ask from you to help us keep your information up to date.

Include a section called ‘Your privacy’, ‘Your rights’ or similar. Use it to explain:

  • the principles the organisation follows when handling service users’ personal data
  • what you ask service users to do to help you keep their personal information accurate and up to date

Use bullet points where possible.

Optional information

You can choose to include your data protection policy. Either:

  • summarise on the page how the organisation meets its obligations under the Data Protection Act 1998
  • attach the policy itself, if it’s a long document

You can also include information about subject access requests. This tells users how to find out what personal information the organisation holds about them. Use the phrase ‘subject access’ for search purposes and explain:

  • how to make a subject access request under the Data Protection Act 1998
  • any fees that may be charged
  • the time limit for responding to subject access requests, and what the organisation will do if it looks like it will take longer

You should also:

  • attach the organisation’s subject access request form or standard letter (if it has one)
  • link to the organisation’s entry in the register of data controllers for people who want to find out more about how the organisation handles personal data

View a good example of a ‘Personal information charter’ page.