Privacy Notice

About this privacy notice

This privacy notice explains how the Independent Commission for Aid Impact (ICAI) collects and uses your personal information in accordance with the law and the General Data Protection Regulation (GDPR). As an organisation we work to improve UK aid and through robust, independent, scrutiny of UK government aid spending.

ICAI is a “data controller”, which means that we hold and use personal information about you. It is important that we ensure the security and privacy of this information, in order to comply with legislation and to ensure the rights of individuals.

The Information Commissioner holds a register of data controllers who process personal information. Data controllers are required to notify and renew their registration on an annual basis. Our ICO registration number is ZA125098

Data Protection Principles

Data protection law states that the personal information owe hold about you must be:

  1. Processed lawfully, fairly and in a transparent manner.
  2. Collected for specific purposes which we have explained to you, and will not be used in any other way which is incompatible with those purposes.
  3. Relevant to the purposes we have explained to you and limited to those purposes only.
  4. Accurate and kept up to date.
  5. Held only for as long as is necessary for the purposes that we have explained to you.
  6. Processed or held in a way that ensures security.

The kind of information we hold about you

Personal information (data) is any information from which an individual can be identified.This does not include personal data where the individual’s identity has been removed (also known as anonymous data). “Special categories” of information are particularly sensitive information which requires a greater level of protection.

As an organisation, ICAI collects, uses and stores various kinds of personal information. This may include:

  • Your personal contact details such as name, address, date of birth, telephone number and email address.

How we collect your information

Personal information is collected where:

  • You make a public enquiry or complaint.
  • You have visited pages on our website (Cookies).
  • You subscribe to our newsletter
  • You engage with our work

How we use your personal information

ICAI will only use your personal information where we are legally allowed to do so. We may use your personal data in order to carry out our functions and responsibilities. We will only use your personal information where:

  • We are required to comply with a legal obligation.
  • It is in our legitimate interest to do so.
  • The information is required for us to perform the contract which we have with you.
  • It is required for official purposes, or it may be in the public interest to do so.
  • We are carrying out a function of the Crown, or a Minister of the Crown.

Your personal information my be processed for the following reasons:

  • Maintaining our accounts and records.
  • Consideration and investigation of complaints.
  • Undertaking research.
  • To prevent fraud.
  • Corporate administration.
  • Where you have asked to be kept informed with development, for example, through subscribing to a newsletter.
  • To help us organise events to discuss our work.
  • The support and management of our staff.

ICAI will only use your personal data for the purpose for which it was collected unless we reasonably consider that we need to use it for another purpose and that purpose is compatible with the original purpose. If we need to use your personal information for an unrelated or new purpose, we will notify you and we will explain the lawful basis which allows us to do so.

Automated decision-making

Automated decision-making is when an electronic system uses personal data to make a decision without any human involvement. We are allowed to use automated decision-making for the following purposes:

  • ICAI currently does not use any automated decision-making.

Data sharing

In some circumstances we may be required to share your personal information with third parties. This includes third party service providers and other Civil Service organisations.

Third parties are expected to appropriately safeguard your information, in accordance with legislation. In some circumstances your data may be transferred outside the EU. Should this occur, you can expect similar levels of protection in relation to your personal information.

We may share personal data within our organisation or with other bodies where we are permitted to do so by law. There are some cases where we can pass on your data without telling you – for example, to prevent or detect crime, or in order to produce anonymised statistics. In all cases, whether data is shared internally or externally, we will be governed by data protection law.

A small proportion of our records are transferred to the National Archives, in line with legal obligations for the collection, disposal and preservation of records. The Public Records Act governs the selection, transfer and preservation of records and requires those defined as public records to be openly accessible unless exempt under the Freedom of Information Act.

Data Security

ICAI has appropriate procedures and security measures in place in order to protect your personal information. These measures are taken to ensure that your information is not unlawfully accessed or used, and to prevent loss or damage.

In accordance with data protection legislation and the GDPR, your personal information will only be processed by the necessary employees or third parties, meaning that we limit access to your data to only those necessary to carry out our functions and responsibilities. Only employees, agents or contractors that have a business need to know, will have access to your personal information.

We have procedures in place to deal with any suspected data security breach, which includes the notification of the supervisory authority as well as the affected individual/s, where we are required to do so.

Data retention

We will only hold your personal information for as long as is necessary to fulfil the original purpose for which it was collected. This could include the purpose of satisfying legal, reporting or accounting requirements. Our records are maintained in line with DFID’s retention policy which explains the retention periods for various aspects of your personal information.

When establishing appropriate retention periods for personal information, we consider the following:

  • The amount of personal information.
  • The nature of the information.
  • The sensitivity of the information.
  • Any potential risks of the information being unlawfully accessed or used.
  • Why we process the information, and whether we could achieve our purpose through any other means.
  • Any legal requirements.

On some occasion we may anonymise your personal information, which will mean that you cannot be identified from the information. In such cases, we are not required to notify you further. Records will be retained and securely destroyed in accordance with our retention policy, and laws or regulations.

Access to your personal information

Data Protection Officer

ICAI has appointed a Data Protection Officer to ensure compliance with legislation and this privacy notice. Give our size, this officer works for our sponsoring department, the Department for International Development.

If you have any questions relating to this privacy notice or about how we handle your personal information, please contact ICAI on or DFID’s Data Protection Officer at

Changes to this privacy notice

Please be aware that this privacy notice can be updated at any time.