Data Protection Toolkit - Write a Privacy Notice

14 May 2018 Bob Harper    Last updated: 10 Sep 2018

Privacy notices help the people whose personal data you process understand what you do with their information and why. The GDPR specifies what must be included and how they should be written.

Attachments:
Privacy Notice Checklist (19.23 KB)
Privacy Notice Template (41.74 KB)

The concern for transparency and the individual's right to be informed means that you need to communicate your processing activities to your data subjects.

The first data protection principle states that people's data should be:

"processed lawfully, fairly and in a transparent manner"
First Data Protection Principle

People also have the right to be informed of certain specific things about your processing where their data is concerned.

A privacy notice is the most common way to achieve the aims of fairness and transparency. It is not the only option, and in some cases you might choose to inform people in another way, such as giving a short notice about a specific piece of information collected from a person.

This checklist makes sure that your privacy notice covers all the information you are required to include.

How do we write a privacy notice?

Your approach will depend on who your data subjects are, as well as how you collect information.

The purpose of a privacy notice is to provide transparent information about how you use personal data. If people don't feel like they've been properly informed, you could be breaching their rights.

The Regulation states that the information must be provided in a:

"concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child"
GDPR Article 12(1)

So a privacy notice should definitely not be written like a legal agreement. It should be written in a way that your intended audience is able to understand.

If your data subjects are children, then you would use very simple language. If you obtain consent from a parent on behalf of a child, you can provide two privacy notices: one for the parent and one for the child.

If the lawfulness of your processing is based on legitimate interests, you should state what those interests are. You should have undertaken a Legitimate Interests Assessment in pursuit of this, so include a short description of the interest you identified as part of doing that.

When you are writing your privacy notice, think about what someone should be told so that you are processing their data fairly. Think "what would I want to be told if it was my data being processed?"

Can we just copy someone else's privacy notice?

In most cases this isn't a good idea. Your privacy notice must be suited to how your organisation uses personal information. If you don't feel you're ready yet to express how you collect and use data for yourself, then using another notice isn't going to help inform your subjects.

It may be that you end up including information that isn't relevant to your activities and is therefore misleading or commits you to something that you aren't willing to do. Or, even worse than that, you leave out information about an important processing activity that should be included.

By all means do some research and look for good (and bad) examples of privacy notices before you start writing your own. But keep in mind that you will be doing most of the writing.

Also, if you're part of a close network of voluntary organisations (e.g. you're a local branch of a national charity) then it's likely that either your HQ can supply you with a privacy notice, or you can work together to produce one that can be used by all branches.

We provide a privacy notice template to help you get started. It contains highlighted copy that you will need to change so that your own processing activities and practices are reflected. For example, you will need to insert your own organisation's name and contact details. You will also need to think about what groups of data subjects you hold data about and what lawful basis you have for processing their data.

We have added some general prompts to the template, but if you are processing information about children or involving criminal offence data you may want to consider taking specialist advice. The template is designed to cover the privacy information requirements of the GDPR, but there may be some areas that don't apply to your work (e.g. transfers to third countries) or extra commentary that you think would be sensible to add.

Every effort is made to ensure that the contents of this document are accurate, but the advice given should not be relied on as a definitive legal statement.
by Bob Harper

Data Development Coordinator
