Example Privacy notices
Being transparent and providing accessible information is one of the key themes of the General Data Protection Regulation (the GDPR). The most common way to provide information in this way is through a privacy notice. To comply with the GDPR, your organisation is expected to use privacy notices to let people know how, why, and on what lawful basis you intend to collect and process their data.
This example guide is intended as an appendix to our GDPR overview, which you should read and understand first.
The term privacy notice is used to refer to various types of information and notices used to inform people of your intention and lawful usage of their personal data. It is not always just a short statement and a tick box.
Data controllers (organisations in control of processing personal data) have to make certain information available to data subjects (the individuals to whom the data relates), so far as feasibly possible:
- who the data controller is (in your case, the Shed if you collect personal data)
- the purpose(s) for which the personal data will be processed
- the reason for collecting and processing the personal data, and
- the lawful basis on which you are collecting and processing the data
Where you need consent from an individual to process their personal data, you must make it clear in simple terms what you are asking for and why. They must give their consent as a definite action, e.g. ticking a box. For example, they should never have to untick an already ticked box if they do not want you to collect their data. It must be a conscious effort to opt in. You must then keep an up-to-date record of consent, if consent is the lawful basis you chose to justify the collection of data in a particular instance.
The GDPR says that the information you provide to people about how you process their personal data must be:
- concise, transparent, intelligible and easily accessible
- written in clear and plain language, particularly if addressed to a child
- free of charge.
Example privacy notices
Membership
Some of the information you will need to collect to sign up members will be captured with legitimate interest – the person would expect you to need it – however, additional information like email addresses to keep them up to date with Shed news is likely to need consent.
You could use a variation of the below, combined privacy notice for this purpose.
<Shed name> uses information about you from this form to process your membership and manage your subscription. We are committed to transparent and lawful data processing and are collecting this data through legitimate interest. We need all of the information indicated with a star.
In addition to the above, if you agree, we would also like to keep you updated with Shed news, but we will only do this with your consent. Your information will be stored securely and never shared with a third party without specifically asking you first. If you would like to be kept updated, please tick. ▢
You should honestly and clearly differentiate between information you need, in your legitimate interest of processing an individual’s membership, and the information they don’t need to give if they don’t want to.
Donations
This privacy notice could be on a donation form, either paper or electronic.
<Shed name> would like to send you information from time to time by post, email or telephone, to keep you up to date with our progress and to show you what your generous donation helps us to achieve. We are committed to transparent and lawful data processing and will only do this with your consent. If you agree to be contacted in this way, please tick the relevant boxes.
Post ▢ Email ▢ Telephone ▢
Your personal information will be electronically stored in secure files and will never be shared with any other organisation, unless we are required to do so by law.
Emergency Contact Information
You could use a variation of the following on a Shedder’s emergency contact form.
<Shed name> needs to keep your emergency contact information in case of accident or emergency in the Shed, to enable us to get you the help you need without delay and inform your next of kin. In compliance with the General Data Protection Regulation, we have a legitimate interest in the information and will only ever use it for the stated purpose. The information will be stored securely and never shared outside of this purpose. If you are happy for us to securely hold this information and use it in case of emergency, please sign below.
Marketing
From time to time, you might want to promote new services or ask for feedback. You’ll usually need people’s consent to do this. You could amend the following privacy notice for this purpose.
From time to time, <Shed name> would like to use your email address to send you information about our services and get your feedback to help us improve. We will only do this with your consent. Your email address will be securely stored electronically and never shared. If you agree to be contacted in this way, please tick. ▢
Types of privacy notice
The type of privacy notice you give will depend on the lawful basis and purpose of data processing. For example, if the lawful basis is consent, you could give a short privacy statement with a check box, as above. However, there are various other ways of giving privacy notices. These include, but are not limited to:
- Verbally e.g. on the telephone if recording basic data of enquiries.
- In writing
- Through signage
- Electronically, e.g. a just-in-time notice in the form of a pop-up when someone enters an email address for newsletter circulation.
Consider ways of drawing attention to privacy notices, for example:
- A coloured box that stands out on a page.
- A clear icon or symbol.
- A privacy dashboard on the front page.
When to give a privacy notice
Actively give a privacy notice if:
- you are collecting sensitive information.
- the intended use of information is unexpected or questionable.
- providing the information, or failing to do so, will have a significant effect on the individual.
- the information will be shared with another organisation in a way that the individual might not expect.
Key points when developing privacy notices
- Never bury privacy notices within large bodies of text, such as ‘small print’. Make it stand out, make it clear.
- Use simple, plain language, adapted to the intended audience, giving extra consideration to those considered ‘at risk’.
- Use clear explanations of purpose, use and why the information is helpful or needed.
- Give an honest explanation of the outcome of not providing information in specific circumstances, e.g. ‘your application will not be affected if you do not wish to provide your email address’.
- Remember to state your lawful basis for collecting the information.
- Use a proactive method for obtaining consent i.e. the data subject must physically tick a box, not notice that a box has already been ticked for them and have to untick it if they object.
Depending on the lawful basis for collecting data, not all of the above will apply to every privacy notice. It is intended as a general guide to good practice.
You can read more detailed information and advice on best practice for privacy notices on the Information Commissioner’s Office (ICO) website. The ICO are the UK authority for upholding public information rights.