Data Protection


Guidance on writing a privacy notice

A privacy notice enables you to fulfil your legal requirement to be open and fair with individuals about what personal data you are collecting.


When do you need a privacy notice?

UCL has published ‘Global Privacy Notices’ to cover processing activities in three broad areas: one for staff, one for students, and a ‘General Privacy Notice’ that covers wider requirements such as website use.

Between them, and in broad terms, these Global Privacy Notices will cover all processing of personal data that UCL undertakes. However, GDPR places strong obligations on UCL to be transparent and fair to individuals about how it uses their personal data, so ‘local’ privacy notices will often be required to provide such information. Use local privacy notices to:

  • Provide clear and detailed information to individuals about what you are doing with their personal data.
  • Convey fully how you are using personal data that may not be sufficiently covered by the Global Privacy Notices.
  • Deviate from the details in these Global Privacy Notices, when you wish to do so.

Where should a privacy notice be placed?

A ‘Local Privacy Notice’ should be placed at the initial point of collection and should be visible to the individual to ensure fairness of processing.

This gives the individual an opportunity to read and review the notice prior to providing their personal data. Where possible, a layered approach using ‘just in time’ methodology should be used to make privacy notices as accessible and as meaningful as possible.

For new Projects: If you are undertaking processing that is likely to result in a high risk to individuals’ interests then you must complete a Data Protection Impact Assessment (DPIA) before starting your project. If you are unsure about the risk, we strongly recommend that you complete a DPIA. This will help you identify what types of personal data you are processing, the risks to privacy involved, and the safeguards or controls you will need to have in place to meet your statutory requirements.

For existing Projects: You should check any risk review you have previously undertaken as part of your project for risks to privacy. If you had already identified these and put controls in place, it is unlikely that you will require a new DPIA.

If you have not completed a previous risk review with data protection elements, you must complete a Data Protection Impact Assessment (DPIA).

For all projects, new or old, you must schedule in a review of your design against the original risk review to ensure that your purposes and/or techniques have not changed.

Once you have defined the types of data you will be collecting as well as the processing which you will be undertaking, you can begin to describe these in your privacy notice.

Below is a template for your privacy notice. If you require any further assistance, please contact the GDPR team.


How do I present my privacy notice?

Depending on the scale of your project, your privacy notice could become detailed. There is no prescribed length; however, your privacy notice should be clear, succinct and complete. To do this you can ‘layer’ your privacy notice – in the same way this guidance note is ‘layered’ through the concertina or ‘roll up’ effect. This allows the user to easily identify the areas they would like to read and focus on them.

Note: If you are gathering data on individuals under the age of 18, please see the section below on ‘Privacy notices for under 18s’.

  • The name and contact details of your organisation    ✓
  • The name and contact details of your representative    ✓
  • The contact details of your data protection officer (email and address)    ✓
  • The purposes of the processing    ✓
  • The lawful basis of the processing    ✓
  • The legitimate interests for the processing (if any)    ✓
  • The categories of personal data obtained    ✓
  • The recipients or categories of recipients of the personal data    ✓
  • The details of transfers of the personal data to any third countries or international countries    ✓
  • The retention periods for the personal data (see if your processing is covered under UCL’s record retention schedule)    ✓
  • The rights available to individuals in respect of the processing    ✓
  • The right to withdraw consent (if consent is the basis of processing)    ✓
  • The right to lodge a complaint with the ICO    ✓
  • The source of the personal data (if required)    ✓
  • The details of whether individuals are under a statutory or contractual obligation to provide the personal data    ✓
  • The details of the existence of automated decision-making, including profiling    ✓

Privacy notices for under 18s

Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved.

Your privacy notices must be clear, and written in plain, age-appropriate language. There is no prescribed “age-appropriate language”; however, a good ‘average’ is a reading age of 14, i.e. the language of your ‘Local Privacy Notice’ for persons under 18 should be readable by a 14-year-old.

You should ensure that you use child-friendly ways of presenting privacy information, such as diagrams, cartoons, graphics and videos, dashboards, layered and ‘just-in-time’ notices, icons and symbols.

You should explain to children why you require the personal data you have asked for, and what you will do with it, in a way which they can understand.

As a matter of good practice, you should explain the risks inherent in the processing, and how you intend to safeguard against them, in a child-friendly way, so that children (and their parents) understand the implications of sharing their personal data.

You must tell children what rights they have over their personal data in language they can understand.

As a matter of good practice, if you are relying upon parental consent then you should offer two different versions of your privacy notices: one aimed at the holder of parental responsibility and one aimed at the child.

How often should we review privacy notices?

You should review your privacy notice at regular intervals against your DPIA prior to publishing to ensure you have captured the necessary information.

It is good practice to schedule such reviews at regular intervals throughout your project. Privacy notices should be updated when necessary to ensure that individuals are aware of any changes.

If you require assistance, please contact the data protection team.

Please note: the DPO team are not able to write privacy notices for you. They are able to answer specific questions related to your concerns.