Guidance on writing a privacy notice
The General Data Protection Regulation (GDPR) requires you to be open and fair with individuals about what personal data you are collecting, for what purpose and for how long. You can do this through a ‘Privacy Notice’ (sometimes called a ‘Fair Processing Notice’ or ‘Information Sheet’).
- When do you need a Privacy Notice?
UCL has published ‘Global Privacy Notices’ to cover processing activities in three broad areas: staff, students, and a ‘General Privacy Notice’ that covers wider requirements such as website use. Between them, and in broad terms, these Global Privacy Notices cover all processing of personal data that UCL undertakes. However, GDPR places strong obligations on UCL to be transparent and fair to individuals about how it uses their personal data, so ‘local’ privacy notices will often be required to provide that information. Use local privacy notices to:
Provide clear and detailed information to individuals about what you are doing with their personal data.
Explain fully how you are using personal data where this is not sufficiently covered by the Global Privacy Notices.
Set out any deviation from the details given in the Global Privacy Notices.
- Where should a 'Privacy Notice’ be placed?
A ‘Local Privacy Notice’ should be placed at the initial point of collection and should be visible to the individual to ensure fairness of processing. This gives the individual an opportunity to read and review the notice prior to providing their personal data. Where possible, a layered approach using ‘just in time’ methodology should be used to make privacy notices as accessible and as meaningful as possible.
- How do I prepare a ‘Privacy Notice’?
For new Projects: If you are undertaking processing that is likely to result in a high risk to individuals’ interests then you must complete a Data Protection Impact Assessment (DPIA) before starting your project. If you are unsure about the risk, we strongly recommend that you complete a DPIA. This will help you identify what types of personal data you are processing, the risks to privacy involved, and the safeguards or controls you will need to have in place to meet your statutory requirements.
For existing Projects: You should check any risk review previously undertaken as part of your project for risks to privacy. If you have already identified these and put controls in place, it is unlikely that you will require a new DPIA.
If you have not completed a previous risk review with data protection elements, you must complete a Data Protection Impact Assessment (DPIA).
For all projects, new or old, you must schedule a review of your design against the original risk review to ensure that your purposes and/or techniques have not changed.
Once you have defined the types of data you will be collecting as well as the processing which you will be undertaking, you can begin to describe these in your privacy notice.
- How do I present my ‘Privacy Notice’?
Note: If you are gathering data on individuals under the age of 18, please see the section below on ‘Privacy Notices for Under 18s’.
Depending on the scale of your project, your privacy notice could become detailed. There is no prescribed length, however, your privacy notice should be clear, succinct and complete. To do this you can ‘layer’ your privacy notice – in the same way this guidance note is ‘layered’ through the concertina or ‘roll up’ effect. This allows the user to easily identify the areas they would like to read and focus on them.
- Where can I check that I have completed my Privacy Notice correctly?
What information do we need to provide?
✓ The name and contact details of your organisation
✓ The name and contact details of your representative
✓ The contact details of your Data Protection Officer (email and address)
✓ The purposes of the processing
✓ The lawful basis of the processing
✓ The legitimate interests for the processing (if any)
✓ The categories of personal data obtained
✓ The recipients or categories of recipients of the personal data
✓ The details of transfers of the personal data to any third countries or international organisations
✓ The retention periods for the personal data (check whether your processing is covered by UCL’s records retention schedule)
✓ The rights available to individuals in respect of the processing
✓ The right to withdraw consent (if consent is the basis of processing)
✓ The right to lodge a complaint with the ICO
✓ The source of the personal data (if required)
✓ The details of whether individuals are under a statutory or contractual obligation to provide the personal data
✓ The details of the existence of automated decision-making, including profiling
- Privacy Notices for Under 18s
Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved.
Your privacy notices must be clear and written in plain, age-appropriate language. There is no prescribed “age-appropriate language”; however, a good ‘average’ is a reading age of 14, i.e. the language of your ‘Local Privacy Notice’ for persons under 18 should be readable by a 14 year old.
You should ensure that you use child friendly ways of presenting privacy information, such as diagrams, cartoons, graphics and videos, dashboards, layered and ‘just-in-time’ notices, icons and symbols.
You should explain to children why you require the personal data you have asked for, and what you will do with it, in a way which they can understand.
As a matter of good practice, you should explain the risks inherent in the processing, and how you intend to safeguard against them, in a child friendly way, so that children (and their parents) understand the implications of sharing their personal data.
You must tell children what rights they have over their personal data in language they can understand.
As a matter of good practice, if you are relying upon parental consent then you should offer two different versions of your privacy notice: one aimed at the holder of parental responsibility and one aimed at the child.
- Where can I get further assistance?
If you require assistance please contact the Data Protection Team.
Please note: the DPO team are not able to write Privacy Notices for you. They are able to review your notice and answer specific questions related to your concerns.