Guidance on writing Privacy Notices

Under data protection legislation we are required to be transparent with individuals about how we use their data.

We are required to supply individuals with the following information:

  • Identity and contact details of the Data Controller (the University) and the Data Protection Officer (Head of Information Assurance)
  • The purpose of processing including any negative impact of the individual not providing the data
  • The legal basis for the processing (Article 6(1)) and where relevant the legal basis of processing special category data (Article 9(2))
  • Who we share the personal data with
  • If we share the personal data outside of the EU and why
  • How long we retain the data
  • The individual’s rights under data protection law
  • Whether we carry out automated decision making

This information needs to be provided to the individual at the point the data is collected or, where the data is received from a third party (i.e. UCAS), within 30 days of the receipt of the data.

All personal data collection forms need to include a Privacy Notice. This should identify the specific reasons the data is being collected and the lawful basis for processing (also called the condition for processing) and then link to the relevant University Privacy Notice(s) depending on which group of individuals the data relates to. There are templates provided for staff to use on their personal data collection forms (see 'Templates for Personal Data Collection Forms Privacy Notices' below).

University Privacy Notices

The University has three main Privacy Notices:

These Privacy Notices are each accompanied by a Record of Processing Activity. The Records of Processing set out:
  • the various data records we hold for each group
  • the legal basis we process the data under
  • whether they include special category data (racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data for the purpose of uniquely identifying someone; data concerning health; data concerning someone’s sex life or sexual orientation);
  • the legal basis for processing this data, whether we share the data, and if we share the data outside the EU.

Where staff are collecting personal data, they need to ensure that the relevant forms and data collection notices include a Privacy Notice. In order to minimise the volume of information that needs to be included in these specific Privacy Notices, staff can cross-refer to the University’s main Privacy Notices.

There are two forms of standard wording for personal data collection form privacy notices which can be accessed here:

Writing a Privacy Notice for a Data Collection Form

When collecting personal information verbally (e.g. during telephone discussions) you need to explain how the individual’s personal data will be used and to whom else it is likely to be disclosed.

If the person asks further questions about how their data is used then they can be referred to the relevant online Privacy Notice.

If the data collection is relying on the individual’s consent as the legal basis for processing (see the relevant Record of Processing) then you must explain what it is you are asking and ensure that the individual understands that they can choose not to give their consent. A file note should be made.

It is good practice to follow up verbal data collection with an email which directs the individual to the appropriate Privacy Notice.

If you maintain a mailing list that is used to promote University services, conferences, events or courses then this is direct marketing for which the legal basis of processing is consent. Therefore, you must ensure that you have the individual’s consent to process their data and maintain their details on your mailing list.

Whilst this applies to historic mailing lists as well as new mailing lists, if you have already obtained consent you DO NOT need to contact the individual again to seek their consent.

You should ensure that any communications you send to individuals on your mailing list allow the individual the choice to opt out of receiving further communications. For example:

‘To update your preferences and to opt in to future information, please reply to this email with ‘Opt in’ in the subject line’

If you plan to create a mailing list from future conference/event bookings then you need to include, on the booking form, the option for the individual to opt into receiving communications about future events and you should give them options about how they wish to be communicated with i.e. email, telephone, post.

Data protection legislation classes a child as someone under the age of 13 (Note: included in the Data Protection Bill currently awaiting Parliamentary approval).

Children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing and have their personal data erased. An individual’s right to erasure is particularly relevant if they gave their consent to processing when they were a child.

Privacy notices need to be child friendly and explain why we require their personal data and what we will do with it in a way that the child will understand. We should explain the risks inherent in processing, and how we intend to safeguard children against them, in a child friendly way, so that children (and their parents) understand the implications of sharing their data.

We should allow competent children to exercise their own data protection rights. If we are relying on parental consent, it is good practice that we offer two different versions of our privacy notice: one aimed at the holder of the parental responsibility and one aimed at the child.

If you are processing personal data relating to children please contact the Data Protection Officer for further advice.