Privacy Policy Guidance


___________________________________________

LEGALLY PRIVILEGED AND STRICTLY CONFIDENTIAL FOR CLIENT USE ONLY

___________________________________________

This guidance note is intended to be general information only and should not be interpreted as independent legal advice. English law and European Union law are subject to change, so while Stephens Scown LLP seeks to ensure the information contained in this guidance note is up to date and accurate, the law can change quickly and no guarantee is made as to its accuracy, which means the information should not be relied upon.

Briefing notes should not be viewed as an alternative to professional advice and Stephens Scown LLP does not accept liability for any action taken or not taken as a result of your use of this guidance note.

Stephens Scown LLP, Curzon House, Southernhay West, Exeter EX1 1RS T: 01392210700 F: 01392274010 DX: 8305 Exeter W: stephens-scown.co.uk

What is a Privacy Policy? 

Organisations that interact with personal data (anything that serves to identify a living individual) are legally required to provide a public-facing document that sets out the “what, where, why and how” in relation to that data.

A privacy policy is also known interchangeably as a “privacy notice” or “data protection notice”. 

Make it simple 

The information you provide in your privacy policy must be in clear and intelligible language that is easy to understand and presented in an easy-to-read format. It is sometimes worth having the document reviewed by someone outside of your organisation, such as a customer, to see if the content is understood.

Introduction to this template  

The privacy policy template and guidance are aimed at helping the business comply with data protection legislation when drafting its privacy policy. The template does not constitute independent legal advice to the business and the business uses this template and guidance at its own risk.

What a privacy policy should cover:

Who you are/your contact information. You must identify the legal entity that controls the personal data and provide your contact information so that an individual can contact you if they need to exercise their rights or make a complaint. If the entity is a Company or a Limited Liability Partnership, be sure to include any registered office address and name, if different to the trading address or name. This is covered in paragraphs 1 and 2 of the privacy policy template.

Privacy Officer. This template assumes that you do not need to appoint a statutory Data Protection Officer, who needs to meet strict legal criteria, and the business has instead assigned a person to oversee data protection compliance – we have called this person a privacy officer. You are required to provide details of this person at paragraph 2 of the template.

How to make a complaint to the ICO. You must also provide the Information Commissioner’s Office (ICO) contact information so that the individual can escalate any complaint they feel hasn’t been properly dealt with. This is covered by paragraph 2 of the privacy policy template.

What data you are processing and how you collect it. “Personal data” means any personally identifiable information relating to a living individual. The scope can be broad, but the likely common types include first name or surname, location data, date of birth, email address, payment data etc. Your privacy policy must explain the ways in which you collect personal data, e.g. where an individual’s name and email address are collected in order to send out a newsletter.


Be cautious of the categories of personal data that are not immediately apparent, such as:

  • CCTV at offices or premises;
  • Collection of data for track and trace;
  • IP addresses through your use of Google Analytics for marketing purposes.

You may also use cookies or other tracking technologies on your website, in which case a cookie policy should be referred to here.

What data you process and how you collect it is covered in paragraph 3 of the privacy policy template.

Whether the data subjects have to provide the data directly to you – this is covered by paragraphs 3, 4 and 10.

Why you are able to process the information of data subjects and how it will be used – this is covered in paragraphs 6 and 7 of the privacy policy template.

What your purpose and lawful basis for processing the data is. Under the Data Protection Legislation (DPL), you must establish a “lawful basis” for processing personal data. There are six available lawful bases for the processing of personal data and you must determine your lawful basis before you begin processing. It is important that you give this proper consideration, as your lawful basis can influence how you must use data in the future – for example, if you use consent, the person will be freely able at any time to withdraw that consent, resulting in you having to cease processing. You can learn more about lawful bases on the ICO website here.

Your privacy policy should include your lawful basis for processing as well as your purposes for processing; this is covered by paragraphs 6 and 7 of the privacy policy template.

Whether there are other recipients of the personal information you hold – this is covered by paragraph 8 of the privacy policy template.

Whether you intend to transfer it to another country. Currently, data that is transferred from the UK to EEA countries is fine, but if you are doing so, you need to mention this in your privacy policy. The transfer of personal data outside the UK and EEA requires an additional safeguard to processing, such as standard contractual clauses or relying on an adequacy decision of an applicable regulatory body. It may not be immediately clear if you transfer personal data outside of the UK or EEA and we would advise that you look at your data processing agreements, especially with software providers. A note of caution: many common online service providers process data outside of the UK and EEA. Data transfers are covered by paragraphs 8 and 11 of the privacy policy template.


How long you store the data for. You should have a separate retention and deletion policy which can be referred to (and linked) here. Retention of data is covered by paragraph 13 of the privacy policy template.

The data subject’s rights – this is covered by paragraph 14 of the privacy policy template.

Whether you use automated decision-making or profiling – this is covered by paragraph 14.1.8 of the privacy policy template. This template assumes that you do not use automated decision-making or profiling. Please contact us if this is not the case.

Any changes/revisions to your privacy policy – this is covered by paragraph 16 of the privacy policy template.

The Principle of Accountability  

The accountability principle requires (amongst other things) that data controllers must be able to demonstrate compliance. The fact that the accountability principle is expressly mentioned in the DPL indicates the importance of having demonstrable measures in place that will ensure compliance. In practice this means (amongst other things) having appropriate data protection policies. On the ‘front line’, in terms of data protection policies, is your organisation’s privacy policy.

Having a comprehensive and coherent privacy policy (which includes the information listed above) is a crucial tool which can demonstrate to the ICO that you take your privacy obligations under the DPL seriously.

Right to be informed 

As detailed at paragraph 14.1.1 of the template privacy policy, individuals have the right to know what happens with their data when an organisation collects it and further processes it. The organisation must provide the relevant and correct privacy information at the time of collection. This will include, but is not limited to, why the organisation is processing the data, who it will be shared with and when you will stop processing the data. If you obtain the personal information from another source (third party) you must provide individuals with the relevant privacy information as soon as possible. You must also list the rights afforded to individuals (data subjects) in relation to data protection and your processing of their data.

Often, the most effective way of achieving this is by making your privacy policy available. Your privacy policy should be easily located from the landing page of your website and contained in a stand-alone page.

Children 

If you are processing children’s data you may require an age-appropriate privacy policy. This may not need to be in a written format for younger children – it depends on the nature of your business. The most important thing here is that you are clearly communicating to the child what it is you are doing with their data.

It is important to take specialist data protection advice if your business handles children’s personal data.

Penalties  

Not complying with data protection law comes with the risk of finding yourself or your business in receipt of a monetary penalty for infringement. Fines are decided by the ICO on a case-by-case basis. The higher maximum amount that the ICO can issue is £20 million or 4% of the total worldwide turnover of your business.

It is important that you ensure that you have a privacy policy in place which accurately reflects the way in which you operate and is easily comprehensible and transparent for data subjects.

Review 

The processing of data within an organisation often changes. Therefore, it is good practice to review your privacy policy regularly to ensure it correlates with what you are doing in practice. A standard retention clause is included at paragraph 12 of the privacy policy template.

Date: August 2023 

For more information contact: dataprotection@stephens-scown.co.uk or 01392 210700.  

