Privacy Policy Guidance
___________________________________________
LEGALLY PRIVILEGED AND STRICTLY
CONFIDENTIAL FOR CLIENT USE ONLY
___________________________________________
This guidance note is intended to be general information only and should not be interpreted as independent legal advice. English law and European Union law are subject to change, so while Stephens Scown LLP seeks to ensure the information contained in this guidance note is up to date and accurate, the law can change quickly and no guarantee is made as to its accuracy, which means the information should not be relied upon.
Briefing notes should not be viewed as an alternative to professional advice and Stephens Scown LLP does not accept liability for any action taken or not taken as a result of your use of this guidance note.
Stephens Scown LLP, Curzon House, Southernhay West, Exeter EX1 1RS T: 01392210700 F: 01392274010 DX: 8305 Exeter W: stephens-scown.co.uk
What is a Privacy Policy?
Organisations that process personal data (any information that identifies, or can be used to identify, a living individual) are legally required to provide a public-facing document that sets out the "what, where, why and how" of that processing.
A privacy policy is also known interchangeably as a “privacy notice” or “data protection notice”.
Make it simple
The information you provide in your privacy policy must be in a clear and intelligible language that is easy to understand and presented in an easy-to-read format. It is sometimes worth having the document reviewed by someone outside of your organisation, such as a customer, to see if the content is understood.
Introduction to this template
The privacy policy template and this guidance are aimed at helping a business comply with data protection legislation when drafting its privacy policy. The template does not constitute independent legal advice to the business, and the business uses this template and guidance at its own risk.
What a privacy policy should cover:
• Who you are/your contact information. You must identify the legal entity that controls the personal data and provide your contact information so that an individual can contact you if they need to exercise their rights or make a complaint. If the entity is a company or a limited liability partnership, be sure to include the registered office address and registered name if these differ from the trading address or name. This is covered in paragraphs 1 and 2 of the privacy policy template.
• Privacy Officer. This template assumes that you do not need to appoint a statutory Data Protection Officer, who needs to meet strict legal criteria, and the business has instead assigned a person to oversee data protection compliance – we have called this person a privacy officer. You are required to provide details of this person at paragraph 2 of the template.
• How to make a complaint to the ICO. You must also provide the Information Commissioner's Office (ICO) contact information so that an individual can escalate any complaint they feel has not been properly dealt with. This is covered by paragraph 2 of the privacy policy template.
• What data you are processing and how you collect it. "Personal data" means any information relating to an identified or identifiable living individual. The scope can be broad, but common types include first name or surname, location data, date of birth, email address, payment data, etc. Your privacy policy must explain the ways in which you collect personal data, e.g. where an individual's name and email address are collected in order to send out a newsletter.
Be cautious of the categories of personal data that are not immediately apparent, such as:
- CCTV at offices or premises;
- Collection of data for track and trace;
- IP addresses collected through your use of Google Analytics for marketing purposes (an IP address can be personal data, so analytics and other website tooling should be included in your review).
You may also use cookies or other tracking technologies on your website, in which case a cookie policy should be referred to here.
What data you process and how you collect it is covered in paragraph 3 of the privacy policy template.
• Whether data subjects have to provide the data directly to you – this is covered by paragraphs 3, 4 and 10 of the privacy policy template.
• Why you are able to process the information of data subjects and how it will be used – this is covered in paragraphs 6 and 7 of the privacy policy template.
• What your purpose and lawful basis for processing the data is. Under the Data Protection Legislation (DPL), you must establish a "lawful basis" for processing personal data. There are six available lawful bases for the processing of personal data, and you must determine your lawful basis before you begin processing. It is important that you give this proper consideration, as your lawful basis affects how you may use the data in future. For example, if you rely on consent, the individual is free to withdraw that consent at any time, at which point you must stop the processing that relied on it. You can learn more about lawful bases on the ICO website.
Your privacy policy should include your lawful basis for processing as well as your purposes for processing; this is covered by paragraphs 6 and 7 of the privacy policy template.
• Whether there are other recipients of the personal information you hold – this is covered by paragraph 8 of the privacy policy template.
• Whether you intend to transfer it to another country. Currently, data transferred from the UK to EEA countries does not require additional safeguards, but if you make such transfers you need to mention this in your privacy policy. The transfer of personal data outside the UK and EEA requires an additional safeguard, such as standard contractual clauses or reliance on an adequacy decision of the applicable regulatory body. It may not be immediately clear whether you transfer personal data outside the UK or EEA, so we would advise that you check your data processing agreements and, where published, the sub-processor lists of your software providers, since many common online service providers process data outside the UK and EEA. Data transfers are covered by paragraphs 8 and 11 of the privacy policy template.
• How long you store the data for. You should have a separate retention and deletion policy which can be referred to (and linked) here. Retention of data is covered by paragraph 13 of the privacy policy template.
• The data subject’s rights – this is covered by paragraph 14 of the privacy policy template.
• Whether you use automated decision-making or profiling – this is covered by paragraph 14.1.8 of the privacy policy template. This template assumes that you do not use automated decision-making or profiling. Please contact us if this is not the case.
• Any changes/revisions to your privacy policy – this is covered by paragraph 16 of the privacy policy template.
The Principle of Accountability
The accountability principle requires (amongst other things) that data controllers must be able to demonstrate compliance. The fact that the accountability principle is expressly mentioned in the DPL indicates the importance of having demonstrable measures in place that will ensure compliance. In practice this means (amongst other things) having appropriate data protection policies. On the 'front line', in terms of data protection policies, is your organisation's privacy policy.
Having a comprehensive and coherent privacy policy (which includes the information listed above) is a crucial tool which can demonstrate to the ICO that you take your privacy obligations under the DPL seriously.
Right to be informed
As detailed at paragraph 14.1.1 of the template privacy policy, individuals have the right to know what happens to their data when an organisation collects it and further processes it. The organisation must provide the relevant and correct privacy information at the time of collection. This includes, but is not limited to, why the organisation is processing the data, who it will be shared with and when you will stop processing it. If you obtain the personal information from another source (a third party), you must provide individuals with the relevant privacy information as soon as possible. You must also list the rights afforded to individuals (data subjects) in relation to data protection and your processing of their data.
Often, the most effective way of achieving this is by making your privacy policy available. Your privacy policy should be easy to find from the landing page of your website and should sit on its own standalone page.
Children
If you are processing children's data you may require an age-appropriate privacy policy. This may not need to be in a written format for younger children; it depends on the nature of your business. The most important thing here is that you clearly communicate to the child what you are doing with their data.
It is important to take specialist data protection advice if your business handles children’s personal data.
Penalties
Not complying with data protection law carries the risk of you or your business receiving a monetary penalty for infringement. Fines are decided by the ICO on a case-by-case basis. Under the UK regime, the higher maximum amount that the ICO can issue is £17.5 million or 4% of the total annual worldwide turnover of your business, whichever is higher.
It is important that you ensure that you have a privacy policy in place which accurately reflects the way in which you operate and is easily comprehensible and transparent for data subjects.
Review
The processing of data within an organisation often changes. It is therefore good practice to review your privacy policy regularly to ensure it reflects what you are doing in practice. A standard retention clause is included at paragraph 12 of the privacy policy template.
Date: August 2023
For more information contact: dataprotection@stephens-scown.co.uk or 01392 210700.