Privacy notices (sometimes known as privacy policies, or data collection policies) are a way of explaining to people how we use their personal This article explains what a privacy notice needs to include, and some pointers on how to write it. Once you have your draft it should be submitted to the Information Assurance Manager to be approved.
Your privacy notice should:
- Be clear, easy to understand, and use everyday language.
- Relate clearly to a specific set of activities, a specific service, or a specific group of people.
- Give specific examples - if you share with third parties, for example, list or describe them.
- Avoid meaningless references to legislation such as "your information will only be shared in accordance with data protection law".
- Avoid vague unspecified scenarios such as "we may share your information with other people" - explain who the other people might be, and what circumstance would trigger the sharing.
- Be truthful - don't say that information will never be shared if you have a need to share it.
There are several things your notice needs to include:
- Who we are. That's particularly important if the people you are working with a software system or a website where it might not be immediately clear that you are part of the University of Essex.
- An explanation of what you are using the information for
- Your legal basis for using the data - you'll need to seek advice on this from the Information Assurance Manager
- Who you share the information with. This is especially important if you are sharing outside your team or outside the University. Don't forget to include the provider of your software system or website, if that's an external organisation.
- Whether the data will be stored outside the UK.
- How long you will be keeping the information for. The retention schedules may help guide you.
- Whether you will using the information to make any automated decisions.
- The list of rights that individuals have. These are the right to object to their information being used, the right to data portability, the right to access their own data, and the right to have their data removed.
- The email@example.com email address, which is the contact for the University's Data Protection Officer
There may be other things you need to include, depending on where your information comes from. The Information Assurance Manager can advise on this.
Examples of privacy policies