Guidance on Writing Privacy Notices
Under data protection legislation we are required to be transparent with individuals about how we use their data.
We are required to supply individuals with the following information:
This information needs to be provided to the individual at the point the data is collected or, where the data is received from a third party (i.e. UCAS), within 30 days of the receipt of the data.
All personal data collection forms need to include a Privacy Notice. This should identify the specific reasons the data is being collected and the lawful basis for processing (also called the condition for processing) and then link to the relevant University Privacy Notice(s) depending on which group of individuals the data relates to. There are templates provided for staff to use on their personal data collection forms (see ‘Templates for Personal Data Collection Forms Privacy Notices’ below).
The University has three main Privacy Notices:
These Privacy Notices are each accompanied by a Record of Processing Activity:
The Records of Processing set out:
Where staff are collecting personal data they need to ensure that the relevant forms and data collection notices include a Privacy Notice. In order to minimise the volume of information that needs to be included in these specific Privacy Notices, staff can cross-refer to the University’s main Privacy Notices.
There are two forms of standard wording for personal data collection form privacy notices which can be accessed here:
Writing a Privacy Notice for a Data Collection Form
When collecting personal information verbally (e.g. during telephone discussions) you need to explain how the individual’s personal data will be used and to whom else it is likely to be disclosed.
If the person asks further questions about how their data is used then they can be referred to the relevant online Privacy Notice.
If the data collection is relying on the individual’s consent as the legal basis for processing (see the relevant Record of Processing) then you must explain what it is you are asking and ensure that the individual understands that they can choose not to give their consent. A file note should be made.
It is good practice to follow up verbal data collection with an email which directs the individual to the appropriate Privacy Notice.
If you maintain a mailing list that is used to promote University services, conferences, events or courses then this is direct marketing for which the legal basis of processing is consent. Therefore, you must ensure that you have the individual’s consent to process their data and maintain their details on your mailing list.
Whilst this applies to historic mailing lists as well as new mailing lists, if you have already obtained consent you DO NOT need to contact the individual again to seek their consent.
You should ensure that any communications you send to individuals on your mailing list allow the individual the choice to opt out of receiving further communications. For example:
‘To update your preferences and to opt in to future information, please reply to this email with ‘Opt in’ in the subject line’
If you plan to create a mailing list from future conference/event bookings then you need to include, on the booking form, the option for the individual to opt into receiving communications about future events and you should give them options about how they wish to be communicated with i.e. email, telephone, post.
Data protection legislation classes a child as someone under the age of 13. Individuals aged 13 and over are able to consent to the processing of their personal data.
Children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing and have their personal data erased. An individual’s right to erasure is particularly relevant if they gave their consent to processing when they were a child.
Privacy notices need to be child friendly and explain why we require their personal data and what we will do with it in a way that they will understand. We should explain the risks inherent in processing, and how we intend to safeguard against them, in a child friendly way, so that children (and their parents) understand the implications of sharing their data.
We should allow competent children to exercise their own data protection rights. If we are relying on parental consent, it is good practice that we offer two different versions of our privacy notice: one aimed at the holder of the parental responsibility and one aimed at the child.
If you are processing personal data relating to children please contact the Information Governance Officer for further advice.