Privacy Notices & Transparency

The ICO Code of Practice for Privacy Notices can be found here [link].

The GDPR sets out the information that we should supply to people whose personal data we process and when those individuals should be informed. Remember we process many different categories of personal data across the University including students, employees, visitors, other customers (e.g. conferences/events),  collaborators, suppliers and so on. Each has a right to be informed of how we process their data. This is all about being transparent and fair.

The information we supply is determined by whether or not we obtained the personal data directly from individuals. See the table below.

Much of the information we should supply is consistent with our current obligations under the Data Protection Act, but there is some further information we are explicitly required to provide.

The information we supply about the processing of personal data must be:

  • Concise (despite the long list of requirements!), transparent, intelligible and easily accessible;
  • Written in clear and plain language (particularly if addressed to a child), and
  • Free of charge

We should also consider whether we can provide the information in a 'layered' approach, i.e. not necessarily all given in one long notice but structured so that the essential information is given at the 'top layer' and more detailed information is given, for example, in further expandable boxes or links. Note that this needs to be balanced against making the notice too complicated or requiring the reader to click through multiple links to find the information (the ICO guidance above has more on this).

These requirements are about ensuring that privacy information is clear and understandable for data subjects. 

What information should we provide?

Each item below is followed by an "Applies to" line showing whether the information must be supplied where the data is obtained directly from the data subject, where it is not obtained directly from the data subject, or in both cases.

Identity and contact details of the controller (and the controller's representative if applicable)
Applies to: both.

Remember the Data Controller is the organisation (i.e. Keele University – not an individual).

So we could use a statement like:

‘The University of Keele will be what’s known as the ‘Data Controller’ of the personal data we hold about you.’

Contact details of the Data Protection Officer
Applies to: both.

GDPR requires us to give the contact details for our DPO. Therefore a recommended text for this would be:

Our Data Protection Officer can be contacted at – governance.dpo@keele.ac.uk or by post to Data Protection Officer, Governance Dept, Keele University, Keele, Staffordshire ST5 5BG.

Purpose of the processing
Applies to: both.

Detail here the general purpose for which Keele is processing the data.

Examples could include:

‘We need to know your basic personal data in order to provide you with the Business Gateway services. We will not collect any personal data from you we do not need in order to provide and oversee this service to you.’

Legal basis of the processing (if this is legitimate interest, then state what the legitimate interest is)
Applies to: both.

See guidance on Legal basis for Processing [link]

e.g. Consent – clearly if you are relying on consent then the statement confirming this will suffice.

For example: ‘By signing this form you confirm that you are happy for us to process the data as detailed in this notice’

Or

‘Tick here to confirm you are happy for us to contact you ….’ (give details of how you intend to contact them; do they have an option of which medium?)

Categories of personal data
Applies to: data not obtained directly from the data subject only.

We’re not required to list the categories of personal data which we get directly from the data subject (as obviously they know what they’ve given us!), so this is not needed if you’re getting the information from a form, for instance.

Any recipient or categories of recipients of the personal data
Applies to: both.

For this we can detail the specific organisations (or categories of organisations) we may share the information with.

Example: ‘We may share your information with local Councils in order to confirm your eligibility for a Council Tax exemption’

Details of transfers to a third country and safeguards
Applies to: both.

For this section provide the details of any third country (see guidance on ‘Sharing Data Abroad’ [link]).

Example: ‘Your information may be stored or processed on services outside the EU. Where this is the case we will......

Retention period or criteria used to determine the retention period
Applies to: both.

We need to tell the Data Subjects how long we intend to keep the data for. This should have been determined during the design phase of the project and will be recorded in the Information Asset Register [link to Information Asset Register Guidance].

The existence of each of the data subject’s rights*
Applies to: both.

Option One:

Just provide a link to the University webpages which detail all the data subject’s rights;

e.g. A full list of your rights can be found on our website (www.keele.ac.uk/dpa) or at the ICO’s website (www.ico.org.uk).

Option Two:

List the main rights and add a link to the University webpage for more information.

The right to withdraw consent at any time (where relevant)
Applies to: both.

Obviously only applicable if you’re relying on consent as (one of) your legal bases for processing.

The right to lodge a complaint with the ICO*
Applies to: both.

The source the personal data originates from and whether it came from publicly accessible sources
Applies to: data not obtained directly from the data subject only.

Whether the provision of personal data is part of a statutory or contractual requirement
Applies to: data obtained directly from the data subject only.

The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences
Applies to: both.

When should information be provided?

Data obtained directly from the data subject:

  • At the time the data is obtained, e.g. on the form collecting the data.

Data not obtained directly from the data subject:

  • Within a reasonable period of having obtained the data (within 1 month);
  • If the data is used to communicate with the individual, at the latest when the first communication takes place; and
  • If disclosure to another recipient is envisaged, at the latest before the data is disclosed.