This post helps you understand privacy policies, privacy notices and what you need to do in this area to comply with data protection legislation. At the bottom of the post is a privacy policy template for you to modify and use in your organisation.
As with our data protection policy post, we have tried to decode the guidance provided by the ICO (the government body that oversees data protection in the UK) and interpret it in a way that helps membership organisations understand the key provisions and adopt a proportionate response considering their own size and audience.
This post comes with the important caveat that we are not lawyers! We provide free support and guidance to our community of membership organisations and while these resources should save you a lot of time, it’s prudent to get a lawyer to check them over too.
Privacy Notice vs Privacy Policy
As we discussed in our GDPR guide for associations, societies and membership organisations, the new data protection legislation adds clarity to many requirements that already existed. One such area is privacy notices and policies. The key term used in the legislation and guidance is ‘privacy notice’ but this is a slippery term that has given rise to a lot of confusion.
Previously, lots of organisations published ‘privacy policies’ but the terminology in GDPR, as implemented in the Data Protection Act 2018, has left organisations wondering whether they should rename their policies. However, as we explain below, these terms are describing two different things.
According to the ICO, the term ‘privacy notice’ is used to:
“Describe all the privacy information that you make available or provide to individuals when you collect information about them… This is why the ICO believes that it is good practice to develop a blended approach, using a number of techniques to present privacy information to individuals.”
In this light, it seems that ‘privacy policy’ is still the best name for the overarching statement of your approach to privacy. This term describes a document.
In contrast, each time you collect data from someone you need to think through your ‘privacy notice’. This term explains the individual’s particular experience when they give you data.
In some cases, the only privacy notice required may be to make your privacy policy available in the footer of your website for the individual to read if they wish. But in other situations, you will need to provide information more proactively to make it sufficiently clear how an individual’s data will be used.
The underlying principle seems clear:
Make it simpler for people who interact with your organisation to understand what you will do with their data. The greater the chance they will have concerns, the more actively you should explain your approach.
How to deliver privacy notices
In general terms you need to explain:
✔ What data is being processed
✔ The lawful basis for this processing
✔ The purpose of this processing
All three aspects are clearly set out in the attached privacy policy example. As mentioned above, in some cases all you will need to do is have your privacy policy available and easy to find on your website. However, you should also consider whether the nature of the data being collected requires you to flag up more actively how you will handle it.
Passive notices
According to the ICO, it’s fine to require an individual to go and find privacy information when their data is being used for a purpose that a reasonable person might expect to be necessary, such as using their address details to send them a product they have ordered.
Active notices
The ICO guidance on active notices is not prescriptive (i.e. you’ll still need to interpret it for your situation) but it is clear and concise so we’ll quote it here:
“The need to actively provide privacy information is strongest where:
- you are collecting sensitive information;
- the intended use of the information is likely to be unexpected or objectionable;
- providing personal information, or failing to do so, will have a significant effect on the individual; or
- the information will be shared with another organisation in a way that individuals would not expect.”
So what documents do you need?
Documents alone do not achieve compliance. The GDPR is, in large part, about providing individuals with more transparency. So as a membership organisation you should think about your documents as a toolkit to help you improve the experience of individuals who engage with your organisation.
This list sets out the key tools you should have in place. Items 1 and 2 are standalone documents; items 3 and 4 are snippets of text that will change depending on the context in which they are shown.
1. Data Protection Policy
This is an internal document explaining how you, as a membership organisation, will manage data responsibly in a way that continues to comply with data protection legislation. For more on this, read our post and associated template on data protection policies.
2. Privacy Policy
This document contains a complete public statement about how your organisation deals with personal data.
3. Consent statement
For the purpose of direct marketing (i.e. sending people updates about your work or requests for support), you are likely to rely on consent as your ‘lawful basis’ for processing this data. The consent statement answers the question ‘what am I signing up for?’ It should be clear and specific, but you should also think broadly about the future: if you later change this statement or the materials you send out, your old consents may become invalid.
4. Supplementary privacy notice
These supplementary notices deal with the situation where, due to the nature of the data being collected, you need to flag up more actively how you will handle it. Passive and active notices are discussed in more detail in the previous section.
Passing data to third parties
The ICO makes a big deal about making your privacy policy easy to read and understand. This means avoiding the temptation to draft a huge document and this requires knowing not only what is needed but also what can be left out.
One area that has caused some confusion is how much information is needed in your privacy policy about third parties. If you had to list every third party you used to handle data, that would significantly increase the size of your privacy policy.
Thankfully, the ICO has made it clear that you do not have to include details of all third parties. The key distinction is whether third parties are Data Processors or Data Controllers. These terms can be a little confusing since under the GDPR both data processors and data controllers ‘process’ data.
A Data Controller determines the purposes and means of handling personal data. When you collect data from people you will normally be the data controller. If you pass data to another data controller this is a big deal. Examples of third-party data controllers are organisations to whom you refer clients or to whom you pass on data for the purposes of marketing. Where you do this you must almost always seek active informed consent that names the data controller to whom you’ll be passing data.
A Data Processor is responsible for processing personal data on behalf of a data controller. An example of this is a payment provider. As long as you have an appropriate agreement in place with the payment provider, there should be no need to tell people the details or request their consent. In our accompanying privacy policy template, we include a short paragraph you can use to explain to people that you may use third-party services as data processors and what you do to ensure they handle this data appropriately.
Download the template
We’ve created a free template to accompany this guide. If you find this useful please consider sharing this page!