Department for Constitutional Affairs


© Crown Copyright


Privacy Statements

Service Specific Statements

Whenever you collect personal information about people, they have a right to know who you are, why you are collecting their information, what you will do with it, what their rights are and where they can find further information. The public sector's commitment to these rights is set out in the Guarantee which public bodies are encouraged to make accessible to customers.

The information provided in a privacy statement should be service specific. So, for example, a local authority should not produce one over-arching statement of the way it protects all personal information, but should produce separate statements for each of its services so that service users can clearly see within a specific context why their information is needed and what will happen to it.

We recommend that service specific statements be short and concise: readers do not want to be overwhelmed with a mass of detail. However, they should be told where they can get more information, should they wish.

We recommend that the statement contain the following:

  1. Who you are. This may seem obvious, but it is a requirement of the Data Protection Act that people are informed of the identity of the data controller or controllers.
  2. Why you need people's personal information. Explain why the information you are asking for is necessary for you to provide the service required. This will demonstrate how you comply with the 3rd data protection principle, that data should be adequate, relevant and not excessive. Consider also whether the information will be used for any secondary purposes, such as research, statistical analysis or staff training and include these.
  3. What you will do with it. Explain how you will use the data to provide a service or services. Also let people know if their information will be passed to another organisation and whether they have a choice about this. If data is shared with other organisations, explain why - e.g. to provide better services. If they have a choice, make sure it is clear that they can say no. If data might be shared without people's knowledge and/or consent, e.g. to prevent fraud or to produce anonymised statistics, this should be mentioned.
  4. When you will dispose of it. This allows you to demonstrate compliance with the 5th data protection principle that data should not be kept for longer than is necessary. There will be circumstances when it would not be practical to say when data will be destroyed - e.g. when it could enable fraud. In such cases a general assurance should be sufficient.
  5. How you will safeguard it. This allows you to demonstrate how you comply with the 7th data protection principle. This section should be as non-technical as possible, but should provide general reassurance on staff's commitment to security and confidentiality and to the security of IT systems.
  6. How people can check the information you hold on them. Provide a brief explanation of subject access rights, or tell people where they can get further details on this. Letting people know how they can ask for inaccurate data to be corrected helps demonstrate a commitment to the 4th data protection principle, to ensure data is accurate and up to date. It may also be helpful to give a brief explanation of how you comply with this principle, e.g. any regular updating or validating exercises you carry out.
  7. How to get more information and how to complain. Give full contact details of whom people can go to if they want further details on your information handling policies or to make a complaint.

Examples of some service specific statements are available in our best practice library.

Internet Privacy Statements

There is plenty of advice and help elsewhere on developing internet privacy statements and we therefore only provide links here to other sites.

It is good practice to have a statement or statements on your website letting people know whether you collect information on them and, if so, how it is protected. This statement will differ from a standard fair processing notice since it will include information on items such as cookies, which are only relevant in the context of Internet sites.

Again, these statements should be service specific. Therefore it may be necessary to have one general statement for the website, and separate ones for different services contained on it.

Comprehensive guidelines on Internet privacy policies can be found on the website of The Organisation for Economic Co-operation and Development (OECD). These have been developed for use by both the public and private sector in any country. You may therefore want to include a statement relating it to UK Data Protection laws. The site includes a privacy statement generator that allows users to assess and develop their policies and practice on safeguarding privacy and to create a privacy statement to place on their websites.

The ICO's website includes tips on website privacy policies and statements in the form of Frequently Asked Questions.

UMIST (University of Manchester Institute of Science & Technology) and the ICO have produced best practice guidance on data protection for systems designers that includes (at Appendix 5) a list of characteristics of an effective privacy statement.

The Platform for Privacy Preferences Project

The World Wide Web Consortium is responsible for the Platform for Privacy Preferences Project (P3P). This allows Internet users to set privacy preferences on their browsers. When they enter a website that is P3P enabled, the website will then check the preferences against the privacy policy of the website to ensure they match. If not, the user will have this pointed out and be asked if they wish to continue. This means that users do not have to actively seek out, and read through, privacy policies each time they visit a website.

