Privacy Notices

Why do we need to have privacy notices?

Being transparent and providing accessible information to individuals about how you will use their personal data is a key element of the DPA and GDPR. The most common way to provide this information is in a privacy notice.

GDPR uses the term ‘privacy notice’ to describe all the privacy information that City makes available or provides to subjects when collecting information about them. However, in other situations it will not be effective to use a single document to inform subjects about what City does with personal data so a blended approach should be used.

It is often argued that people's expectations about personal data are changing. People are increasingly willing to share information on social media and to allow their data to be collected by mobile apps, and they are also unwilling to read lengthy privacy notices.

These factors are sometimes used to support the view that they are relatively unconcerned that their data is being collected and processed. However, there is also evidence that people do have concerns about how organisations handle their data and want to retain some control over its further use. Therefore, it is still of paramount importance for staff to be transparent about their processing and comply with the legal requirements to provide privacy information.

At a glance:

  • Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR (per Principle (a) of the GDPR).
  • You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
  • You must provide privacy information to individuals at the time you collect their personal data from them.
  • If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
  • There are a few circumstances when you do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.
  • The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.
  • It is often most effective to provide privacy information to people using a combination of different techniques including layering, dashboards, and just-in-time notices.
  • You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.
  • Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage.

How to use this guidance

Use this template to create new privacy notices, or adapt your existing ones, so that they are compliant with data protection law. It will guide you through the series of decisions you need to make about what mandatory information to include and also help you to tailor it to your specific needs.

The template is split into five steps, which cover all the required elements of a privacy notice:

  • general overview of how City handles personal data.
  • what data we will collect and how we will use it.
  • how long the data will be held.
  • information about how the data will be shared.
  • data subject rights.

There is also an optional step 6, for where you want to use data for other purposes, such as marketing or mailing lists.

Once you have identified what information you need to include, you can tailor and shorten the text for your specific scenario. This guidance includes an example of how a completed privacy notice might look.

Step 1: Provide a general overview of how City handles personal data

Add wording from each section that is relevant to your project.

(i) General wording

Example wording:

Your trust is very important to us. This means City is committed to protecting the privacy and security of your personal information. 

It is important that you read this notice so that you are aware of how and why we are using such information. This privacy notice describes how we collect and use personal information about you during and after your relationship with us, in accordance with data protection law. 

You can find additional information here.

Step 2: Tell users what data we will collect and how we will use it

Add wording from each section that is relevant to your project.

(i) Identify what data will be collected:

Example text:

City will collect and process the personal information that you have provided to us about yourself [and your child]. This personal information is [list the types of personal information here – e.g. name, address, contact details, etc.].

If you are collecting special categories of information, then insert the sentence below. Special categories of information include:
  • race or ethnicity.
  • political opinions.
  • religious or philosophical beliefs.
  • trade union membership.
  • health, sex life or sexual orientation.
  • genetics or biometrics.
  • criminal convictions.

(ii) Where collecting special category data:

Example text:

City will also collect and process certain special categories of more sensitive personal information that you provide. This information is [list the types of special category information here]. We will only ask you to provide such information where we have a lawful basis to do so. If you choose to provide such information, please carefully consider if you wish to disclose such information.

Explain the purposes for which you are collecting information.

(iii) Explain the purposes of processing the data:

Example text:

The personal information [and special categories of information] that you provide will be processed securely for the purposes of [explain all of the purposes for which you are using the data in simple language].

If you are carrying out any profiling or automated decision-making with data you collect, you need to tell people about this and the logic used.

(iv) Where profiling or automated decision-making:

Example text:

The personal information that you provide will be processed securely for the purposes of carrying out [e.g. segmentation analysis].

(v) State that City is data controller:

City is the ‘data controller’ of this information. This means that City decides what your personal information is used for, and the ways in which it is processed.

(vi) State the legal basis for processing the data:

Example text:

The legal basis on which City processes your personal information is on the basis of: 

Choose from options 1 to 6 below if you are processing regular personal data. If you are processing different kinds of ‘regular’ personal data under different legal bases, you can split these out.

Option 1 City’s legitimate interests in [insert details of the legitimate interest, e.g. providing fit-for-purpose courses. The University (and sometimes third parties) has a broad legitimate interest in activities that connect to the activities and education of students. Subject to those interests not being overridden by the interests of fundamental rights and freedoms of students, it will pursue those interests. A good example of this legitimate interest would be its Alumni activities. You will also need to insert a sentence here about how you have considered and balanced your legitimate interests against the rights, freedoms and interests of the data subject. See the example provided. This must be personalised for each individual privacy notice. You will also need to complete a Legitimate Interests Assessment form.

Option 2 public task – City is an educational and research establishment and in particular its educational and research activity is conducted in a public interest (including your interest and the interest of others).

Option 3 the processing being necessary for compliance with our legal obligation to [identify legal obligation]. City may have legal obligations to provide personal data to others e.g. HESA.

Option 4 performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract. Or e.g. necessary for the performance of your student contract – on many occasions City will process your data to enable it to meet its commitments to you e.g. those relating to education and assessment.

Option 5 your consent. You may withdraw your consent at any time by contacting [insert contact email address for someone in your team]. [Note: If you do rely on consent, you need to (i) ensure consent is obtained via some type of affirmative action; (ii) ensure consent is requested separately for each individual purpose, and the individual is able to refuse/agree to each item separately; (iii) ensure consent can be withdrawn as easily as it can be given; and (iv) retain records evidencing the consent. For more information, see the ICO’s consent page.]

Option 6 protecting the vital interest of yourself or another – sometimes in extreme circumstances City will have to release information to protect your interests or the interests of others e.g. in medical emergencies.

(vii) Where processing special category data:

If special category information is processed, include the sentence below and choose one appropriate option from Options 7-12 for each type of special category data.

Where you are collecting special categories of information for diversity monitoring purposes and consent is not appropriate, insert 'Option 11 - For diversity data’.

If criminal conviction data is processed, include 'Option 12 - For criminal conviction data'.

Example text:

The legal basis on which City processes special categories of information you have provided is on the basis of: 

Option 7 your explicit consent. You may withdraw your consent at any time by contacting [insert contact point in your team]. [Note: You should not rely on explicit consent unless there are no other processing grounds available. In addition to the steps for consent outlined above, you will need to ensure you obtain a clear and express consent statement from the data subject, in order to evidence consent. For example, "I consent to City processing my [specific type of data] for the purpose of [specific individual purpose]."]

Option 6 the processing being necessary for City or your [obligations / rights] in the field of employment, social security and social protection law.

Option 7 the information being manifestly made public by you.

Option 8 the processing being necessary for the establishment, exercise or defence of legal claims. 

Option 9 the substantial public interest in City [tailor as required].

Option 10 the processing being necessary for [historical research purposes / statistical purposes].

Option 11 - For diversity data when consent is not appropriate City will process information about your [racial or ethnic background / sexual orientation / health / religious or philosophical beliefs] on the basis of the processing being necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between people [of different racial or ethnic backgrounds / holding different religious or philosophical beliefs / with different states of physical or mental health / of different sexual orientation] with a view to enabling such equality to be promoted or maintained.

Step 3: Say how long you will retain the information

Can you identify the retention period for processing? Choose Option A if you know your retention period. Choose Option B if you don’t know your retention period.

Option A City will retain your information until [insert retention period].

Option B In order to determine the period for which we will retain your information, we consider the following factors: [insert a few bullet points explaining the factors affecting retention, e.g. any business reasons, legal retention requirements, etc.].

Step 4: Say whether you will be sharing your information

Add wording from each section that is relevant to your project.

(i) Sharing data with third parties  

If you intend to make any disclosures to third parties (including suppliers), insert the sentence below.

Example text:

We will share information you provide with [list third parties to whom data is disclosed and explain the purposes for disclosing data to them if this wouldn’t be immediately obvious to individuals. Certain types of suppliers can be listed by category – these include lawyers, auditors, and professional advisers.].

(ii) Transferring data outside the EEA:

If you plan to make any transfers outside the European Economic Area:

Example text:

We will transfer your personal information to the following countries outside the European Economic Area with appropriate safeguards in place: [list the countries].

Step 5: Tell users about their rights

(i) User rights  

Example text:

If you have any questions about how City handles your personal information, or you wish to find out about your rights, please visit City’s Privacy Notice. You will also be able to find out more information about how City processes your information and how you can contact City’s Data Protection Officer via email at dpo@city.ac.uk. Where there is inconsistency between those documents and this notice, this notice shall prevail.

If you raise a concern with City about the way it has handled your personal information, you are entitled to lodge a concern with a supervisory authority. In the UK, the supervisory authority is the Information Commissioner’s Office (ICO).

Step 6: Using data for other purposes, e.g. marketing or mailing lists

Are you going to use details for marketing?
If you are planning on using personal data for the purposes of marketing, you must ensure that you comply with the Privacy and Electronic Communications Regulations (PECR).

PECR sit alongside the Data Protection Act and the GDPR. They give people specific privacy rights in relation to electronic communications.

There are specific rules on:

  • marketing calls, emails, texts and faxes;
  • cookies (and similar technologies);
  • keeping communications services secure; and
  • customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.

As part of PECR, organisations must obtain consent before marketing to individuals. More details are available on the ICO website.

Wording to use in a privacy notice for marketing purposes
The following wording can be tailored and used at the point you get someone to opt-in, subject to retaining (i) a statement about express consent and unsubscribing, or (ii) a tick-box allowing opt-in to marketing.

Example text:

Would you like to join our mailing list?*  
We will only contact you for marketing purposes where you have expressly consented for us to do so and you can unsubscribe at any time through selecting the relevant unsubscribe option in the message itself.  
[Insert consent mechanism, e.g. (i) a statement about express consent and unsubscribing, or (ii) a tick-box allowing opt-in to marketing].

Example Privacy Notice 1.

Please note that this example is intended as a guide to how you need to think about splitting out your use of different kinds of data and how flexible you can be in your wording, and should not be copied for use in live privacy notices.

Your trust is very important to us. This means City is committed to protecting the privacy and security of your personal information. 

It is important that you read this notice so that you are aware of how and why we are using such information. This privacy notice describes how we collect and use personal information about you during and after your relationship with us, in accordance with data protection law. 

You can find additional information here.

What will we collect and how will we use it?
City will collect and process the personal information that you have provided to us about yourself. This personal information is your name, address, and contact details, as well as any other information you provided in the application form.

City will also collect and process certain special categories of more sensitive personal information that you provide about yourself. This information includes details of [insert special category data]. We will only ask you to provide such information where we have a lawful basis to do so. If you choose to provide such information, please carefully consider if you wish to disclose such information.

The personal information and special categories of information that you provide will be processed for the purposes of registering your details for student support services.

City is the 'data controller' of this information. This means that City decides what your personal information is used for, and the ways in which it is processed. 

The legal basis on which City processes your personal information for purposes is on the basis of City’s legitimate interests in providing fit-for-purpose student support services. City has considered and balanced your legitimate interests against the rights, freedoms and interests of the data subject.

Retaining your information
City will retain your information for [insert appropriate period] years.

Your rights and more information

If you have any questions about how City handles your personal information, or you wish to find out about your rights, please visit City’s Privacy Policy. You will also be able to find out more information about how City processes your information and how you can contact City’s Data Protection Officer. Where there is inconsistency between those documents and this notice, this notice shall prevail.

If you raise a concern with City about the way it has handled your personal information, you are entitled to lodge a concern with a supervisory authority. In the UK, the supervisory authority is the Information Commissioner’s Office (ICO).

Example Privacy Notice 2 - Survey

Please note that this example privacy notice for surveys is to be used as a guide only, and you will need to tailor this to fit the specific survey you are conducting.

Please also note that this privacy notice should ideally feature at the end of the survey form.

For further information, please email dataprotection@city.ac.uk and someone from the Information Compliance Team will be able to provide further advice.

Privacy Notice

It is important that you read this notice so that you are aware of how and why we are using such information. This privacy notice describes how we collect and use personal information about you during and after your relationship with us, in accordance with data protection law. You can find additional information at www.city.ac.uk/about/governance/legal including City’s Data Protection Policy.

City is the ‘data controller’ of this information. This means that City decides what your personal information is used for, and the ways in which it is processed.

What data do we collect?

City will collect and process the personal information that you have provided to us about yourself on this form. This personal information is [tailor as required e.g. student ID number, name, course name and Academic School, Course, Level and Year of study, Gender, Domicile, Career Stage, Career Stage Detail, Clearing route].

The personal information that you provide will be processed securely for the purposes of [tailor as required e.g. for the purposes of building persona profiles for different groups of students based on their behaviours and drivers which lead them to engage/not engage with the City Careers Service; and allow City Careers Service to identify appropriate persona profiles by Academic School and employment phase to inform the development of service provision, promotion and interventions].

How will we use your data?

The personal information and criminal offence data that you provide will be processed securely for the purposes of considering your application to study at City, University of London.

Lawful basis for processing your data

The legal basis on which City processes your general personal data is set out at www.city.ac.uk/about/governance/legal/data-protection.

NB. If you are processing special category data, you will need an additional lawful basis as per Article 9 of the GDPR.

How long will we store your data?

Option A: City will retain your information until [insert retention period].

Option B: In order to determine the period for which we will retain your information, we consider the following factors: [insert a few bullet points explaining the factors affecting retention, e.g. any business reasons, legal retention requirements, etc.]

Who we will share your data with

If you intend to make any disclosures to third parties (including suppliers), insert the sentence below.

Example text:

We will share information you provide with [list third parties to whom data is disclosed and explain the purposes for disclosing data to them if this wouldn’t be immediately obvious to individuals. Certain types of suppliers can be listed by category – these include lawyers, auditors, and professional advisers.].

Further example if using market research agency: We will share information you provide with [Market Research Agency], a third party market research agency, who will carry out the data analysis on the survey responses on City’s behalf. We have signed a data processing agreement with this agency to comply with our obligations under Article 28 of the GDPR.

We will not transfer your personal information outside the European Economic Area.

Further information

If you raise a concern with City about the way it has handled your personal information, you are entitled to lodge a concern with a supervisory authority. In the UK, the supervisory authority is the Information Commissioner’s Office (ICO).