Privacy notice (PN)

A Privacy notice (PN) is a document which informs people about how their data is being used, what their rights are under data protection legislation, and how they can exercise them.

A key principle of data protection laws is being transparent with people about how you use and share their information. A privacy notice should be one of your main tools for demonstrating transparency.

Publishing a PN and making it available to the public is also a requirement of the Data Security Protection Toolkit.

The template PN can be used for any use of health and care information or other types of information such as employment data.

However, if you are a sponsor for research or research site you will need to prepare a separate PN about your use of personal data for research. You should refer and link to the HRA’s transparency template for sponsors, or its transparency template for sites, as appropriate. The PN should not be used to cover the use of data for research purposes.

You must ensure that a PN is available to individuals before you start to use or share people’s information.

Any staff member who knows the details of the project or activity can fill out the PN. However, it should be approved by the organisation’s data protection officer (DPO),  information governance (IG) lead or team, or management team at the end of the process.

You will need to know your organisation’s processes for using and sharing information, records management and upholding individual rights. If your organisation has completed a DPIA for the project or activity, the information can be taken from there. All data uses recorded in your IAFR must be reflected in your PN to ensure transparency. For a detailed list of information which should be included in a PN, see the ICO's guidance.

Your PN should be published either on the website, displayed on notice boards or printed and made available, so that it is accessible to staff and members of the public.

The PN should updated whenever it is appropriate to do so. Reasons for necessary updates might be when your policies change, or when a new staff member is appointed to the role of DPO within your organisation.