Website Privacy Policy

How does it work?

1. Choose this template

Start by clicking on "Fill out the template"

2. Complete the document

Answer a few questions and your document is created automatically.

3. Save - Print

Your document is ready! You will receive it in Word and PDF formats. You will be able to modify it.

Optional legal consultation

You can choose to get help from a lawyer after filling out the document.

Last revision: 19/01/2024

Available formats: Word and PDF

Size: 6 to 10 pages

Option: Help from a lawyer

Rating: 4.6 - 81 votes

This document can be used by any UK-based website owner to set out the manner in which it processes the personal information of its users. Individuals from whom personal information is collected are referred to as 'data subjects'.

Why is it important for a website to have privacy documents and policies?

It is important for a website to have such a policy under UK law because:

  • businesses are required to provide individuals with very specific information regarding the processing of their data (such as the purpose for collecting the data and the legal bases for processing the data) (Article 13 UK GDPR);
  • furthermore, the required information should ordinarily be provided at the same time that any personal data is obtained from an individual (Article 13 (1) UK GDPR); and
  • the required information should be concise, transparent, easily accessible and provided in plain language (Article 12 UK GDPR).

Role of the privacy policy

As described above, there are requirements placed upon businesses with regards to the various pieces of specific information which they must provide to any data subject. However, there is also a requirement for information to be clear and concise.

In order to strike this balance, the Information Commissioner's Office (the regulatory body which oversees data processing in the United Kingdom), has suggested a layered approach is one of the most efficient ways to properly communicate all the relevant information. For example, key information can be provided to data subjects in a notice or statement, with links or click features to allow data subjects to obtain more detail if needed.

This particular document allows a website to set out its general processing, storage and usage of personal data, in order to fulfil the requirement to supply data subjects with 'transparent' information (Articles 13 and 14 of UK GDPR).

A website owner should also hold a shorter simple 'privacy notice' which would be provided to data subjects upon the point of collection in a concise manner (as per the requirement of Article 13 (1) UK GDPR). The shorter notice may have an index system to expand into more detailed guidance (for example to link to this policy) or may have links to more detailed information as per the layered approach.

In addition to the short notice and this general policy, a website owner may wish to have further policy documents to provide even more detail regarding specific areas of processing such as:

Sensitive data

Where a website processes sensitive data, this fact can be stated within this policy document; however, there are additional measures which a website must also put in place. In particular, website owners should be aware that, where any sensitive data is collected from data subjects, a further comprehensive policy must be held to address the collection of sensitive data specifically. Where sensitive data is collected, a website will often rely upon consent as the lawful justification for processing data. The website will therefore need to obtain explicit consent/opt-in consent at the time of collection via a separate specialised form.

Sensitive data is personal information which relates to:

  • an individual's genetic data
  • an individual's biometric data
  • an individual's ethnic origin
  • an individual's political opinions
  • an individual's religious or philosophical beliefs
  • information regarding an individual's connection to a trade union
  • information regarding an individual's physical or mental health or condition
  • information regarding an individual's sexual life.

Criminal offence data

Websites may also sometimes need to process data relating to any criminal offences of data subjects (for example, to meet regulatory requirements or for fraud prevention purposes). Criminal offence data falls into its own category and must also be justified under further very specific grounds. The existence of criminal data processing should be stated in this general policy together with the lawful reasoning; however, it is usually necessary for a website to also hold a separate specific policy where criminal data is processed.

Other restrictions and requirements

There are additional restrictions and requirements which may apply to a website's use of personal information in other circumstances, for example where personal information is transferred outside of the United Kingdom, or where decisions are made using personal information via an automated process. These can be addressed and detailed within this document if so required.

This document is designed for a website which is not aimed at children and where the website does not process child data. Websites still must consider, regardless of the intentions of the website, whether children may access the website and whether there is any possibility of inadvertently processing child data. In those circumstances, a website must consider the Children's code.

How to use this document

This document should be filled out with the relevant information. When personal information is collected directly from a data subject, they should be informed of the relevant privacy information at the time that the data is collected.

Where information is obtained about an individual from another source, they must be informed within a reasonable period and no later than one month after it is collected.

The privacy information must be actively provided to individuals, by making the individuals aware of its existence and by placing the policy on the website in an accessible location.

Where a website processes sensitive information, and is relying upon the data subject's consent for this, the consent must be obtained separately. The website should:

  • display a clear and prominent request for the information just prior to the point of collection;
  • ask the user to opt-in or consent to the collection of such information;
  • provide enough information to enable the user to make an informed choice; and
  • record their response.

In a similar manner, where a website is relying upon consent of data subjects in order to justify direct marketing, the consent should be obtained separately.

As set out above, the policy may be used in conjunction with other specific policies, for example where sensitive or criminal offence data is being processed or where cookies are being used by the website.

Relevant law

As of 1 January 2021, the law relating to data protection in the UK is governed by:

  • The Data Protection Act 2018
  • The retained EU General Data Protection Regulation 2016/679 (UK GDPR).

The governing/supervisory body for upholding data protection rights is the Information Commissioner's Office (the ICO).

Help from a lawyer

You can choose to consult a lawyer if you need help.

The lawyer can answer your questions or help you through the process. You will be offered this option when you complete the document.

How to modify the template

You fill out a form. The document is created before your eyes as you respond to the questions.

At the end, you receive it in Word and PDF formats. You can modify it and reuse it.
