What to provide
We provide individuals with all the following privacy information:
☐ The name and contact details of our organisation.
☐ The name and contact details of our representative (if applicable).
☐ The contact details of our data protection officer (if applicable).
☐ The purposes of the processing.
☐ The lawful basis for the processing.
☐ The legitimate interests for the processing (if applicable).
☐ The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).
☐ The recipients or categories of recipients of the personal data.
☐ The details of transfers of the personal data to any third countries or international organisations (if applicable).
☐ The retention periods for the personal data.
☐ The rights available to individuals in respect of the processing.
☐ The right to withdraw consent (if applicable).
☐ The right to lodge a complaint with a supervisory authority.
☐ The source of the personal data (if the personal data is not obtained from the individual it relates to).
☐ The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).
☐ The details of the existence of automated decision-making, including profiling (if applicable).
When to provide it
☐ We provide individuals with privacy information at the time we collect their personal data from them.
If we obtain personal data from a source other than the individual it relates to, we provide them with privacy information:
☐ within a reasonable period of obtaining the personal data and no later than one month;
☐ if we plan to communicate with the individual, at the latest, when the first communication takes place; or
☐ if we plan to disclose the data to someone else, at the latest, when the data is disclosed.
How to provide it
We provide the information in a way that is:
☐ easily accessible; and
☐ uses clear and plain language.
Changes to the information
☐ We regularly review and, where necessary, update our privacy information.
☐ If we plan to use personal data for a new purpose, we update our privacy information and communicate the changes to individuals before starting any new processing.
Best practice – drafting the information
☐ We undertake an information audit to find out what personal data we hold and what we do with it.
☐ We put ourselves in the position of the people we’re collecting information about.
☐ We carry out user testing to evaluate how effective our privacy information is.
Best practice – delivering the information
When providing our privacy information to individuals, we use a combination of appropriate techniques, such as:
☐ a layered approach;
☐ just-in-time notices;
☐ icons; and
☐ mobile and smart device functionalities.