Privacy Policy: template for charities

Privacy policy template

This post helps you understand privacy policies, privacy notices and what you need to do in this area to comply with the GDPR. 

As with our other data protection resources, we have tried to decode the guidance provided by the Information Commissioner’s Office ('ICO' - the government body that oversees data protection in the UK) and interpret it in a way that helps small charities understand the key provisions and adopt a proportionate response considering their own size and audience. 

This all comes with the important caveat that we are not lawyers! We support small charities with practical, no-nonsense guides to communicating well online. So these resources should save you a lot of time, but it’s prudent to get a lawyer to check them over too.


Privacy Notice vs Privacy Policy under the GDPR?

As we discussed in our guide to GDPR and data protection for small charities, the new data protection legislation adds clarity to many requirements that already existed. One such area is privacy notices and policies. The key term used in the legislation and guidance is ‘privacy notice’ but this is a slippery term that has given rise to a lot of confusion.

Previously, lots of organisations published ‘privacy policies’, but the terminology in the GDPR has left organisations wondering whether they should rename their policies. However, as we explain below, these terms describe two different things. 

According to the ICO, the term ‘privacy notice’ is used to:

  • Describe all the privacy information that you make available or provide to individuals when you collect information about them… This is why the ICO believes that it is good practice to develop a blended approach, using a number of techniques to present privacy information to individuals.

In this light, it seems that ‘privacy policy’ is still the best name for the overarching statement of your approach to privacy. This term describes a document. 

In contrast, each time you collect data from someone you need to think through your ‘privacy notice’. This term explains the individual’s particular experience when they give you data. 

In some cases, the only privacy notice required may be to make your privacy policy available in the footer of your website for the individual to read if they wish. But in other situations, you will need to provide information more proactively to make it sufficiently clear how an individual’s data will be used.

The underlying principle seems clear:

  • Make it simpler for people who interact with your organisation to understand what you will do with their data. The greater the chance they will have concerns, the more actively you should explain your approach.

How to deliver privacy notices

In general terms you need to explain:

  • What data is being processed
  • The lawful basis for this processing
  • The purpose of this processing

All three aspects are clearly set out in the attached privacy policy example. As mentioned above, in some cases all you will need to do is have your privacy policy available and easy to find on your website. However, you should also consider whether the nature of the data being collected requires you to flag up more actively how you will handle it. 

Passive notices

According to the ICO, it’s fine to require an individual to go and find privacy information when their data is being used for a purpose that a reasonable person would expect to be necessary, such as using their address details to send them a product they have ordered. 

Active notices

The ICO guidance on active notices is not prescriptive (i.e. you’ll still need to interpret it for your situation) but it is clear and concise so we’ll quote it here:

“The need to actively provide privacy information is strongest where:

  • you are collecting sensitive information;
  • the intended use of the information is likely to be unexpected or objectionable;
  • providing personal information, or failing to do so, will have a significant effect on the individual; or
  • the information will be shared with another organisation in a way that individuals would not expect.”

So what documents do you need?

Documents alone do not achieve compliance. The GDPR is, in large part, about providing individuals with more transparency. So as a small charity you should think about your documents as a toolkit to help you improve the experience of individuals who engage with your charity. 

This list sets out the key tools you should have in place. Items 1 and 2 are standalone documents, and items 3 and 4 are snippets of text that will change depending on the context in which they are shown. 

1. Data Protection Policy

This is an internal document explaining how you, as a charity, will manage data responsibly in a way that continues to comply with data protection legislation. For more on this, read this post and the associated template on data protection policies.

2. Privacy Policy

This document contains a complete public statement about how your organisation deals with personal data. 

3. Consent statement

For the purpose of direct marketing (i.e. sending people updates about your work or requests for support), you are likely to rely on consent as your ‘lawful basis’ for processing this data. The consent statement answers the question ‘what am I signing up for?’ It should be clear and specific, but you should also think broadly about the future, because if you change this statement and the materials you send out, your old consents may become invalid. 

4. Supplementary privacy notice

These supplementary notices deal with the situation where, due to the nature of the data being collected, you need to flag up more actively how you will handle the information. Passive and active notices are discussed in the previous section. 


Passing data to third parties

The ICO makes a big deal about making your privacy policy easy to read and understand. This means avoiding the temptation to draft a huge document, and that requires knowing not only what is needed but also what can be left out. 

One area that has caused some confusion is how much information is needed in your privacy policy about third parties. If you had to list every third party you used to handle data that would significantly increase the size of your privacy policy. 

Thankfully, the ICO has made it clear that you do not have to include details of all third parties. The key distinction is whether third parties are Data Processors or Data Controllers. These terms can be a little confusing since under the GDPR both data processors and data controllers ‘process’ data. 

A Data Controller determines the purposes and means of handling personal data. When you collect data from people you will normally be the data controller. If you pass data to another data controller this is a big deal. Examples of third-party data controllers are organisations to whom you refer clients or to whom you pass on data for the purposes of marketing. Where you do this you must almost always seek active informed consent that names the data controller to whom you’ll be passing data.

A Data Processor is responsible for processing personal data on behalf of a data controller. An example of this is a payment provider. As long as you have an appropriate agreement in place with the payment provider, there should be no need to tell people the details or request their consent. In our accompanying privacy policy template, we include a short paragraph you can use to explain to people that you may use third-party services as data processors and what you do to ensure they handle this data appropriately.

Don't forget to download the template

Date: 21 May 2018
Author: Andy Pearson