Privacy Notices

The GDPR principles include a requirement on Data Controllers to be ‘transparent’ about the personal data processing that we do, and for this to include specific and explicit explanations of the purposes of this processing.

This is supported by the GDPR rights to be informed about the processing, both when data is being collected directly by us and when it is being collected indirectly (i.e. from another organisation).

In short, we must not do anything with personal data without having taken steps to inform the individuals about it. To process without informing is a breach of the law, unless the Data Protection Act provides a valid exemption. The main means of informing is through ‘Privacy Notices’, and ARU provides comprehensive information on all of our routine processing in our Corporate Privacy Policy.

The Right to be Informed

Information required

The law says that the act of informing a Data Subject requires the following information to be made available:

  • Who we are, and the name of our Data Protection Officer and their contact details
  • A description of the type of data we collect
  • The purpose for which we need this data
  • An explanation of how the law allows us to hold and use the data
  • Who we might share the data with (either because they provide a service on our behalf or they need it for their own purposes and the law allows this)
  • Whether data may be sent to or stored in a country that is outside the European Economic Area (EEA)
  • When we will no longer need the data and how soon after this we’ll delete it
  • Which of the rights a Data Subject is able to use, including the right to withdraw consent (if this is what allows us to hold their data)
  • How to complain to the Information Commissioner’s Office (ICO)
  • Where we got the data from (if the Data Subject didn’t give it to us directly)
  • Whether we use the data to make automated decisions or to do profiling

When the information should be made available

The required information should be made available to the Data Subject:

  • In advance of or at the time they share their data with us, or
  • When it has been shared with us by another organisation:
    • No later than a month after we receive it
    • The first time we contact the Data Subject about this data, or sooner
    • Before or when we share the data with someone else

Where we obtain data directly from the Data Subject, this is usually done by asking them to fill in a form (manually or on a website), by obtaining it verbally (we write down or make audio/video recordings of the information given), or by taking photographs. In advance of, or at the time that, these events occur, we need to make available the information that allows a Data Subject to decide whether they are comfortable with how we intend to process their data.

How the information is presented

This information must be presented in a way that is:
“concise, transparent, intelligible and [in an] easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.”

Layered approach

At ARU we follow the regulator’s best practice guidance, which allows this information to be presented in what is known as a ‘layered approach’, meaning we try to signpost a Data Subject to resources where the ‘informing’ data is held. This means that the forms we use to collect the data do not have to contain excessive information and become difficult to produce and to understand. We will typically provide a simple summary statement about Data Protection on forms which provide either a weblink to our main Corporate Privacy Policy, a bespoke ‘Truncated’ notice or detailed content about a project/initiative. Where more appropriate, we may produce hard-copy versions of this information to present physically to Data Subjects.