Charity privacy notice

Privacy notice for a charity (GDPR compliant)

CO.CHA.153

This Privacy notice for a charity (GDPR compliant) template is designed to provide data subjects with important information about a charity’s use of personal data, as required by the GDPR and the Data Protection Act 2018, and it has been written in the light of best practice established since the GDPR came into effect. It is intended to be an aid to help charity trustees draft a privacy notice appropriate to their charity. It includes a template Subject Access Form (at the end of the Notice) which may be included if desired.

This template provides detail to data subjects in a number of key areas, including how personal data is collected by the charity, the source of that data, how it is used, and how it is shared. It is designed primarily for use offline (or at least with offline data collection).

The document, as a template, has been designed for general application, the provisions included in it are broad, and they will not necessarily apply to all situations. It can therefore only be a starting point in the drafting process and a charity’s trustees will need to tailor the template to the particular circumstances and needs of their charity.

Some of the optional wording in square brackets in this template relates to ‘special category’ (‘sensitive’) personal data, data relating to criminal convictions, and children’s personal data. If your charity will process any such data you may require specific legal advice as to the appropriate wording to be included in this document and about additional measures that may be required.

The document assumes that no data will be stored or transferred by the charity outside the EEA. If, however, any data will be stored or transferred outside the EEA by your charity, you will need to take advice as to suitable provisions to be added to the template and any other measures to be taken.

This template also assumes that there will not be any automated decision-making and/or profiling by the charity, and so it does not include any provisions relevant to automated decision-making and/or profiling. The law features additional restrictions and rights relating to this kind of data processing, and if there will be any such data processing by your charity, you should seek guidance and advice on automated decision-making and profiling. Information on that topic is available on the ICO website.

When completing this template, ensure that your privacy notice accurately reflects the types of personal data that your charity collects, how it is collected, how your charity actually uses the personal data that it collects, and associated procedures. Where data is sourced by your charity from a third party, it is important that you specify what type of organisation that third party is, and whether it is a private or public organisation. Whilst it is important to set this all out in some detail, it is also important that the privacy notice should be user-friendly, and as clear and simple as possible.

It is also important to explain the ‘lawful basis’ which allows your charity to collect and use personal data. There are several lawful bases to choose from, as explained on the ICO website. Consent, the data being necessary for a contract, or ‘legitimate interests’ are, we suggest, the most likely bases for many charities. However, it is important to take care when choosing. ‘Consent’ may appear to be the most straightforward, but this is often not the case. Furthermore, if you opt to rely on ‘legitimate interests’, it is important to explain what those interests are in your charity’s privacy notice.

How long does your charity keep personal data? This is an important question to which individuals need to know the answer. When dealing with this in your charity’s privacy notice, it is important to be as specific as possible. It is also important to keep in mind that some data retention periods may be specified by law, but this will not apply in many cases. Legal advice should always be sought if there is any doubt. Please note that example retention periods are not included in this template.

A further important point to note relates to your charity’s data security arrangements. Users should be able to understand what your charity is doing to keep their personal data safe. When setting out measures such as encryption, ensuring on-going confidentiality, and recovering data in the event of loss, be sure to use user-friendly language.

Optional phrases / clauses are enclosed in square brackets. These should be read carefully and selected so as to be compatible with one another. Unused options should be removed from the document.

This Privacy Notice contains the following parts:

Introduction

1. Information about us

2. What does this Notice cover?

3. What is “personal data”?

4. What are my rights?

5. What personal data do you collect and how?

6. How do you use my personal data?

7. How long will you keep my personal data?

8. How and where do you store or transfer my personal data?

9. Do you share my personal data?

10. How can I access my personal data?

11. How do I contact you?

12. Changes to this privacy notice

Schedule - Subject Access Request Form

This Privacy Notice is in open format. Either enter the requisite details in the highlighted fields or adjust the wording to suit your purposes.

Once you have purchased access to the Corporate document folder click on the “Download Document” link below. You will be asked what you want to do with the file. It is recommended that you save the document to a location of your choice prior to viewing.
