Design

Collecting personal information from users

Minimise the personal information you collect from users - and make sure you’re only collecting personal information when it’s a proportionate way of solving the problem you’re trying to solve.

Talk to your data protection expert or legal adviser to make sure what you’re planning to do is proportionate in the circumstances.

Make it as easy as possible for users to understand how you’ll use any personal information you do collect.

If your service uses cookies or similar technologies to store information on a user’s device, you must follow the guidance about using cookies.

Do not collect information you do not need

The first thing to do is remove any questions that you do not need to ask. As well as minimising the personal information you’re collecting, that will make your service simpler to use.

Make sure you do not accidentally collect personal information by setting up your digital analytics tools correctly, and avoid putting personally identifiable information in page titles and H1s.
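The analytics point above is easy to get wrong in practice: a page title or URL that carries an email address or reference number will be sent to the analytics tool with every page view. The following is an added example, not code from the Service Manual, showing a last line of defence: a scrub step that strips personal information from the title and path before they reach the analytics call. The regular expressions, the list of sensitive query parameter names and the sample inputs are all constructed for this example, and the scrub does not replace designing titles and H1s that never contain personal information in the first place.

```javascript
// Added example, not code from the Service Manual: scrub personal information
// from the page title and path before a page view is sent to an analytics tool.

// Patterns for two common kinds of identifier; both constructed for this example.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
// UK National Insurance number shape: two letters, six digits, one letter A-D.
const NINO_RE = /\b[A-Z]{2}\d{6}[A-D]\b/gi;

// Query-string parameter names assumed (for this example) to carry personal data.
const SENSITIVE_PARAMS = new Set(['email', 'name', 'postcode', 'dob', 'nino']);

// Replace any identifier matching the patterns above with a fixed placeholder.
function redactText(text) {
  return text.replace(EMAIL_RE, '[email]').replace(NINO_RE, '[nino]');
}

// Percent-decode so an encoded email (jo%40example.com) is still recognised;
// fall back to the raw string if the encoding is malformed.
function safeDecode(value) {
  try {
    return decodeURIComponent(value);
  } catch (e) {
    return value;
  }
}

// Redact a URL path: scrub the path segments, drop the values of sensitive
// query parameters entirely, and scrub the values of the remaining ones.
function redactPath(path) {
  const qIndex = path.indexOf('?');
  const base = qIndex === -1 ? path : path.slice(0, qIndex);
  const query = qIndex === -1 ? '' : path.slice(qIndex + 1);
  const kept = [];
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const [key, ...rest] = pair.split('=');
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) {
      kept.push(`${key}=[redacted]`);
    } else if (rest.length) {
      kept.push(`${key}=${redactText(safeDecode(rest.join('=')))}`);
    } else {
      kept.push(key);
    }
  }
  return redactText(safeDecode(base)) + (kept.length ? `?${kept.join('&')}` : '');
}

// Build the page-view record an analytics call would receive.
function analyticsPageView(title, path) {
  return { title: redactText(title), path: redactPath(path) };
}

// Constructed sample: a title and URL that leaked personal data.
console.log(analyticsPageView(
  'Check your claim, jo.bloggs@example.com',
  '/claim/check?ref=AB12&email=jo%40example.com'
));
```

Run the scrub on every page view and also check the analytics tool's own settings (IP anonymisation, which fields it captures by default), since a client-side filter only covers the values your code passes to it.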

Do not store information any longer than you need to

You do not always need to store personal information at all. For example, let’s say you need to know if someone is getting a particular benefit so you can tell whether they’re eligible to use your service.

You may be able to use an application programming interface (API) or so you can just record whether they were eligible or not. And avoid storing the raw personal information they supplied (for example, a scan of the benefit letter that proved their eligibility).

Do not store personal information you do collect for longer than you need to given the purpose you collected it for. This will reduce opportunities for attackers to exploit security vulnerabilities in your service.

The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR). These rules state that you need to be clear about your legal basis for collecting personal information.

Getting consent from the user is one basis.

But if the information you’re collecting is an essential part of providing a public service, think carefully about whether it could be better to rely on a different basis, for example, the ‘public task’ basis.

For example, if you’re running a government service that involves issuing an official document in someone’s name, it’s probably not meaningful to ask for consent to collect their name, because it’s not possible to provide the service without collecting that information.

Aside from consent, the other legal bases are:

  • ‘public task’ - you need to collect or process the information to carry out a task in the public interest, or for an official function
  • ‘contract’ - you need to collect or process the information to fulfil a contract you’ve entered into with the user - or because they have asked you to do something before entering into a contract (for example, provide a quote)
  • ‘legal obligation’ - you need to collect or process the information to comply with the law (this does not include contractual obligations)
  • ‘legitimate interests’ - you need to collect or process the information to protect your interests, or those of a third party (and it’s reasonable to do so when balanced against the user’s interests)
  • ‘vital interests’ - you need to collect or process the information to protect someone’s life

If you’re a public body you cannot rely on ‘legitimate interests’ for personal information you’re collecting or processing as part of a public task - only for things that are outside the scope of a public task.

Your data protection expert or legal adviser will be able to advise you what legal basis to rely on. Learn how to identify relevant to your service.

If you are relying on consent as the basis for collecting and processing personal information, it has to be meaningful consent. If a user refuses their consent, they must still be able to use the service.

Consent means the user has to explicitly agree to you using their information in a specific way, not just failing to say they disagree. Ask a direct question rather than relying on the user ticking or unticking a check box.

Make it clear what the user is agreeing to. It’s not consent if the user does not understand what they’re consenting to.

And be equally clear about what the user should do if they want to withdraw their consent.

For example, if you wanted consent to send emails that are not directly related to providing the service, you might:

  • ask a direct question like ‘Can we send you emails about [X subject]?’
  • tell the user how often you usually send the emails, so they can make an informed decision
  • tell the user that they can stop the emails at any time, with details of how to do it

Consent must be specific. If you’re asking users to consent to different things, ask for consent to each thing in a separate question.

Tell users what information you’re collecting and what you’ll do with it

Use plain language to explain what personal information you’re collecting and what you’ll do with it.

Put things in terms that will be familiar to your users. For example, you may need to explain things in a different way if your service is aimed at children.

If you’re doing something that has an especially significant consequence for the user, or it’s something that the user might not expect to happen, do not rely on them reading the privacy notice to find out about it.

For example, if you’re collecting information that’s going to be put on a public register, tell the user in the main flow of the service.

Privacy notices

Create a privacy notice that’s specific to the service. In an online service, the privacy notice should be available to the user at any point, via a ‘privacy’ link in the footer. Do not bury it in a terms and conditions page. Serve the privacy notice as part of the service, not as a page on GOV.UK.

Privacy notices and other ‘legal’ content must be written in plain English and to GOV.UK style, just like any other content.

Explain, clearly and concisely:

  • step by step, what you’ll do with the personal information once you’ve collected it
  • why you’re collecting their personal information
  • which of the legal bases you’re using for collecting and processing personal information
  • how long you’ll keep the personal information - or, if there’s no set period, how you’ll decide how long to keep it

If you’re collecting and storing personal information on the basis of a legitimate interest, you’ll need to explain how you balanced those interests against the user’s interests.

In the privacy notice, you’ll also need to:

  • say who the ‘data controller’ for the service is (usually your department or agency)
  • explain in what circumstances you’ll share the information outside your organisation, and who with (including any ‘data processors’ - organisations processing personal information on your behalf)
  • provide contact details for any data processors who will be processing personal information on your behalf

If the personal information will be transferred outside the UK as part of the processing, make that clear. And say what you’re doing to make sure the personal information gets the same level of protection as it would within the UK.

If the service uses an automated decision making process (for example, a computer algorithm), explain clearly how it works.

The Digital Marketplace has .

This is not necessarily a complete list of what should go into a privacy notice. Check the privacy notice with your organisation’s data protection expert or legal adviser.

Personal information charters

Do not go into detail about the standards your organisation follows when dealing with personal information in the privacy notice - link to your organisation’s official personal information charter instead.

The personal information charter should include information on how to get in touch with your Data Protection Officer.

It should also explain users’ rights - including their rights if they want to see personal information you’re holding about them, or if they want you to erase or restrict processing of personal information you’re holding about them.

The Cabinet Office has an example of a clearly written personal information charter.

Especially sensitive personal information

There may be additional things to consider if you’re collecting especially sensitive types of personal information. For example, personal information about children, or information relating to ethnicity, health, genetics or biometrics.

Check with your organisation’s data protection expert or legal adviser.

Last update:

  • Adding explicit guidance about excluding personally identifiable information from page titles and H1s.
  • Integrated guidance about understanding business objectives and user needs, understanding cyber security obligations, and sourcing a threat assessment.
  • Updated reference to EEA legislation.
  • Guidance first published