The ICO exists to empower you through information.

Use this tool to create a bespoke privacy notice for your staff or volunteers.

The tool will ask you questions broken down into simple steps, and then generate a privacy notice that you can download (or copy and paste) and add your own branding. You can then share your privacy notice with people in your organisation.

This tool is for small and medium-sized businesses and charities. It’s not suitable for organisations that:

  • use large amounts of sensitive personal information;
  • carry out automated decision making; or
  • are required to have a data protection officer (DPO).

Before you start

Make sure you have the following information to hand before you create your privacy notice:

☐ A basic understanding of data protection and how it applies to your business

What does this mean?

If you’re new to data protection, we suggest you read our beginner’s guide before using this tool. There are some steps you might need to take before you’re able to get started.

Whether you’re a joint controller

What does this mean?

You need to know whether you work with any joint controllers. A joint controller is someone you work with who uses the personal information for the same purpose. Read our guidance on joint controllers for further information.

☐ Why you collect and use information

What does this mean?

You need to know why you’re collecting and using staff or volunteers' information. Your reasons might be for staff administration, recruitment or health and wellbeing. 

☐ What types of personal information you collect

What does this mean?

You need to know the types of personal information you collect and use, such as names, HR records and bank details.

Personal information is any information that identifies and relates to a living person. This includes information such as employment records.

Find more about what is considered personal information.

☐ Why you are allowed to use personal information

What does this mean?

You need to know all the lawful bases you rely on to collect and use personal information. If you haven't decided this, using our interactive tool will help you. You may have a different lawful basis for each of the reasons you use information.

☐ Where you get people’s information from

What does this mean?

You need to know where you collect people's data from, eg directly from the person, from previous employers, occupational health providers or CCTV.

☐ How long you keep people’s information

What does this mean?

You need to know how long you keep information for, and how you delete or destroy it when you no longer need it. If you don’t have a specific timeframe for how long you keep information, you must tell people how you decide how long you’ll keep their information, eg until a contract ends. Read our guidance on retention for further information.

☐ Which organisations you share information with, and why

What does this mean?

You need to know which organisations you share information with, eg HRMC, data processors or storage platforms.

If you share information with data processors (someone you have hired to do something with personal information for you), you need to know why you share the information with them.

☐ If you share personal information overseas

What does this mean?

You need to know if you are sending information to a separate organisation outside the UK.

This could include:

  • sending information outside the UK by email;
  • giving an international organisation access to one of your databases; or
  • storing personal information on an international server.

It also includes your data processor sharing information for you.

Read more on transferring personal information outside of the UK.


Please note
: Using this tool will help you tell your staff or volunteers how you use their information, but it’s your responsibility to comply with the law by making sure all the information is accurate and complete. You must keep the content up to date.

This privacy notice generator is in beta phase. This means it is being tested, amended and updated following review and feedback.  If you use this privacy notice generator while it is in beta phase you must review your privacy notice and update it once the privacy notice generator is in final form, in the next 12 months.

In any event, in accordance with data protection law you should regularly review your privacy notice to ensure it remains accurate and up to date.  We recommend that you review your privacy notice at least every 12 months, or sooner if you make significant changes.

The privacy notice generator does not cover the use of cookies. Click here to read our cookies guidance.

The information you input will be retained until midnight on the day you submit it. This is necessary so the tool can produce your bespoke privacy notice. The ICO will not access or use this information.