Privacy notice generator for customers or suppliers – health and social care
This privacy notice generator is under construction. There may be some inconsistencies between your answers and the generated report while we make changes. If you use the generator during this period, please double-check your report.
Use this tool to create a bespoke privacy notice for your patients, service users, residents, contractors or suppliers etc. The privacy notice generator is only suitable for the sector it’s designed for, and for that sector’s collection and use of customer and supplier personal information.
The tool will ask you questions broken down into simple steps, and then generate a privacy notice that you can download (or copy and paste) and add your own branding. You can then share your privacy notice with people outside your organisation.
This tool is for small and medium-sized businesses and charities. It’s not suitable for organisations that:
- carry out automated decision making; or
- are required to have a data protection officer (DPO).
Where this is the case, the generated privacy notice may not be compliant with the law without significant restructuring and amendments being made.
Before you start
Make sure you have the following information to hand before you create your privacy notice:
☐ A basic understanding of data protection and how it applies to your business
What does this mean?
If you’re new to data protection, we suggest you read our beginner’s guide before using this tool. There are some steps you might need to take before you’re able to get started.
You should also be familiar with key data protection terms including what personal information is.
☐ What personal information you collect or use
What does this mean?
Personal information is any information that identifies and relates to a living person. Read our guidance to find out more about what’s considered personal information.
You first need to understand all the types of personal information you are collecting or using in your organisation.
There are some types of personal data that are likely to be more sensitive, and need more protection. These are known as special category data under the UK GDPR.
This includes personal data revealing or concerning:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- health;
- a person’s sex life; and
- a person’s sexual orientation.
You can find out more about what you need to do with this type of information by reading “If we’re processing special category data, what do we need to do?”
☐ Why you collect and use information
What does this mean?
You need to know why you’re collecting and using people's information. For example, your reasons might be to provide patient care or for safeguarding or public protection reasons.
You should also identify the minimum amount of personal information you need to fulfil your purpose. You should hold that much information, but no more. Read our guidance on data minimisation for further information.
☐ Whose personal information you collect
What does this mean?
You need to know whose personal information you’re collecting. You also need to understand your target audience so you can make sure your privacy notice is accessible and appropriate for everyone it applies to. You may need to provide different versions depending on who your data subjects are eg consumers or businesses.
You must think about whether you’re collecting information about children, as they need higher protection in how their data is used. If you’re providing online services likely to be accessed by children in the UK, you must take into account the best interests of the child. Read our guidance on the children’s code for further information.
☐ An understanding of your role and your relationships under data protection law
What does this mean?
You need to understand if you are using personal information as a controller, joint controller or processor. These technical terms are explained in our guidance on data protection terms.
Next, look at your contracts or terms and conditions with your customers, suppliers, service providers, insurers, accountants and any others. These may be small or large businesses, charities, clubs and other organisations or sole traders. We use the word “organisation” to mean any of those.
In these documents you may find helpful information, in particular:
- Whether you or the other organisation is acting as a controller, joint controller or processor.
- Why you’re collecting and using personal information.
☐ Why you are allowed to use personal information
What does this mean?
You need to know all the reasons you can rely on to collect and use personal information (known as lawful bases). You may have a different lawful basis for each of the reasons you use this information. The six lawful bases are: consent, contract, legal obligation, vital interests, public task and legitimate interests. Read our guidance on lawful bases for further information.
If you haven’t decided which lawful basis to rely on, you can use our interactive tool to help you.
☐ Where you get people’s information from
What does this mean?
You need to know where you collect people's information from. It may be directly from the person or it may be from other sources, including public sources. There are lots of places you may receive information from, such as family members or carers, social services or other health and care providers.
☐ How long you keep people’s information
What does this mean?
You need to consider how long you need to keep information for, so you know to delete or destroy it when you no longer need it. If you don’t have a specific timeframe for how long you keep information, you must tell people how you decide how long you’ll keep their information for, eg until a contract ends. Read our guidance on retention for further information.
☐ Which organisations you share information with, and why
What does this mean?
You need to know which organisations you share information with, including any data processors. Your contract with the organisation should set out if they are a processor.
If you use a service provider to store your data, or to provide your email and other administrative services (these may be cloud services), you will be sharing personal information with them.
If you allow an organisation to access personal information that remains on your system, this also counts as sharing information.
☐ If you share personal information overseas
What does this mean?
You need to know if you’re sharing information with a separate organisation based outside the UK.
You will not be sharing information outside of the UK if the other organisation is a UK-based company. Check your contracts or terms and conditions to see if the other organisation is UK-based.
Sharing data overseas could include:
- Sending information outside the UK by email.
- Giving a non-UK organisation access to your database.
- Using a non-UK company as your service provider, for example cloud services, storage or support.
This does not include sending information to a non-UK consumer. A consumer is a living person that you’re providing goods or services to for their own domestic or household purposes, and not relating to their trade, business or profession.
If you’re using a UK-based processor, sharing data overseas also includes cases where that UK processor shares information with sub-processors that are non-UK companies. Your contract with the UK processor should set out this information.
Read our guidance to learn more about transferring personal information outside of the UK.
Please note: This privacy notice is not written for children under 18. Where you collect or use personal information of people under 18, you must present your privacy information in a way that can be understood by them. For more information, see our guidance on designing data transparency for children.
This privacy notice is not written for people who are unable to read English or people with a learning disability. This is because they may not understand it and therefore cannot make an informed choice about providing their personal information to you.
Using this tool will help you tell your customers and suppliers how you use their information, but it’s your responsibility to comply with the law.
This privacy notice generator is in beta phase. This means it is being tested, amended and updated following review and feedback. If you use this privacy notice generator while it is in beta phase you must review your privacy notice and update it once the privacy notice generator is in final form, in the next 12 months.
In any event, in accordance with data protection law you should regularly review your privacy notice to ensure it remains accurate and up to date. We recommend that you review your privacy notice at least every 12 months, or sooner if you make significant changes.
The privacy notice generator does not cover the use of cookies. If you have a website read our cookies guidance.
The information you input will be retained until midnight on the day you submit it. This is necessary so the tool can produce your bespoke privacy notice. The ICO will not access or use this information.