Checklists
-
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
What to provide
We provide individuals with all the following privacy information:
☐ The name and contact details of our organisation.
☐ The name and contact details of our representative (if applicable).
☐ The contact details of our data protection officer (if applicable).
☐ The purposes of the processing.
☐ The lawful basis for the processing.
☐ The legitimate interests for the processing (if applicable).
☐ The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).
☐ The recipients or categories of recipients of the personal data.
☐ The details of transfers of the personal data to any third countries or international organisations (if applicable).
☐ The retention periods for the personal data.
☐ The rights available to individuals in respect of the processing.
☐ The right to withdraw consent (if applicable).
☐ The right to lodge a complaint with a supervisory authority.
☐ The source of the personal data (if the personal data is not obtained from the individual it relates to).
☐ The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).
☐ The details of the existence of automated decision-making, including profiling (if applicable).
When to provide it
☐ We provide individuals with privacy information at the time we collect their personal data from them.
☐ If we obtain personal data from a source other than the individual it relates to, we provide them with privacy information:
☐ within a reasonable of period of obtaining the personal data and no later than one month;
☐ if we plan to communicate with the individual, at the latest, when the first communication takes place; or
☐ if we plan to disclose the data to someone else, at the latest, when the data is disclosed.
How to provide it
We provide the information in a way that is:
☐ concise;
☐ transparent;
☐ intelligible;
☐ easily accessible; and
☐ uses clear and plain language.
Changes to the information
☐ We regularly review and, where necessary, update our privacy information.
☐ If we plan to use personal data for a new purpose, we update our privacy information and communicate the changes to individuals before starting any new processing.
Best practice – drafting the information
☐ We undertake an information audit to find out what personal data we hold and what we do with it.
☐ We put ourselves in the position of the people we’re collecting information about.
☐ We carry out user testing to evaluate how effective our privacy information is.
Best practice – delivering the information
When providing our privacy information to individuals, we use a combination of appropriate techniques, such as:
☐ a layered approach;
☐ dashboards;
☐ just-in-time notices;
☐ icons; and
☐ mobile and smart device functionalities.