Our Policies and Procedures

Privacy Information Guidance

Data protection law specifies that controllers must inform data subjects about how they use their personal information. This means that Middlewich & District Foodbank must inform the people that use foodbanks, our supporters, volunteers and other data subjects about how we collect and use their personal information. This is often referred to as ‘privacy information’.

Privacy information must be understandable and accessible, presented legibly, in a reasonable font size, and written in easy to understand language that avoids jargon or overly legalistic terminology.

Privacy information that must be provided

The following privacy information must be provided to data subjects.

  • The identity of the controller
  • The purpose of the processing and the lawful basis for the processing
  • Categories of personal data
  • Any recipient or categories of recipients of personal data
  • Details of transfers to third parties and safeguards
  • The retention period or criteria used to determine the retention period
  • The existence of each data subject right
  • The right to withdraw consent, where relevant, at any time
  • The right to lodge a complaint with a supervisory authority
  • The source the personal data originates from and whether it came from publicly accessible sources
  • Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data
  • The existence of automated decision making, profiling and information about how decisions are made, the significance and the consequences

Providing privacy information

It is likely to be inappropriate or impossible to include all the required privacy information at the first point at which personal information is being collected.

The ICO recommends a layered approach and providing information in a range of ways.  This layered approach can be useful as it allows you to provide the key privacy information immediately and have more detailed information available elsewhere for those that want it.  This is helpful where there is not enough space to provide more detail.

Privacy information can be provided through a variety of media including:

  • Orally – face to face or when you speak to someone on the telephone
  • In writing – printed media, printed adverts, forms, such as registration forms
  • Through signage – for example an information poster in a public area
  • Electronically – in text messages, on websites, in emails

In addition to this, it is necessary to include privacy information when collecting personal information in writing or verbally. This privacy information is often called a Fair Processing Notice (FPN) or Privacy Notice / Statement.

Fair Processing Notices

Information usually included in an FPN when collecting personal information is:

  • The identity of the controller
  • The purpose of the processing and the lawful basis for the processing
  • Notice if personal information may be shared with any other organisation (other than for routine third party processing e.g. mailings)
  • Notice if personal information may be transferred outside of the EEA
  • Notice of any processing of personal information that the data subject might not reasonably expect e.g. automated decision making or profiling
  • Reference to where the remainder of the privacy information can be found e.g. a link to a Privacy Policy
