Transparency
- Overview
- Model notices and resources
- Child-friendly Privacy Notices
- Accountability Check
- FAQs
- Ask a Question
What Is Transparency
Transparency is about being clear, open and honest with your users about what they can expect from you.
Why is it important?
Transparency is key to the requirement under Article 5(1) of the UK GDPR for the processing of personal data and underpins the fairness element of Article 5(1). If you aren’t clear, open and honest about what you do and why you do it, your original collection and ongoing use of personal data are unlikely to be fair to a data subject.
Transparency and being open and honest about what you do facilitates the exercise of individuals’ rights and gives people greater control over the use of their personal data. This is particularly important if the processing is complex, involves sensitive data or if it relates to a child. Proactively respecting people’s privacy and their rights to privacy can give you the advantage of increasing the confidence of the public, regulators and business partners in your organisation.
The UK GDPR also contains other specific provisions about the information that you must give to data subjects when you process their personal data namely:
- Article 13 (privacy information that you need to provide when you have obtained the personal data directly from the data subject)
- Article14 (privacy information that you need to provide when you have not obtained the personal data directly from the data subject).
- Article 12 which requires you to provide children with privacy information required by Articles 13 and 14 in a way in which they can access and understand.
How can you ensure that you are transparent?
The ICO makes the following recommendations as part of the process of being transparent;
- Provide clear privacy information in your privacy notice as set out in Articles 13 and 14 in a clear and prominent place such as your website;
- Make your privacy notice easy to find and accessible for children and parents who seek out privacy information;
- Do not rely on children or their parents seeking out privacy notice information instead draw their attention to your privacy notice at the point of each collection of personal data;
- Use a ‘bite-sized’ ‘just in time notice” of privacy explanations when necessary and make sure it is suitable for both children and adults to understand;
- Produce a separate privacy notice for use with children and young people;
- Encourage children and young people to speak to an adult before they activate any new use of their data, and always inform them not to proceed if they are uncertain;
- Consider if there are any other points in your user journey when it might be appropriate to provide bite-sized explanations to aid a child or young person's understanding of how their personal data is being used;
- The information you provide for users about your service should be clear and accessible. This includes terms and conditions, policies and community standards;
- In every case you should provide information that is accurate and does not promise protections or standards that are not routinely upheld by you;
- If you believe that you need to draft your terms and conditions in a certain way in order to make them legally robust, then you can provide child-friendly explanations to sit alongside the legal drafting;
- Present information for services aimed at children and young people in a child-friendly way that is likely to appeal to the age of the child who is accessing your service. This may include using diagrams, cartoons, graphics, video and audio content, and gamified or interactive content that will attract and interest children, rather than relying solely on written communications;
- Consider the use of tools such as privacy dashboards, layered information, icons and symbols to aid children’s understanding and to present the information in a child- friendly way. You should consider the modality of your service, and take into account user interaction patterns that do not take place in screen-based environments, as appropriate;
- Dashboards used for online services should be displayed in a way that clearly identifies and differentiates between processing that is essential to the provision of your service and non-essential or optional processing that the child can choose whether to activate;
- Tailor your information to the age of the child. For younger children, with more limited levels of understanding, you may need to provide less detailed information for the child themselves and rely more on parental involvement and understanding. However, never use simplification with the aim of hiding what you are doing with the child’s personal data and consider providing detailed information for parents, to sit alongside any child-directed information;
- You should make all versions of resources, including versions for parents, easily accessible and incorporate mechanisms to allow children or parents to choose which version they see, or to down-scale or up-scale the information depending on their individual level of understanding;
- Depending on the size of your organisation, your number of users, and your assessment of the risk you may decide to carry out user testing to make sure that the information you provide is sufficiently clear and accessible for the age range in question;
- Always document the results of any user testing in your DPIA, or use the DPE Record of Processing tool to support your final conclusions and justify the presentation and content of your final resources. If you decide that user testing isn’t warranted, then you should document the reasons why in your DPIA; and
- Consider any additional responsibilities you may have under any equality legislation applicable to you and set this out
- Consider if you are a school or trust that you may need to re-share your privacy notice at exam or assessment time as per DfE requirements.
Model Privacy Notices - to be adapted
document DPE Model Data Privacy Notice Pupils (4.11 MB)
document DPE Model Data Privacy Notice Workforce (3.57 MB)
document DPE Model Data Privacy Notice General (4.03 MB)
(General notice includes parents, visitors, volunteers, and
governors)
See Child-Friendly Privacy Notices Tab for more.
Updated 22 March 2021 The ICO gives the following advice when communicating privacy matters to children: What information should we give to children? You must provide children with the same information about what you do with their personal data as you would give to adults. In order for processing to be fair, there is the same need for transparency, as this gives an individual control and choice. A full list of the information you must provide, which varies depending upon whether the personal data has been provided by the individual themselves or a third party, is given in our Guide to the GDPR. As one of the reasons why children require specific protection is that they may be less aware of the risks of the processing, it is also good practice, to explain the risks involved in the processing, and any safeguards you have put in place. This will help children (and their parents) understand the implications of sharing their data with you and others, so they can take informed and appropriates actions to protect themselves. You should make your privacy notice clear and accessible and aim to educate the child about the need to protect their personal data. How should we provide privacy information? You should write in a concise, clear and plain style for any information you are directing to children in a privacy notice. It should be child-appropriate and, as far as possible addressed directly to the relevant age group. If your target audience covers a wide age range then you could consider providing different versions of your notice for different ages. If you choose to only have one version then you need to make sure it is accessible to all and can be understood by your youngest age range. You should present your privacy notice in a way that is appealing to a young audience. You should consider using diagrams, cartoons, graphics and videos that will attract and interest them. In an online context, you should consider the use of dashboards, layers, just-in-time notices, icons and symbols. Taking that on board and as part of a review into our model notices and the generation of privacy notices automatically from the Record of Processing data, we've put together some variations of child-friendly privacy notices for you to use. Firstly an infographic approach:
document
(2.39 MB)
Download an editable version in Word to add your school name - prints on two pages. And secondly, a comic-strip with two variations, based on font preference. The first variation uses a traditional comic-strip style font, the second a more easily-readable font that might be better for some readers. Download:
pdf
Child-friendly privacy notice comic strip v1 comic strip font
(1000 KB)
pdf
Child-friendly privacy notice comic-strip v2 easy-read font
(905 KB)
Lastly, we have developed the comic strip into an animation. Feel free to use this as you wish. The embed code is below if you would like to use it on your school website. To embed this on your website, click on the share icon in the video and then "embed".
Have a question about transparency? Ask it here.