Collecting personal information from users

Minimise the personal information you collect from users - and make sure you’re only collecting personal information when it’s a proportionate way of solving the problem you’re trying to solve.

Talk to your data protection expert or legal adviser to make sure what you’re planning to do is proportionate in the circumstances.

Make it as easy as possible for users to understand how you’ll use any personal information you do collect.

If your service uses cookies or similar technologies to store information on a user’s device, you must follow the guidance about using cookies.

Do not collect information you do not need

The first thing to do is remove any questions that you do not need to ask. As well as minimising the personal information you’re collecting, that will make your service simpler to use.

Make sure you do not accidentally collect personal information by setting up your digital analytics tools correctly, and avoid putting personally identifiable information in page titles and H1s.
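As an added example (not code from the Service Manual), the following shows two checks a service could run before a page view reaches an analytics tool: one that flags a page title containing any value the user typed into a form, and one that reduces the URL to its path plus an allow-list of page-describing parameters. The function names, the allow-list and the sample values are this example's own assumptions.

```javascript
// Added example, not code from the Service Manual: a check and a scrub to keep
// user-supplied data out of what an analytics tool receives. The function
// names and the analytics event shape are this example's own assumptions.

// Query-string parameters that describe the page rather than the person;
// anything not listed here is dropped before the URL reaches analytics.
const ALLOWED_PARAMS = new Set(['page', 'step']);

// Values a person typed into the service must never appear in a page title
// or H1. Returns the names of the offending fields (empty = clean). Values
// shorter than 3 characters are skipped to avoid matching single letters.
function titleLeaksUserData(title, submittedFields) {
  const lower = title.toLowerCase();
  return Object.entries(submittedFields)
    .filter(([, value]) => {
      const text = String(value == null ? '' : value).toLowerCase();
      return text.length >= 3 && lower.includes(text);
    })
    .map(([field]) => field);
}

// Reduce a full URL to a path plus allow-listed parameters. Query strings and
// fragments are where personal information most often leaks into analytics.
function analyticsPath(rawUrl) {
  const url = new URL(rawUrl);
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (ALLOWED_PARAMS.has(key)) kept.append(key, value);
  }
  const query = kept.toString();
  return url.pathname + (query ? '?' + query : '');
}

// Build the page-view event, refusing to send a title that contains user data.
function buildPageView(title, rawUrl, submittedFields) {
  const leaks = titleLeaksUserData(title, submittedFields);
  if (leaks.length > 0) {
    throw new Error('page title contains user data from fields: ' + leaks.join(', '));
  }
  return { title, path: analyticsPath(rawUrl) };
}
```

The title check is a backstop for integration tests, not a substitute for keeping names and reference numbers out of titles and headings in the first place: a pattern match cannot recognise every name, so the design rule still applies.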

Do not store information any longer than you need to

You do not always need to store personal information at all. For example, let’s say you need to know if someone is getting a particular benefit so you can tell whether they’re eligible to use your service.

You may be able to use an application programming interface (API) or so you can just record whether they were eligible or not. And avoid storing the raw personal information they supplied (for example, a scan of the benefit letter that proved their eligibility).

Do not store personal information you do collect for longer than you need to given the purpose you collected it for. This will reduce opportunities for attackers to exploit security vulnerabilities in your service.
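As an added example (not code from the Service Manual), here is the eligibility pattern described above carried through: the service records only the yes/no outcome of the check, never the evidence, and every record carries a retention deadline that a scheduled purge enforces. The function names, the in-memory `Map` store, the 90-day period and the sample applicant references are constructed for this example.

```javascript
// Added example, not code from the Service Manual: keep only the outcome of an
// eligibility check, tie each record to a retention deadline, and purge on
// schedule. Function names and the 90-day period are constructed for this example.

const DAY_MS = 24 * 60 * 60 * 1000;
const RETENTION_DAYS = 90; // constructed; agree the real period with your data protection adviser

// `lookupEligibility` stands in for the API call that confirms whether someone
// receives the benefit. It returns a boolean, so the evidence (for example a
// scanned benefit letter) never enters this service at all.
function recordDecision(store, applicantRef, lookupEligibility, now) {
  const eligible = lookupEligibility(applicantRef) === true;
  const record = {
    eligible,
    checkedAt: now.toISOString(),
    deleteAfter: new Date(now.getTime() + RETENTION_DAYS * DAY_MS).toISOString(),
  };
  store.set(applicantRef, record);
  return record;
}

// Delete every record whose retention deadline has passed. Run this on a
// schedule so nothing lingers beyond the purpose it was collected for.
function purgeExpired(store, now) {
  let removed = 0;
  for (const [ref, record] of store) {
    if (new Date(record.deleteAfter) <= now) {
      store.delete(ref);
      removed += 1;
    }
  }
  return removed;
}
```

Because the record holds nothing but the decision and two timestamps, a compromise of this store exposes far less than a store of uploaded documents would, which is the point the guidance makes about reducing what an attacker can exploit.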

The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR). These rules state that you need to be clear about your legal basis for collecting personal information.

Getting consent from the user is one basis.

But if the information you’re collecting is an essential part of providing a public service, think carefully about whether it could be better to rely on a different basis, for example, the ‘public task’ basis.

For example, if you’re running a government service that involves issuing an official document in someone’s name, it’s probably not meaningful to ask for consent to collect their name, because it’s not possible to provide the service without collecting that information.

Aside from consent, the other legal bases are:

  • ‘public task’ - you need to collect or process the information to carry out a task in the public interest, or for an official function
  • ‘contract’ - you need to collect or process the information to fulfil a contract you’ve entered into with the user - or because they have asked you to do something before entering into a contract (for example, provide a quote)
  • ‘legal obligation’ - you need to collect or process the information to comply with the law (this does not include contractual obligations)
  • ‘legitimate interests’ - you need to collect or process the information to protect your interests, or those of a third party (and it’s reasonable to do so when balanced against the user’s interests)
  • ‘vital interests’ - you need to collect or process the information to protect someone’s life

If you’re a public body you cannot rely on ‘legitimate interests’ for personal information you’re collecting or processing as part of a public task - only for things that are outside the scope of a public task.

Your data protection expert or legal adviser will be able to advise you what legal basis to rely on. Learn how to identify the legal basis relevant to your service.

If you are relying on consent as the basis for collecting and processing personal information, it has to be meaningful consent. If a user refuses their consent, they must still be able to use the service.

Consent means the user has to explicitly agree to you using their information in a specific way, not just failing to say they disagree. Ask a direct question rather than relying on the user ticking or unticking a check box.

Make it clear what the user is agreeing to. It’s not consent if the user does not understand what they’re consenting to.

And be equally clear about what the user should do if they want to withdraw their consent.

For example if you wanted consent to send emails that are not directly related to providing the service, you might:

  • ask a direct question like ‘Can we send you emails about [X subject]?’
  • tell the user how often you usually send the emails, so they can make an informed decision
  • tell the user that they can stop the emails at any time, with details of how to do it

Consent must be specific. If you’re asking users to consent to different things, ask for consent to each thing in a separate question.
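As an added example (not code from the Service Manual), the following models the consent rules in this section: each purpose gets its own direct question with its frequency and how to stop, a new record holds no answers so an unticked box is never read as consent, only an explicit ‘yes’ or ‘no’ can be stored, and withdrawal is a first-class operation. The purposes, the wording and the function names are this example's own assumptions.

```javascript
// Added example, not code from the Service Manual: consent held per purpose,
// given only by an explicit answer to a direct question, and withdrawable.
// Purposes, wording and function names are this example's own assumptions.

const PURPOSES = {
  newsletter: {
    question: 'Can we send you emails about [X subject]?',
    frequency: 'We usually send about one email a month.',
  },
  research: {
    question: 'Can we contact you about taking part in user research?',
    frequency: 'We usually get in touch a few times a year.',
  },
};

const HOW_TO_STOP = 'You can stop these at any time from your account settings.';

// Everything the user needs to decide, in one place: the question, how often,
// and how to withdraw. One purpose per question; never bundled.
function consentQuestion(purpose) {
  const p = PURPOSES[purpose];
  if (!p) throw new Error('unknown purpose: ' + purpose);
  return p.question + ' ' + p.frequency + ' ' + HOW_TO_STOP;
}

// A new record holds no answers: silence or an unticked box is not consent.
function createConsentRecord() {
  return {};
}

// Record an explicit yes or no for one purpose. Anything else is rejected so
// a default or ambiguous value can never be stored as consent. The question
// text is kept with the answer so you can show later exactly what was agreed.
function answerConsent(record, purpose, answer, now) {
  if (!PURPOSES[purpose]) throw new Error('unknown purpose: ' + purpose);
  if (answer !== 'yes' && answer !== 'no') throw new Error('consent needs an explicit yes or no');
  return {
    ...record,
    [purpose]: { given: answer === 'yes', at: now.toISOString(), question: PURPOSES[purpose].question },
  };
}

// Withdrawing affects only the named purpose; other purposes are untouched.
function withdrawConsent(record, purpose, now) {
  if (!PURPOSES[purpose]) throw new Error('unknown purpose: ' + purpose);
  return { ...record, [purpose]: { given: false, at: now.toISOString(), withdrawn: true } };
}

// The only question the sending code should ask before acting on a purpose.
function hasConsent(record, purpose) {
  return record[purpose] !== undefined && record[purpose].given === true;
}
```

Keeping the answered question alongside the answer matters because consent has to be informed: if the wording changes later, the stored question shows what the user actually agreed to at the time.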

Tell users what information you’re collecting and what you’ll do with it

Use plain language to explain what personal information you’re collecting and what you’ll do with it.

Put things in terms that will be familiar to your users. For example, you may need to explain things in a different way if your service is aimed at children.

If you’re doing something that has an especially significant consequence for the user, or it’s something that the user might not expect to happen, do not rely on them reading the privacy notice to find out about it.

For example, if you’re collecting information that’s going to be put on a public register, tell the user in the main flow of the service.

Privacy notices

Create a privacy notice that’s specific to the service. In an online service, the privacy notice should be available to the user at any point, via a ‘privacy’ link in the footer. Do not bury it in a terms and conditions page. Serve the privacy notice as part of the service, not as a page on GOV.UK.

Privacy notices and other ‘legal’ content must be written in plain English and to GOV.UK style, just like any other content.

Explain, clearly and concisely:

  • step by step, what you’ll do with the personal information once you’ve collected it
  • why you’re collecting their personal information
  • which of the legal bases you’re using for collecting and processing personal information
  • how long you’ll keep the personal information - or, if there’s no set period, how you’ll decide how long to keep it

If you’re collecting and storing personal information on the basis of a legitimate interest, you’ll need to explain how you balanced those interests against the user’s interests.

In the privacy notice, you’ll also need to:

  • say who the ‘data controller’ for the service is (usually your department or agency)
  • explain in what circumstances you’ll share the information outside your organisation, and who with (including any ‘data processors’ - organisations processing personal information on your behalf)
  • provide contact details for any data processors who will be processing personal information on your behalf

If the personal information will be transferred outside the UK as part of the processing, make that clear. And say what you’re doing to make sure the personal information gets the same level of protection as it would within the UK.

If the service uses an automated decision making process (for example, a computer algorithm), explain clearly how it works.

The Digital Marketplace has .

This is not necessarily a complete list of what should go into a privacy notice. Check the privacy notice with your organisation’s data protection expert or legal adviser.

Personal information charters

Do not go into detail about the standards your organisation follows when dealing with personal information in the privacy notice - link to your organisation’s official personal information charter instead.

The personal information charter should include information on how to get in touch with your Data Protection Officer.

It should also explain users’ rights - including their rights if they want to see personal information you’re holding about them, or if they want you to erase or restrict processing of personal information you’re holding about them.

The Cabinet Office has an example of a clearly written personal information charter.

Especially sensitive personal information

There may be additional things to consider if you’re collecting especially sensitive types of personal information, for example personal information about children, or information relating to ethnicity, health, genetics or biometrics.

Check with your organisation바카라 사이트™s data protection expert or legal adviser.

Last update:

  • Adding explicit guidance about excluding personally identifiable information from page titles and H1s.
  • Integrated guidance about understanding business objectives and user needs, understanding cyber security obligations, and sourcing a threat assessment.
  • Updated reference to EEA legislation.
  • Guidance first published.