Skip to content
360 Cyber Compliance

template

Privacy Notice Template

A UK GDPR privacy notice template for care providers and SMEs, covering what data you collect, lawful bases, sharing, retention and individuals' rights.

Related service: Data Protection & UK GDPR

A privacy notice explains, in plain language, how you use people’s personal data. Under the UK GDPR you must provide this information at the point you collect data. Use this template as a starting point, replace every [bracketed] field, and delete anything that does not apply to you. Keep the language clear enough for the people you serve to understand.

Who we are

[Organisation name] (“we”, “us”) is the data controller for the personal information described in this notice. You can contact us at:

  • Address: [postal address]
  • Email: [contact email]
  • Telephone: [phone number]
  • Data Protection Officer (if appointed): [name / role / contact — or state that a DPO is not required and give a data protection contact instead]

The personal data we collect

We collect and use the following categories of personal data:

  • [e.g. name, date of birth, contact details]
  • [e.g. care and health records / special category data]
  • [e.g. financial and payment details]
  • [e.g. next of kin and emergency contacts]

Why we use your data and our lawful basis

We use your personal data for the purposes below. For each, we rely on a lawful basis under Article 6 of the UK GDPR (and, for special category data such as health information, a condition under Article 9):

  • [Purpose, e.g. providing care and support] — lawful basis: [e.g. contract / legal obligation / vital interests]; special category condition: [e.g. provision of health or social care]
  • [Purpose, e.g. staff administration] — lawful basis: [e.g. contract / legal obligation]
  • [Purpose, e.g. sending updates you asked for] — lawful basis: [e.g. consent]

Who we share your data with

We may share your personal data with:

  • [e.g. NHS bodies, GPs and other health professionals]
  • [e.g. local authority and commissioners]
  • [e.g. regulators such as the CQC]
  • [e.g. IT and other suppliers who process data on our behalf under a written contract]

We do not sell your personal data. [State whether any data is transferred outside the UK and, if so, the safeguards used.]

How long we keep your data

We keep personal data only for as long as necessary for the purposes above and to meet legal and regulatory requirements. Our retention periods are set out in our records retention schedule. [Summarise key periods, e.g. care records retained for X years after care ends.]

How we protect your data

We use appropriate technical and organisational measures to keep your data secure, including [e.g. access controls, encryption, staff training and regular reviews].

Your rights

Under data protection law you have the right to:

  • Be informed about how we use your data
  • Access your data (a subject access request — we respond within one month)
  • Have inaccurate data corrected
  • Have your data erased in certain circumstances
  • Restrict or object to certain processing
  • Data portability in certain circumstances
  • Withdraw consent at any time where we rely on consent

To exercise any of these rights, contact us using the details above.

Complaints

If you are concerned about how we handle your data, please contact us first. You also have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk or by calling their helpline.

Changes to this notice

We review this notice regularly. This version was last updated on [date].

Need a privacy notice that fits your exact data flows and services? We can tailor one, alongside your wider documentation, as part of a fixed-fee engagement — see our data protection and GDPR service. Our information governance guides offer further background.

Want this as a ready-to-use document?

We can tailor this to your organisation and complete it with you as part of a transparent, fixed-fee engagement.

Talk to us about this