How to write a privacy statement and cookies policy

Every local Healthwatch is required to publish a privacy statement and a cookies policy on its website, outlining how it manages data and personal information. This guidance explains what to include.

Privacy Statement

Why do you need a privacy statement?

Healthwatch collects information for different reasons and in different ways. Some of this information will contain personal data. Personal data is information that can be used on its own or with other information to identify a living person, and which relates to them and reveals something about them.

It is important to understand how organisations are required by law to handle information of this type, and each local Healthwatch is responsible for ensuring that it is legally compliant.
The General Data Protection Regulation (GDPR) is a European regulation that sets out data protection requirements throughout the EU.

Under the GDPR, every Healthwatch is required to publish a privacy notice or statement on its website as part of its information governance process. This is publicly available information that outlines how an organisation manages personal information which may be collected as part of any interaction with a member of the public.

Ten things to include

As part of GDPR, Healthwatch must be able to provide people who have shared data with us (known as data subjects) with the information in the list below. If you are using an Information Asset Register then this will contain most of the relevant information that should be publicly available. Creating a link to the register within your privacy statement is an easy way to meet this requirement.

  1. The name of the Data Controller.
    A Data Controller is the person or organisation who (either alone, jointly or in common with others) determines the purposes for which, and the manner in which, any personal data are or are to be processed.
  2. The purpose for recording, storing and using the personal data, including the lawful basis for doing so.
    Lawful bases are set out in Article 6 of the GDPR; any personal data an organisation collects must be processed under one or more of the six lawful bases described in that Article.
  3. Where legitimate interests is the lawful basis, what those interests are and the benefit the processing brings, such as the prevention of harm.
  4. The categories of personal data that will be held and used. This includes general data categories as well as special category data.
    General data categories are the organisation's own way of grouping different types of data and help describe the data type, for example:
  • Employee data
  • Insight/feedback
  • Meeting minutes
  • Contact details

Special category personal data includes:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data used to identify a person
  • Health
  • Sex life or sexual orientation

  5. Recipients of the data, i.e. who it is shared with.
  6. Any transfers of the data abroad.
  7. How long the data will be kept, according to your data retention schedule.
  8. The data subject's rights.
  9. Information on the right to withdraw consent and how to do so.
  10. How to lodge a complaint.

How to structure your privacy statement

We have created a privacy statement template for you to download and edit. Please ensure the recommended content below is included in your privacy statement.
1. Introduction

  • Outline the purpose and objectives of your organisation and provide links to any relevant pages on your website or other websites such as Healthwatch England.
  • Provide links to any relevant information and policies, such as your Information Governance Policy or your Information Asset Register. It may be necessary to have a redacted version of your Information Asset Register made publicly available – please check that all content can be shared.
  • Describe the type of personal information that your organisation collects. We would recommend that for each type of information you list, you provide a link to more detailed information.
  • Provide a security statement: a short description of the technical and organisational measures you use to keep personal information safe.

2. Types of Information

  • We have split the types of information collected into three different categories that we know are applicable to all Healthwatch – you may want to add more. For each category you will need to describe how personal information may be collected, why it is collected and what the organisation does to ensure that it is kept safe and secure.
  1. Information collected through websites.
  2. The collection of people's experiences of health and social care.
  3. The collection of data about employees and volunteers.

3. Onward dissemination and the sharing of data

  • Be clear about how Healthwatch uses information to achieve its objectives and who it is shared with. This should include who the information is intended to influence and what difference it could make.

4. Retention

  • Please include a summary of your retention policy and include a link to your retention schedule.

5. A person’s rights

  • It is essential that a person who leaves their information with Healthwatch understands what their rights are in relation to the information.
  • This needs to include how a person can access their data or ask for it to be deleted or altered.
  • You must include details on how a person can make a complaint about their data and provide contact details.

Download the privacy statement template

We have created an editable template for you to create your own privacy statement.

Cookies policy

What are cookies?

Cookies are small text files that a website or app places on your computer or mobile device when you visit it. They store small pieces of information, such as a session identifier, your settings or an identifier that allows your behaviour on the website to be tracked.

What is a cookie policy?

A cookie policy tells your website users what cookies your website sets, what data they collect, why that data is collected and what happens to it.

Your policy should also explain how users can opt out of cookies or change their settings to control what data is collected.
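Before you can write an accurate policy you need a list of the cookies your website actually sets, who sets them, how long they live and how they are protected. The Python script below is an added example, not part of this guidance or its template: it builds that inventory from the Set-Cookie headers a browser receives. The hostnames, cookie names and header values are constructed for illustration, and the first-party/third-party check is a simplified suffix comparison rather than a Public Suffix List lookup.

```python
"""Build a cookie inventory from Set-Cookie headers as the starting point for a
cookies policy. Added example: all hostnames, cookie names and header values are
constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


@dataclass
class CookieRecord:
    name: str
    domain: str        # the domain the browser will send the cookie back to
    path: str
    lifetime: str      # "session", "expired on receipt", or a duration
    third_party: bool  # set for a domain other than the site the visitor is on
    secure: bool
    http_only: bool
    same_site: str     # Lax, Strict, None, or "unset"
    flags: list = field(default_factory=list)


def _describe_lifetime(seconds: float) -> str:
    if seconds <= 0:
        return "expired on receipt"   # Max-Age=0 or a past Expires deletes the cookie
    if seconds < 86400:
        return f"{seconds / 3600:.0f} hours"
    return f"{seconds / 86400:.0f} days"


def _same_site_domain(cookie_domain: str, site_host: str) -> bool:
    # First party if the cookie domain is the site itself, or a parent or child of it.
    # Simplified (assumption): a production tool would consult the Public Suffix List
    # so that a shared suffix such as "co.uk" is never treated as a common parent.
    return (cookie_domain == site_host
            or site_host.endswith("." + cookie_domain)
            or cookie_domain.endswith("." + site_host))


def parse_set_cookie(header: str, response_host: str, response_time: datetime,
                     site_host: str) -> CookieRecord:
    """Parse one Set-Cookie header value sent by response_host at response_time,
    relative to the site (site_host) the visitor is actually browsing."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    # Without a Domain attribute the cookie belongs to the host that set it.
    domain = attrs.get("domain", response_host).lstrip(".").lower()
    path = attrs.get("path", "/")
    same_site = attrs["samesite"].capitalize() if "samesite" in attrs else "unset"

    # RFC 6265 s.5.3: Max-Age takes precedence over Expires; neither means a session cookie.
    if "max-age" in attrs:
        lifetime = _describe_lifetime(int(attrs["max-age"]))
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = _describe_lifetime((expires - response_time).total_seconds())
    else:
        lifetime = "session"

    record = CookieRecord(name=name.strip(), domain=domain, path=path, lifetime=lifetime,
                          third_party=not _same_site_domain(domain, site_host.lower()),
                          secure="secure" in attrs, http_only="httponly" in attrs,
                          same_site=same_site)
    # Review flags: the first two matter for the policy, the rest for security review.
    if record.third_party:
        record.flags.append("third-party")
    if lifetime not in ("session", "expired on receipt"):
        record.flags.append("persistent")
    if not record.secure:
        record.flags.append("no Secure")
    if not record.http_only:
        record.flags.append("no HttpOnly")   # readable by page scripts, e.g. under XSS
    if same_site == "unset":
        record.flags.append("SameSite unset")
    return record


def inventory(site_host: str, responses) -> list:
    """responses: iterable of (response_host, Date header, Set-Cookie header) triples."""
    return [parse_set_cookie(cookie, host, parsedate_to_datetime(date), site_host)
            for host, date, cookie in responses]


def format_inventory(records) -> str:
    lines = [f"{'Cookie':<16}{'Set by':<28}{'Lifetime':<20}{'Party':<7}Flags"]
    for r in records:
        party = "third" if r.third_party else "first"
        lines.append(f"{r.name:<16}{r.domain:<28}{r.lifetime:<20}{party:<7}"
                     f"{', '.join(r.flags) or '-'}")
    return "\n".join(lines)


SITE = "www.healthwatch-example.org"   # constructed hostname
SAMPLE_RESPONSES = [                    # constructed (host, Date, Set-Cookie) triples
    (SITE, "Mon, 01 Jan 2024 00:00:00 GMT",
     "sessionid=8f2c9e; Path=/; Secure; HttpOnly; SameSite=Lax"),
    (SITE, "Mon, 01 Jan 2024 00:00:00 GMT",
     "cookie_consent=dismissed; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/; SameSite=Lax"),
    (SITE, "Mon, 01 Jan 2024 00:00:00 GMT",
     "_ga=GA1.2.10203; Domain=.healthwatch-example.org; Path=/; Max-Age=63072000; SameSite=Lax"),
    ("ads.tracker-example.net", "Mon, 01 Jan 2024 00:00:00 GMT",
     "IDE=xyz; Domain=.tracker-example.net; Path=/; Max-Age=7200; SameSite=None; Secure"),
]

if __name__ == "__main__":
    print(format_inventory(inventory(SITE, SAMPLE_RESPONSES)))
```

The table it prints gives you the rows a cookies policy needs (name, who sets it, lifetime, first or third party); the flags column is there for whoever reviews the site, since a cookie set without Secure or HttpOnly is exposed over plain HTTP or to page scripts. Capture real headers from your own site's responses (the network panel of a browser's developer tools shows them) and feed them in place of the constructed triples.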

Why do I need a cookies policy?

You are legally required to have a cookies policy on your website. It can form part of your privacy statement or stand alone as a separate policy, but it must be present and easy for users to find and understand.

Cookies are a potential privacy risk because they can record and store a user's behaviour on your website, so it is important to keep this policy up to date whenever the cookies your site sets change, for example when you add an analytics tool or embedded third-party content.

Download the cookies policy template

We have created an editable template to help you create your own cookies policy.
