Privacy notices - GDPR guide for digital health companies

Step-by-step guide to creating a Privacy Notice for GDPR and the NHS Digital Security Protection Toolkit (DSPT)


One of the most crucial aspects of compliance is transparency. The GDPR requires you to inform individuals about how you collect, use, and share their personal data. The document that does this is called a privacy notice, also known as a transparency notice or privacy statement.

For digital health companies, this is particularly important. You are likely processing sensitive data, requiring you to be especially clear and upfront about your data practices. Your users deserve to know exactly what you're doing with their information, and a robust privacy notice is your key to building trust.

In this blog post, we'll delve into the world of privacy notices. We'll cover:

  • The essential elements of a GDPR-compliant privacy notice
  • Where to publish your privacy notice
  • Tips for making your notice accessible and understandable
  • How to tailor your notice to your specific digital health service

This is guide 3/3 in a series of three guides designed for digital health companies on documenting your data processing activities. We'll assume you have completed the first two steps: identifying your data assets (IAR) and mapping out your processing activities to establish a strong legal basis for everything you do (ROPA).

Much of the data which should be in the privacy notice is also in the ROPA. This is why you should complete the first two steps before writing your privacy notice.

What is a privacy notice?

A privacy notice is a document that explains how an organisation collects, uses, and shares personal data about individuals. It's a key element of transparency under the GDPR, giving individuals control over their personal information, and explaining their rights and freedoms.

Think of it as a contract between you and the individual, outlining your data practices in clear and understandable language. This notice should be readily accessible and easy to understand, empowering individuals to make informed decisions about their personal data.

Why is a privacy notice important?

A robust privacy notice is essential for digital health companies for several reasons, going beyond simple legal compliance. Here's why it matters:

1. Complying with the Law

  • The GDPR mandates that all organisations processing personal data must provide individuals with clear and concise information about their data practices. Failure to comply can result in hefty fines and damage your reputation.
  • A well-crafted privacy notice is also essential to comply with the NHS Data Security and Protection Toolkit (DSPT).
  • NHS DSPT Evidence Item 1.1.3, "The organisation has a framework in place to support Lawfulness, Fairness and Transparency", asks: Does your organisation have a privacy notice?

2. Building trust

  • Transparency is crucial for building trust with your users. When individuals understand how you handle their data, they feel more confident in your service and are more likely to share their personal information.

3. Empowering individuals

  • A privacy notice gives individuals control over their personal information. They can understand how their data is used, make informed decisions about sharing their data, and exercise their rights, such as requesting access or correction of their data.

4. Enhancing your service:

  • A clear and accessible privacy notice can enhance the user experience. By understanding your data practices, users feel more comfortable and confident interacting with your service.
  • This can lead to increased engagement and a stronger relationship with your users.


What to include in a privacy notice?

You may find it useful to seek a reference template online when producing your privacy notice. Our template provides a representative example for digital health companies, covering the necessary aspects of GDPR and NHS standards. You can talk to us to receive a copy.

There are several important things to include in your publicly facing privacy notice. These are:

  • Name and contact details of your organisation
  • Name and contact details of your representative and data protection officer (if applicable)
  • Categories of personal data collected
  • Purpose of data processing
  • Lawful basis for processing
  • Data recipients of personal data
  • Details of transfers of the personal data to any third countries or international organisations
  • Data transfer outside the EEA
  • Data retention periods
  • Individual rights (e.g: access, rectification, erasure, restriction, objection, and data portability)
  • The details of the existence of automated decision-making, including profiling
  • Consent withdrawal information
  • Complaint process
  • Tracking technologies and cookies (this may live in its own "Cookies Policy")
  • Children’s privacy and the NHS National Data Opt-Out (if applicable)


Where to publish your privacy notice?

Your privacy notice should be made publicly available and easily accessible to individuals - this is most easily done by linking to your privacy notice from your website and from any locations where individuals are providing you with their data.

Remember that when you collect personal data directly from an individual, you must make the privacy notice available to them at the time of data collection.

Here are some examples of where you should publish your privacy notice:

1. Your website:

  • This is the most common and accessible location.
  • Include a clear link to your privacy notice on your homepage, as well as in the footer or navigation menu.
  • Ensure the notice is easily discoverable, ideally in a dedicated "Privacy" or "Legal" section.

2. In your mobile / web app:

  • For users accessing your services through an app, provide a link to your privacy notice within the app itself.
  • This could be in the app settings, a dedicated "About" section, and/or during the onboarding process. For users with accounts, you can display the privacy notice within their account settings or provide a link to the full document.

3. Sign-up forms:

  • Include a clear reference to your privacy notice on all sign-up forms, making it clear that users are agreeing to your data practices by submitting their information.
  • You can include a direct link to the notice and optionally also provide a brief summary of key points for clarity.

4. Emails:

  • When communicating with users via email, include a link to your privacy notice in your email signature or within the body of emails containing sensitive information.

5. Printed materials:

  • If you provide printed materials, such as brochures or leaflets, include a link to your online privacy notice or a brief summary of your key data practices.

Additional considerations for the NHS Digital Security and Protection Toolkit (DSPT):

Where personal data has not been collected directly from the individual (i.e. it has been collected from a third party) the NHS DSPT asks that you confirm that the privacy notices are made available to the individual within one month of the data being collected.

Tips for making your privacy notice accessible and understandable

It's vital to provide clear and accessible information about your data processing practices to all individuals, including those with disabilities. Here are some tips to ensure your privacy notice is accessible and understandable for all:

1. Keep it concise and clear:

  • Avoid using technical jargon or complex language, instead use simple, everyday language that everyone can understand.
  • Write in a conversational style that feels approachable and easy to read.
  • Use real-world examples to illustrate your data practices. This can help make the information more concrete and relatable for users.

2. Structure for easy navigation:

  • Break down complex information into smaller, digestible sections with clear headings and subheadings.
  • Consider using bullet points, numbered lists, and clear formatting to make the information easy to scan and digest.
  • Include a table of contents to help readers quickly find specific sections.

3. Emphasise key information:

  • Use bolding, italics, or different font sizes to highlight important points.
  • Ensure that critical information, such as the types of data collected, how it's used, and individuals' rights, is clearly visible.

4. Offer multiple formats:

  • Ensure your privacy notice is accessible to all users, regardless of their technological abilities.
  • Web pages, including your published privacy notice, should adhere to the Web Content Accessibility Guidelines (WCAG 2.2) to ensure they are accessible.
  • The NHS DSPT asks that information can be provided to individuals orally when requested. This means you should have a process in place for when individuals ask to receive the content of your privacy notice verbally.

A note on children’s privacy:

Children require specific protection with regard to their personal data as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.

If your organisation is processing information in relation to children (defined under the GDPR as anyone under the age of 18), it is important to ensure that you are providing privacy information in a way that a child can easily understand.

If you aren't sure whether your data subjects are children, or what age range they fall into, you usually need to adopt a cautious, risk-based approach.

The ICO provides detailed guidance on children’s privacy under the GDPR.


How often do I need to update my privacy notice?

You should ensure your privacy notice is accurate and complete. It should be reviewed and approved by relevant stakeholders such as senior management and your data protection representative.

As with all data processing activities, it is also important that you keep your records up-to-date, and continue to review your Privacy Notice at regular intervals, when making changes, and in the event of a data breach.

Remember that your Privacy Notices, along with your Information Asset Register (IAR) and Record of Processing Activities (ROPA), are living documents. They should be regularly reviewed and updated to reflect any changes in your data processing activities. This demonstrates your commitment to continuous improvement and compliance.

If there is any doubt over the contents of your privacy notice or how you are handling personal data, it's always best to seek an expert opinion. If you are unsure, you can book a call with us to talk through any questions.

How to get started

Assuric is a compliance platform built for digital health companies. We can help with:

  • Creating a Privacy Notice specific to digital health companies and compliant with both GDPR and NHS criteria.
  • Keeping your Privacy Notice up-to-date with any changes
  • Reviewing your Privacy Notice to ensure it meets requirements
  • Complying with other aspects of GDPR, the NHS DSPT and NHS DTAC

Talk to us to learn more, ask questions, or request a copy of the Privacy Notice Template.

What next?

Creating a robust IAR, ROPA and Privacy Notices lays a solid foundation for data protection best practices and your ongoing compliance journey.

Beyond this, digital health companies should also document other aspects of their data processing, including consent records, data subject rights, personal data breach records, data protection by design and default, third party suppliers and information management.


Assuric is a compliance platform built from the ground up to simplify your compliance journey and ensure nothing is missed. We can help with:

  • Creating, managing, and updating your IAR, ROPA, Privacy Notices and other documentation.
  • Reviewing your documentation and process to ensure it meets requirements
  • Complying with other aspects of GDPR, the NHS DSPT and NHS DTAC.

Talk with us today to learn more about how Assuric can help you achieve compliance and protect your organisation.