MAKE YOUR FREE Consultant Privacy Notice
What we'll cover
What is a Consultant Privacy Notice?
A Consultant Privacy Notice explains how consultants’ personal data (eg their names, addresses or professional qualifications) are processed (eg collected or stored) by the business engaging them (ie the ‘data controller’). Consultant Privacy Notices set out the ‘what, how, where, why and when?’ of the data processing.
This document is GDPR compliant.
When should I use a Consultant Privacy Notice?
Use this Consultant Privacy Notice:
-
if you engage consultants for your business in England, Wales or Scotland
-
to communicate how you collect, store, retain and disclose consultants’ personal data
-
to ensure that your data processing is safe and compliant with data protection laws
Sample Consultant Privacy Notice
The terms in your document will update based on the information you provide
About Consultant Privacy Notices
Learn more about making your Consultant Privacy Notice
-
How to make a Consultant Privacy Notice
Making a Consultant Privacy Notice online is simple. Just answer a few questions and Rocket Lawyer will build your document for you. When you have all of the details prepared in advance, making your document is a quick and easy process.
To make your Consultant Privacy Notice you will need the following information:
Business details
-
What is the name of the business engaging consultants?
-
Who can consultants contact for information about their data rights?
Data transfers
-
Will personal data be transferred outside of the UK and the European Economic Area (EEA)?
Data retention
-
How will information about data retention practices be communicated?
-
If this will be done by way of a Data retention policy, where can a copy of the policy be found?
-
-
-
Common terms in a Consultant Privacy Notice
Consultant Privacy Notices help businesses ensure that they comply with data protection legislation when they engage consultants and process their personal data. To do this, this Consultant Privacy Notice template covers:
Statement and purpose
This section sets out why the business is adopting a Consultant Privacy Notice and explains the business’ commitment to transparency.
What information do we collect?
This section details examples of the types of personal data the business collects. It also explains that consultant personal data is collected through various means and is stored in various locations and provides examples.
Why do we process personal data?
This section provides details as to the reason for the personal data processing. This is provided in a simple, easy-to-understand manner so that consultants can easily understand why the business is processing their personal data.
Who has access to data?
This section sets out that consultant personal data will be shared internally. It also sets out that consultant personal data can be shared externally with third parties that process data on behalf of the business in connection with making payments. Further, this section sets out in what other circumstances the business may share personal data with third parties.
Choice
This section sets out that the business does not currently share the consultants’’s personal data with third parties other than those which fall under the section ‘Who has access to data?’. It explains that, should the business choose to share personal data with other third parties, the consultants will be given a choice regarding the disclosure. In other words, the consultants can opt out of having their personal data shared.
Transfers outside the United Kingdom and European Economic Area
If consultant personal data will be transferred outside the UK and EEA, this section sets out the safeguarding requirements that the business must have in place.
How do we protect data?
This section reiterates that the business takes the security of personal data seriously and highlights that relevant data protection policies are in place.
For how long do we keep data?
This section sets out the periods for which the business will retain (ie keep) a consultant’s personal data. This will always be for the length of the consultant’s engagement, while any specific retention periods post-engagement will be governed by the business’ relevant data protection policies or practices.
Your rights
This section sets out the rights that consultants have in relation to their personal data. It also provides the details of the person within the business that consultants should contact if they wish to exercise their data protection rights.
Complaint Resolution
This section sets out how consultants can complain about how their personal data is processed. While this includes complaining directly to the ICO, the Privacy Notice encourages consultants to first attempt to resolve issues internally with the business.
What if you do not provide personal data?
This section sets out that the consultant has to provide the business with certain information under the terms of engagement. It highlights that without this information the business will not be able to properly manage and administer the consultant’s engagement.
Changes to this Privacy Notice
This section highlights that the Consultant Privacy Notice may be changed by the business whenever thisit is considered necessary and explains that consultants will be provided with an updated copy in due course.
If you want your Consultant Privacy Notice to include further or more detailed provisions, you can edit your document. However, if you do this, you may want a lawyer to review or change the Privacy Notice for you, to make sure it complies with all relevant laws and meets your specific needs. Ask a lawyer for assistance.
-
Legal tips for making a Consultant Privacy Notice
Make sure that you have a legal basis for processing personal data
To process personal data you meet at least one of the stringent legal grounds set out in data protection laws. Before you begin to process personal data belonging to consultants, you have to ensure that you have a legal basis for doing so. Examples include consultants’ consenting to the processing or your business having a legitimate interest in the processing.
Consider what other data protection documents you may need
There are a number of data protection documents you may wish to create to further ensure your compliance with data protection laws. These include, but are not limited to:
-
a Data protection and data security policy - to protect your employees’ and clients' data and provide a clear framework forto compliancey with relevant data protection obligations
-
an Employee privacy notice - this document is similar to a Consultant Privacy Notice but applies to employees instead of consultants
-
a Privacy policy - if you run a website, you should inform users about the types of personal data you are collecting, the reasons for collection and how users can access their data
-
a Data protection impact assessment (DPIA) - if the processing of personal data is likely to result in a high risk to individuals’ rights and freedoms
-
a Data processing agreement (DPA) - if you’re transferring personal data to someone else so they can process it for you (eg a cloud storage service)
Make sure the business follows the right data protection procedures
Recording how your business will meet its data protection obligations is a crucial first step toward compliance. However, simply having a Consultant Privacy Notice in place and providing it to consultants does not mean that you’ve actually complied with your legal obligations. Instead, you need to ensure that the steps outlined in your Privacy Notice and all other relevant data protection documents are implemented and followed. If you need help with data protection compliance, seek GDPR compliance advice.
Understand when to seek advice from a lawyer
Ask a lawyer for advice if:
-
issues arise when consultants’ data is used in a way which could infringe upon their privacy or which could relate to their activities outside of work
-
advice is required on the use of covert monitoring in the workplace
-
an existing Consultant Privacy Notice needs to be changed
-
Consultant Privacy Notice FAQs
-
What is included in a Consultant Privacy Notice?
This Consultant Privacy Notice template covers:
-
details of the business that is engaging consultants
-
the types of personal data that are collected
-
how the data is collected and stored
-
the reasons why the data is processed
-
who has access to the data
-
international transfers of personal data outside of the UK and the European Economic Area (EEA)
-
the measures taken to protect the data
-
how policies on data storage can be accessed
-
the consultants’ rights as data subjects
-
-
Do I need a Consultant Privacy Notice?
Transparency is a key principle of the UK General Data Protection Regulation (GDPR). This means that, to comply with data protection legislation (such as the Data Protection Act 2018), a data controller must be clear and honest with all data subjects regarding how their personal data will be used. Data subjects are the individuals to which personal data relates. For the purposes of the Consultant Privacy Notice, the consultants are the data subjects. Using a Consultant Privacy Notice allows businesses to provide the information necessary to comply with this transparency principle.
-
How can I implement a Consultant Privacy Notice?
This template can be used to create your Consultant Privacy Notice. Once created, the Notice will be incorporated into your business as long as you ensure that it’s readily available for consultants to read.
You should also ensure that consultants know to whom to direct any data protection questions or concerns (eg a data protection officer (DPO)). The Consultant Privacy Notice could also be included in any starter information provided to consultants.
-
For how long can personal data be stored?
The UK GDPR and DPA do not impose a defined time limit for processing or storing data. However, data should not be stored for longer than necessary. Usually, data should be deleted once a the consultant’s engagement has ended. In some cases retaining data for a longer period of time may be justified, for instance on the grounds of a legitimate interest.
How long you retain data for should be set out in a document, for instance, a Data retention policy.
-
Can data be transferred outside of the UK?
Transferring personal data to recipients outside of the UK is prohibited under data protection laws unless certain safeguards are put in place. The international transfer of personal data may be permitted:
-
if the ‘third country’ (ie the country that the recipient is in) has an adequate level of data protection, as determined by the UK’s Information Commissioner's Office (ICO). This includes countries within the EEA
-
on the basis of standard data protection clauses approved by the UK
For more information, read International transfers of personal data.
-
-
What rights do consultants have in relation to their personal data?
Consultants have certain rights relating to personal data held about them, including:
-
the right to access and obtain a copy of their data and to be informed about how their data is being processed
-
the right to have their data rectified if it's inaccurate or incomplete
-
the right to object to the data processing
-
the right to have their data erased in certain circumstances
For more information, read Data protection requests.
-
-
What if a consultant has an issue with your data protection practices?
If a consultant believes that a business hasn’t complied with a Consultant Privacy Notice or has otherwise infringed on their rights under data protection legislation, they are able to file a complaint with the ICO. However, businesses can encourage consultants to engage with them to attempt to resolve any issues before making a complaint.
Our quality guarantee
We guarantee our service is safe and secure, and that properly signed Rocket Lawyer documents are legally enforceable under UK laws.
Need help? No problem!
Ask a question for free or get affordable legal advice from our lawyer.