Step-by-step guide

Create a data and privacy policy

What processes and policies will govern your use of participant data?

Running a mentoring programme involves the collection and processing of personal data. You will need to ensure that you are collecting, storing and using data in a way that is compliant the law.

We’re not legal experts, and the guidance on this page isn’t legal advice on how to meet your obligations under various data protection legislation. You should consult a lawyer or the Information Commissioner’s Office for that.

We’re sharing what we did, which worked for us; you might need something different.

Complying with data protection legislation

If you are in the UK, the UK Information Commissioner’s Office publishes guidance on data protection and guidance on complying with the UK General Data Protection Regulation (UK GDPR) which you may find helpful.

The data protection activities you undertake, and the documentation you are required to produce, depends on the size of your organisation and the types of data you are collecting.

The guidance from the ICO may not be everything you need to consider. Your organisation may have more rules and processes that you must follow when handling data or personal data.

You may have an in-house data protection team in your organisation that can help you to understand how to meet your obligations – both internal to your organisation and for compliance with the law.

Create a data and privacy policy

It’s important to build trust with your participants, and ensure that they know what will happen throughout your programme. You should codify how you will collect, store and manage data as part of the programme, and publish this policy alongside the other documentation you give to participants. This is sometimes referred to as a ‘privacy notice’ or ‘privacy policy’.

The content of the document will be heavily influenced by what kind of organisation you are, the requirements of local data laws and you organisational policies.

The Information Commissioner’s Office provides guidance on what to include, and a template suitable for small organisations.

Your policy is likely to need to explain:

  • what information you are going to collect and hold
  • what you will do with that data and why
  • who you will share the data with
  • how long you will keep the data for

UK data protection laws also requires that you identify a “lawful basis” for collecting and processing data and that you explain this in the policy.

Example

Data and privacy policy

This document contains an example of the data and privacy policy you could provide to participants. You can freely re-use and adapt this document to suit your needs.

This document has not been reviewed by a lawyer. You should seek your own advice on how to comply with data protection laws in your jurisdiction.

Download this example (.DOCX)