Policy on privacy notices

The University is committed to respecting and protecting the privacy of information that is provided to it.

You must provide a prominent link to a copy of the University privacy notice on the front page of all University websites. This applies to all websites with URLS containing leeds.ac.uk and any websites that are operated by or for the University. The only exceptions are purely personal webpages and Leeds University Union, as LUU has its own privacy notice.

The privacy notice is required in order to meet the requirements of the Data Protection Act 1998 and the University’s Code of Practice on Data Protection. It is the personal responsibility of the registered school, faculty, service, group or department webmaster to make sure privacy notices are updated and adhered to.

If you have any questions about data protection, privacy or the legislation, contact the University Webmaster.

Model privacy notice

Every University website  must display a prominent link to the privacy notice on its first page. Since the introduction of the ‘cookie law’, a link at the top of the page rather than the bottom has been suggested, but this may not always be feasible depending on the design or functional constraints of the system used. ‘Privacy and cookies’ is a suitable link.

The University requires that the model below is used as a template privacy notice. All of these sections are required, but you may also need to add specific sections of your own. If the operator of a website asks for any material variation to this model, you will need to obtain permission by emailing the University Webmaster.

In many cases, the privacy notice as www.leeds.ac.uk/privacy can be copied as your own notice with a few relevant changes made. The University website uses Google Analytics, and this section of the table can be copied to your own notice if it serves your purpose.

This notice is intended to be as simple and easy to implement as possible. Contact the University Webmaster with any questions or queries.

Notice template

This is a standard text to be copied into the website privacy notice as-is for University websites. For websites hosted externally, consideration is needed as to who actually collects the data and for whom. For example, an externally hosted website may cause personal data to be collected by the service provider, and that provider also needs to be named here.

1. Purpose of this notice

This notice tells you how the [University of Leeds] will collect and process your personal data when you access this website.

Automated collection notice

This is a standard text to be copied into the website privacy notice as-is

2. Automated collection of personal information

As with most other web servers, when you access these web pages certain information you provide will automatically be recorded by [the University of Leeds][YOUR ISP if not the University]. This may include your IP address, browser type, and information relating to the page you last visited. This information is processed to estimate how much usage of the server is made by different categories of users and in the event of a breach of security may be used to aid detection.

Non-automated collection notice

This is a standard text to be copied into the website privacy notice as-is. It works in conjunction with notices placed where data is gathered, for example on a web form or login button. An alternative is to list in this section the purposes for which data is being gathered, but this is less flexible than stating this at the actual point of collection. Please ask for advice.

3. Non-automated collection

Where you are required under this website to provide personal data the uses of this data will be indicated at the point of collection.

Third party access statement

This is a standard text to be copied into the website privacy notice as-is. If you are passing data please define what you are doing here. Please ask for advice if you need it.

4. Third-party access

Your personal data that you have provided will not routinely be sent to other third-parties (unless notified – see 3. above).

Cookies

This section sets out some generic information about cookies and then lists the ones which your website sets. Please note that this section only covers cookies where we can assume implied consent or where no consent is required. For any other cookie types you must obtain prior consent – please see the section below on obtaining consent for cookies.

5. Cookies

Cookies are small text files that are placed on your device by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

Our website [YOUR WEBSITE URL] uses first party cookies which are set by our web server as opposed to a different web server. They are categorised as strictly necessary, which are essential to the operation of the website, and performance cookies which collect anonymous information about the usage of our website. By using our website you agree that we can place these types of cookies on your device.

We do not use cookies to collect personal information about you. Should you wish to restrict or block cookies which are set by our website you can do this through your browser settings. The ‘help’ function within your browser or the manual that comes with your device should tell you how. You may also wish to visit www.aboutcookies.org which contains comprehensive information on how you can do this on a wide variety of browsers. Please be aware that restricting cookies may impact on the functionality of our website.

The table below explains the cookies we use and why:

Cookie Name Purpose Further information

Give the general name of the service, e.g. Google Analytics List the cookie name(s) Give the purpose the cookie is used for Link here to further information as necessary

Code of Practice link

This is a new section which is to be copied into website privacy notices as-is

6. University Code of Practice

The University’s Data Protection Code of Practice also applies to the use of personal data under this website. The Code can be accessed at http://www.leeds.ac.uk/secretariat/data_protection_code_of_practice.html

Change notice

This section is to be copied into website privacy notices as-is

7. Changes to this notice

This notice and therefore the ways in which your data may be processed can be changed from time to time. Any changes will only be notified via this web page.

Contacts

This is the final section and must have (a) a contact for the website concerned and (b) the standard text indicating that people can contact webmaster@leeds.ac.uk.

8. Further information and Contact

If you have any queries relating to this privacy notice or the way your data is being processed through this website then please contact [YOUR CONTACT HERE]. If you are dissatisfied with their response please contact the University Webmaster, webmaster@leeds.ac.uk.

Obtaining consent for cookies

This section is relevant where you use cookies that are not either strictly necessary for the operation of your website (as opposed to just nice to have) or where implied consent cannot be relied upon. The types of cookies in question include those used for personalisation. It is assumed here that all such cookies are set as a part of, or after a login process. Thus, this section essentially consists of a short statement to be placed alongside a login button on a website. It also incorporates text which is required where Active Directory (ISS login) accounts are taken by the login process.

By logging into this system you consent to us placing [a cookie][cookies] on your device. The purpose of [this cookie][these cookies] is given in our privacy notice [LINK TO IT]

This service is provided by [YOUR FACULTY ETC] for use by [staff][students][define the category carefully] at the University of Leeds. Use of this service must be in compliance with the University’s Use of Computer Systems Policy.

Please note that other similar wording may be acceptable depending on the purpose of the website. It is important to state that a cookie will be set as part of the login process if that is the case, otherwise it may be sufficient to rely solely on your overall privacy notice.

Other issues

There are other issues where consent is required which are not covered above. One particular issue is the growing popularity to include Facebook or Twitter (etc) links on a web page. Care must be taken here, because while a link to Facebook is acceptable, an ‘active’ link of the form which pulls content from Facebook in order to display the link button is not. Such use would usually set a cookie and must only be included where prior consent has been gained.

Please e-mail webmaster@leeds.ac.uk if you require help with or advice on anything relating to privacy notices. Please also contact me if you have more specific requirements within your own privacy notice.