DPIA: DDAR Privacy Notice Communication
This template is an example of how you can record your DPIA process and
outcome. It follows the process set out in our DPIA guidance, and you should
read it alongside that guidance and the
Criteria for an acceptable DPIA set out in
European guidelines on DPIAs.
Step 1: Identify the need for a DPIA
Explain broadly what the project aims to achieve and what type of processing it
involves. You may find it helpful to refer or link to other documents, such as a
project proposal. Summarise why you identified the need for a DPIA.
In May 2018 in light of the implementation of the GDPR the University of Manchester’s
Division of Development and Alumni Relations (DDAR) published a revised Privacy Notice
and Legal Bases Assessment for Processing Personal Information. These two documents
set out the personal information processed by the DDAR, how it is done so, why, the
legal bases for doing so, and the rights of the data subjects in respect of this processing.
The two documents are publicly available here:
Privacy Notice: https://your.manchester.ac.uk/privacy/
Legal Bases Assessment: https://your.manchester.ac.uk/privacy/legal-bases-assessment/
This Data Protection Impact Assessment has been undertaken to record decisions around
communicating the Privacy Notice to the DDAR’s current stakeholders as well as the
rationale behind how this work will be continued in the future. The aim of communicating
the Privacy Notice is to ensure data subjects whose personal information is processed by
the DDAR are informed about the processing and their rights in respect of this; and to
ensure that the DDAR is conducting its processing in a fair, transparent manner in line
with all relevant data protection regulation. This document is intended to record the
discussions of Tom Jirat, Head of Operations, and Oliver Taylor, Development Research
Manager, within the DDAR based on their professional expertise and understanding of the
reasonable expectations of and what is most appropriate for DDAR stakeholders, alumni,
supporters and potential supporters; their ongoing work with the University’s DPO and
Information Governance Office to ensure the DDAR and the University operates legally;
and their understanding of the law, available case law, and the University of Manchester’s
institutional stance on data protection.
Step 2: Describe the processing
Describe the nature of the processing: how will you collect, use, store and delete
data? What is the source of the data? Will you be sharing data with anyone? You might
find it useful to refer to a flow diagram or another way of describing data flows. What
types of processing identified as likely high risk are involved?
DPIA template
20180209
v0.3
1
The processing undertaken by the DDAR is contained in the DDAR Privacy Notice. This is
regularly reviewed and updated to ensure the accuracy of the information it provides
reflects the activity of the Division. The purpose of this DPIA is to illustrate the
considerations of the DDAR when determining how to communicate this information to
stakeholders whose personal information is being processed.
Describe the scope of the processing: what is the nature of the data, and does it
include special category or criminal offence data? How much data will you be collecting
and using? How often? How long will you keep it? How many individuals are affected?
What geographical area does it cover?
The table below records the stakeholder groups the Privacy Notice may need to be
communicated to; the suggested method of communication and regularity of this
communication; and the rationale behind these plans.
Stakeholder Group | Method of Communication and Regularity | Rationale

Stakeholder Group: Current students

Method of Communication and Regularity: The Student Data Collection notice (http://www.regulations.manchester.ac.uk/data-collection-notice/) contains a section on how details are used after an individual graduates, which makes reference to the DDAR and signposts the DDAR Privacy Notice. As this is a layered approach to privacy the webpage this is accessed through contains a one line explicit reference in the summary to the use of data to keep in touch with individuals after they have graduated. Students are therefore made aware of the DDAR’s privacy practices at each point they are pointed to the Student Privacy Notice.

At the point they register to attend a graduation ceremony or register to decline their attendance and ask for their certificate to be posted to them individuals are presented with the details held on them in the student system and a short version of the DDAR Privacy Notice explicitly on the same webpage as the registration (or not) for graduation, just prior to seeing the contact details held on them in the student system. This informs them of how the DDAR uses their personal information (including a link to the full Privacy Notice), asks them to update it and tells them clearly how they can opt out of contact from the DDAR.

Rationale: The DDAR’s relationship with students is ‘light touch’ and through established student communications channels, and also mentioned in the Student Privacy Notice (http://www.regulations.manchester.ac.uk/data-collection-notice/). It would not be appropriate to students to communicate the DDAR Notice explicitly prior to this contact increasing once students graduate. This is reflected in the explicit communication of the short Privacy Notice along with the details currently held at the last substantial point of contact with all students prior to graduation. This second, more explicit communication of the DDAR Privacy Notice is intended to make clear to graduating students the nature of the DDAR’s processing and how and why this is important to them continuing their relationship with the University as alumni. We believe individuals expect a ‘for life’ relationship with their University and presenting their personal information to them in this way helps ensure the information is accurate as well as ensuring their rights in respect of future processing have been made clear.

Stakeholder Group: Alumni contactable by email

Method of Communication and Regularity: Each summer from 2018 onwards we have decided to communicate privacy information by email to all alumni who we can contact by this method of communication, subject to their preferences. This email will include a link to signpost the reader to the Privacy Notice as well as a call to action for alumni to check and where appropriate update their details. This activity will continue indefinitely subject to it being deemed appropriate for the University’s alumni engagement strategy and individuals this work aims to be of benefit to. In addition, every email sent by the DDAR contains the short version of the DDAR Privacy Notice in its footer and a link to the full version of the Privacy Notice.

Rationale: The DDAR wishes to ensure it is operating in a transparent and ethical way. Subject to an individual’s personal preferences this is the most cost effective way of providing them with information. Based on the data we have on opt outs and click throughs individuals expect this kind of communication and do not find it intrusive nor inappropriate. At the time of writing we are planning to conduct this activity each year to ensure individuals are explicitly reminded of their rights and freedoms in relation to the DDAR’s data processing, although this approach will be reviewed prior to each year’s communication. In including the email footer in each email sent by the DDAR, we are ensuring individuals are always reminded of their rights and what they can expect from the Division with regards processing of personal information.

Stakeholder Group: Alumni not contactable by email but contactable by post

Method of Communication and Regularity: Whilst we are able to contact the significant majority of our recent graduates and indeed many of those who graduated some time ago by email there are a number whom we can only contact by post (and potentially phone). These individuals will receive a full printed version of the DDAR Privacy Notice as an enclosure in their copy of the alumni magazine should they receive one, and if they have not yet seen the Notice. The alumni magazine is currently sent annually.

Rationale: The alumni magazine is our most powerful piece of alumni relations collateral and has been deemed an appropriate vehicle for communicating the DDAR Privacy Notice on the bases of: cost (in that it is cheaper to include as an insert than to send individually); target audiences (in that the magazine has historically tended to focus on individuals for whom post is a primary method of contact); and appropriateness (in that it is deemed in keeping with the concept of alumni engagement to use a warm piece of engagement material to communicate a factual document like the Privacy Notice). All individuals who have not seen the Privacy Notice will receive it in this manner as long as they are due to receive a magazine, as we cannot afford to send it to everyone. The magazine segmentation is determined by DDAR strategy, so focus will be on appropriate alumni groupings. As the University of Manchester is a UK institution and the majority of our graduates are based in the UK, however, individuals based in the UK are deemed a priority for activity. We therefore have committed to a separate segment to include UK based individuals who haven’t seen the Privacy Notice irrespective of whether or not they were due to receive a magazine in the first place. Other international target areas for activity are considered in the segmentation planning and included where possible, but it is not possible to include every country due to costs.

There will therefore be some individuals outside the UK who we can only contact by post (and potentially phone) who have not seen the GDPR version of the DDAR Privacy Notice but whose personal information we process. There are roughly 37,000 individuals who fit these criteria at the time of writing (5 August 2019). On balance, as these individuals will have minimal if any contact with the DDAR anyway (which would only ever really be a DM ask or event invite via post if it weren’t an alumni magazine) we feel we are justified to keep the data we have on them as they can reasonably expect us, as their alma mater, to have this information. Should an individual update us with information which means they can become more involved (such as an email address) they will receive Privacy Notice communications as per the group they fall into.

Stakeholder Group: Alumni contactable by phone only

Method of Communication and Regularity: We are planning to include these individuals in a segment to be telephoned by our Student Calling Team. This hasn’t been done yet but there are circa 13,000 individuals who fit these criteria at the time of writing (5 August 2019). We have no way of communicating the Privacy Notice in writing to them so need to try and update their details using the telephone first, before we can follow up with a communication of the Notice in an appropriate way (as per the above).

Rationale: These individuals will have minimal if any contact with the DDAR but we feel we are justified to keep the data we have on them as they can reasonably expect us, as their alma mater, to have this information. This said, as we do have a way of contacting them – albeit one not appropriate to communicate a full Privacy Notice – we are committed to trying to gain further details to ensure the Privacy Notice can be communicated appropriately. Should an individual from this group update us with an email or postal address they will receive Privacy Notice communications as per the group they fall into. The UK TPS register is checked weekly for UK numbers and international regulations will be consulted prior to any calling activity.

Commented [TJ1]: LMK: I am having concerns with this sentence: Contactable by phone: These individuals will have minimal if any contact with the DDAR so we feel we are justified to keep the data we have on them

Commented [TJ2]: Wording changed ‘so’ to ‘but’ – error on our part first time.

Commented [AD3]: Will they be checked for TPS if UK? If located overseas there may be other restrictions on telephone marketing related calls depending on the territorial scope of those laws

Commented [TJ4]: Yes, are TPS checked if UK – we run this once a week. We do undertake some international calling but have never screened these numbers. I will pick this up with our Regular Giving team to understand their future plans and we can go from there.

Stakeholder Group: Lost alumni

Method of Communication and Regularity: We have no way of communicating with these individuals.

Rationale: These individuals have no contact at all at present with the DDAR but we feel we are justified to keep the personal information we have on them as they can reasonably expect us, as their alma mater, to have this information and we would warmly welcome them updating us with new details and re-engaging with their University. Should an individual update us with information which means they can become more involved they will receive Privacy Notice communications as per the group they fall into.

Commented [TJ5]: LMK: With regards to the lost alumni, I have concerns that we are keeping their details. Have you got any evidence that lost alumni have been in contact in the past and you have been able to regroup them / resegment in a new group?

Commented [TJ6]: As hopefully clarified on Thursday as graduates of the institution, we keep details for the lifetime of the institution. Once they become ‘found’ they will fall into the appropriate group for communication of the Privacy Notice. This is reflected in the DDAR data retention schedule in the Privacy Notice.

Commented [AD7]: What details do we hold on these alumni? Are we holding contact details we know to be wrong?

Commented [TJ8]: We have a mix of people who would fall into this group – some we’ll have no contact details at all for; and some we’ll have former contact details which are no longer valid (but which are helpful when trying to trace the individuals).

Stakeholder Group: Future, would be alumni donors

Method of Communication and Regularity: At the point of making a donation online or via a physical donation form individuals are signposted to the DDAR Privacy Notice. This is also included on all physical donation forms. Donors who give over the telephone are predominantly alumni and so will see (or have seen) the Privacy Notice as per the above; we will use a script to inform them when they donate; and they will also receive it at the first point they get a stewardship email (if they can be contacted by this means).

Rationale: Signposting donors to how we use their information at the point of donation wherever possible is deemed the most appropriate and fair way of providing a processing notice. In reality, the significant majority of donors will have seen the DDAR Privacy Notice before they donate as they are alumni, or high level individuals assigned to a relationship manager whose emails (along with all DDAR staff) have signposts to the Privacy Notice in their footers. Furthermore, donors should have an expectation of the DDAR’s processing given they are undertaking a positive and unforced interaction with the Division in giving or pledging a gift, and indeed, one which the DDAR must then act upon in order to fulfil.

The number of alumni who give via the telephone and have not seen the Privacy Notice by another means is proportionally very small indeed. Given the disproportionate effort required to separately communicate a Privacy Notice to these individuals and the fact that as part of making a donation they can be deemed to have a reasonable expectation the University will process their information to fulfil this action no regular process exists to communicate the Notice to them separately. We have a script to use to tell donors how their data will be used when they give over the telephone (see below). They will also receive the Privacy Notice, however, as part of subsequent communications such as stewardship emails (if they are contactable by email) which as per all DDAR emails have the short DDAR Privacy Notice in the footer and a link to the full DDAR Privacy Notice. As part of future developments we will evaluate the merits of a script to be used when people call the office to donate, part of which informs them how their data will be used. Donor specific communications relate to their gift: for example they will receive e-newsletters, annual update publications, and potential invites to donor receptions.

Commented [TJ9]: Now split to alumni and non-alumni donors

Commented [TJ10]: We unfortunately can’t get an exact figure for this but at present we do not actively solicit non-alumni donors by telephone as a matter of course. For a non-alumnus to give via phone they would have to seek out something they wanted to fund and then actively phone the office to do so (see section added below). This kind of unsolicited giving by non-donors is very unlikely, especially via phone – if it did happen we suspect it would more likely be online.

Commented [TJ11]: LMK: With regards to donors, I would suggest that whilst on the phone they can be directed to our website for details on our privacy notice. Same for Event Registrants. If you do decide to include scripts in the future I would suggest that you update this DPIA.

Commented [TJ12]: Ok - would be covered by the ‘script’. I think this should only be a couple of lines though. This is now included on page 10.

Commented [AD13]: This group, specifically donors that are not alumni poses a greater compliance risk in the sense that without consent there is little to justify further electronic marketing post donation. Sending a privacy notice which seeks to rely on legitimate interests for those not in the alumni group would be likely to be considered unfair processing by the ICO and incompatible with PECR.

Commented [TJ14]: We have sent an email of the Privacy Notice and a link to the giving blog recently and would hope we can cover this under an ‘administration’ communication. We shouldn’t have to do this again now the Privacy Notice is provided at each point of donation.

Stakeholder Group: Future, would be non-alumni donors

Method of Communication and Regularity: At the point of making a donation online or via a physical donation form individuals are signposted to the DDAR Privacy Notice. The likelihood of a non-alumnus with no prior relationship with or connection to the University donating via post or phone is very low indeed; these kinds of donations are most likely to occur via Crowdfunding projects non-alumni donors have a connection to. If non-alumni donors give via the phone we will tell them how their data will be used via a script (see below). They will also see the Privacy Notice at the first point they get a stewardship email (if they can be contacted by this means).

Rationale: Signposting donors to how we use their information at the point of donation wherever possible is deemed the most appropriate and fair way of providing a processing notice. In reality, the significant majority of donors will have seen the DDAR Privacy Notice before they donate as they are alumni, or high level individuals assigned to a relationship manager whose emails (along with all DDAR staff) have signposts to the Privacy Notice in their footers. Furthermore, donors should have an expectation of the DDAR’s processing given they are undertaking a positive and unforced interaction with the Division in giving or pledging a gift, and indeed, one which the DDAR must then act upon in order to fulfil. Donor specific communications relate to their gift: for example they will receive e-newsletters, annual update publications, and potential invites to donor receptions. We do not currently actively re-solicit non-alumni donors by telephone. They are occasionally included in direct mail shots (legitimate interest). We do have a handful of non-alumni individuals (27 in total) who actively indicated (proactive consent) that they were interested in making a regular donation to the University on the Hubbub crowdfunding platform when this was offered. This option is no longer present but we believe we have consent to contact these individuals for this purpose and need to follow this up.

Commented [TJ15]: We do need clarification on what ‘stewardship’ counts as: is it wrong to see it as administrative? This influences how we can market, and if we need consent.

Stakeholder Group: Non alumni past low level donors (given or pledged less than £10,000) contactable by email

Method of Communication and Regularity: This group consists of non-alumni who we have no concrete record of proactively communicating the GDPR DDAR Privacy Notice to but who have given non-major gift level donations to the University and we can contact by email. They will receive an email (subject to their preferences) which signposts them to the DDAR Privacy Notice and the DDAR Giving Blog. This will be undertaken once, in July 2019, and include circa 950 individuals.

Rationale: These are individuals who we may resolicit for support in future so it is important they see the Privacy Notice. Communicating it by email is the most cost effective method. This activity is expected to need to be undertaken once to cover individuals who did not see the GDPR version of the DDAR Privacy Notice when they donated. There is an expectation that as donors to the University these individuals will have an expectation the institution will process their personal information, and (from 24 May 2018 onwards) donors will be signposted to the appropriate Privacy Notice when they give (for all methods except telephone donations – see above).

Commented [AD16]: As above. It is unlikely from previous ICO decisions relating to charities and to their PECR guidance that the ICO would view electronic marketing to donors as compatible with PECR without opt-in consent

Commented [TJ17]: As mentioned above: we have sent an email of the Privacy Notice and a link to the giving blog recently and would hope we can cover this under an ‘administration’ communication. We shouldn’t have to do this again now based on the above.

Stakeholder Group: Non alumni past low level donors (given or pledged less than £10,000) not contactable by email but contactable by post

Method of Communication and Regularity: This group consists of non-alumni who we have no concrete record of proactively communicating the GDPR DDAR Privacy Notice to but who have given non-major gift level donations to the University and we cannot contact by email but can by post. They will receive a Privacy Notice insert in a copy of the 2019 supporter newsletter. Circa 650 individuals fall into this category at the time of writing (5 August 2019).

Rationale: These are individuals who we may resolicit for support in future so it is important they see the Privacy Notice. Communicating it by post is the only option we have for this group. This activity is expected to need to be undertaken once, to cover individuals who did not see the GDPR version of the DDAR Privacy Notice when they donated. There is an expectation that as donors to the University these individuals will have an expectation the institution will process their personal information, and (from 24 May 2018 onwards) donors will be signposted to the appropriate Privacy Notice when they give (for all methods except telephone donations – see above).

Commented [AD18]: Legitimate interests is likely to be acceptable for this group but only for postal communications if they were to provide an email address or we obtained one it would be likely to require opt-in.

Commented [TJ19]: Should be ok – will contact these with the Privacy Notice via post, with an insert in the Your Impact publication.

Stakeholder Group: Event registrants

Method of Communication and Regularity: At the point of registering for an event online, which is how the significant majority of registrations are taken, individuals are signposted to the DDAR Privacy Notice. We have a script to read out to individuals who register over the telephone to signpost them to the Privacy Notice and alert them to how their personal information will be used (see below). We have a web script on the DDAR website that looks for pages in the events area that have a form on, and if it finds them it displays the privacy notice. This script runs automatically.

Rationale: Signposting event registrants to how we use their information at the point of their registration wherever possible is deemed the most appropriate and fair way of providing a processing notice. In reality, event registrants should have an expectation of the DDAR’s processing given they are undertaking a positive and unforced interaction with the Division in registering for an event, and indeed, one which the DDAR must then act upon in order to fulfil.

The number of individuals who register via the telephone and have not seen the Privacy Notice via another means is small. Given the disproportionate effort required to separately communicate a Privacy Notice to these individuals and the fact that as part of registering to attend an event they can be deemed to have a reasonable expectation the University will process their information, no regular process exists to communicate the Notice to them separately but we will also use a script to signpost them to the Privacy Notice during the call. They will also receive signposts to the Privacy Notice as part of emails they are sent from DDAR, which contain it in the footer. We do not currently market to people based on them solely being an ‘event registrant’ and will review our practices should this approach ever be reviewed.

Commented [TJ20]: We don’t really do follow up marketing other than ‘how did you find the event’ as a result of someone attending an event; and don’t treat ‘event registrants’ as a group to be marketed to because of this (although some may be alumni, donors etc)

Commented [AD21]: True but possibly only as far as event administration goes not follow-up electronic marketing to non-alumni where the event does not involve payment i.e. the purchase of goods or services.

Commented [TJ22]: LMK: With regards to donors, I would suggest that whilst on the phone they can be directed to our website for details on our privacy notice. Same for Event Registrants. If you do decide to include scripts in the future I would suggest that you update this DPIA.

Commented [TJ23]: As above – don’t market to event registrants on this basis, only if they fall into an additional group such as alumni.

Commented [AD24]: As above, there is risk relying on legitimate interests for electronic marketing off the back of a free event.

Stakeholder Group: Staff and former staff

Method of Communication and Regularity: No bespoke communication.

Rationale: The significant majority of staff whose information the DDAR process will fall into another group, e.g. alumni, donors, prospects, event registrants or volunteers and therefore receive the Privacy Notice owing to this via the appropriate method. Those who do not will be key stakeholders in the DDAR from an internal perspective. Beyond this we have c. 1000 staff and c. 650 former staff who only fall into these constituency groups – these records are due to be reviewed and deleted if it is no longer appropriate to hold them. These individuals will receive the Privacy Notice via the email footer of DDAR staff whenever they communicate by email; there is also a reasonable expectation that as employees of the University they can expect a Division of the organisation such as the DDAR to process their information. We do, however, need to explore if we can get the DDAR Privacy Notice signposted to in the Staff Privacy Notice, as Staff and Former staff are likely to be an increasingly important constituency group for engagement in future.

Commented [TJ25]: Not sure on this one – can we rely on the staff privacy notice to cover it? Seems the most low risk too.

Commented [AD26]: This group is not necessarily one block, there may be differences between the groups.

Commented [TJ27]: Alex – can we do this if I draft something up? Our LBA will also need to be updated if we can.

Stakeholder Group: Volunteers

Method of Communication and Regularity: No bespoke communication.

Rationale: The significant majority of volunteers whose information the DDAR process will fall into another group, with the majority being alumni. They will therefore receive the Privacy Notice owing to this via the appropriate method. The DDAR’s alumni and volunteering portal, the Manchester Network, also signposts users to the appropriate Privacy Notices when they sign up for the service. We only have circa 70 volunteers (ever) on record who are not alumni or donors.

Commented [AD28]: Again electronic marketing to volunteers who are not alumni relying on legitimate interests could be an issue

Commented [TJ29]: We don’t market to these people at present in DDAR – we only communicate with them about volunteering.

Stakeholder Group: Individuals with current or previous high level involvement

Method of Communication and Regularity: Bespoke communication when appropriate so as not to impede the relationship.

Rationale: These individuals have given significant financial support to the University (£10,000+) and/or been involved at a significant level as a supporter, friend or critical partner of the institution. Whilst some may no longer have a strong connection to the University the status of these individuals means that a direct communication of an updated Privacy Notice is inappropriate when balanced against the individuals’ expectations that the University must process their data to have a record of their prior involvement. At the time of writing, we believe there only to be circa 200 individuals who fall into this category (on a database of 580,000+ constituents). A Privacy Notice will be communicated in a bespoke manner if and when appropriate so as not to impede the relationship.

Commented [AD32]: I think I would actually interpret these individuals as having received a form of bespoke information as I assume they receive personalised information

Commented [TJ30]: LMK With regards to Individuals with previous high level involvement, if we are not writing to them and following your rationale, I would not expect for us to have the data.

Commented [TJ31]: Balancing test - not appropriate to delete data as important to maintain a record of their involvement and limited impact on the data subjects.

Commented [AD33]: Agreed

Stakeholder Group: Non alumni individuals with potential high level involvement

Method of Communication and Regularity: Individualised communication from relationship manager when assigned.

Rationale: These individuals have the potential to offer significant financial support to the University and/or be involved at a significant level but who have no prior connection to the University. A specific, explicit Privacy Notice communication sent at the point of data collection is likely to be damaging to the building of the relationships and the business objectives of the DDAR. We understand that these individuals will have a reasonable expectation that their personal information (from the public domain) will be processed in this manner to allow appropriate approaches and conversations in line with their interests. Accordingly, we will ensure that the DDAR Privacy Notice is included as relationship managers build these relationships (usually in the form of an email footer from an individual relationship manager’s email account) but, considering the legitimate business objectives and what these individuals would expect, will refrain from sending direct Privacy Notice communications before any contact is made.

Commented [TJ34]: LMK: With regards to Non alumni individuals with potential high level involvement, you will need to rewrite this section as it does not represent what you are doing. It seems to say that you do not give the Privacy statement to them when they actually get a more bespoke engagement by one to one attention, hence more opportunity to be exposed to the privacy notice.

Commented [TJ35]: Not sure about fully re-writing here, Laurence, as discussed today as it does reflect what we do, but I have added ‘explicit’ to clarify. This is in line with CASE guidance, agreed with the ICO – Ollie will forward on for reference!

Commented [AD36]: Agreed

It is a Divisional requirement that all DDAR staff have the short version of the DDAR
Privacy Notice in their email footers. This ensures that any individual in contact with a
DDAR staff member directly, be they alumni, students, prospects, colleagues or
supporters, also receives a signpost to the Privacy Notice as part of that conversation.
The same statement is included on all bulk email communications sent by the DDAR. A
‘micro’ version of the Privacy Notice is included on all data capture forms, and integrated
into all business areas the DDAR is responsible for and obtains information from.
When speaking to individuals on the telephone as a means of data collection (e.g.
registration for an event or giving of a donation) we will use the following script:
Just to let you know, the Division of Development and Alumni Relations processes your
personal information in accordance with all relevant data protection legislation. Our
Privacy Notice is available at https://your.manchester.ac.uk/privacy and you can tell us
how you want to hear from the DDAR at any time by contacting us on
xxxxxx@xxxxxxxxxx.xx.xx or +44 (0)161 306 3066.
Describe the context of the processing: what is the nature of your relationship with
the individuals? How much control will they have? Would they expect you to use their
data in this way? Do they include children or other vulnerable groups? Are there prior
concerns over this type of processing or security flaws? Is it novel in any way? What is
the current state of technology in this area? Are there any current issues of public
concern that you should factor in? Are you signed up to any approved code of conduct or
certification scheme (once any have been approved)?
All individuals whom we wish to see the DDAR Privacy Notice either have a pre-existing
relationship with the University or the potential to have one in the future. As such, we
believe there is an expectation from these individuals that their personal information may
be used by the DDAR to fulfil its mandated functions in support of the University of
Manchester’s core goals of outstanding learning and student experience, world-class
research, and social responsibility. This said we are committed to ensuring we only
process personal information in ways individuals would reasonably expect and always
balance our approach against their rights and freedoms. Our Privacy Notice and Legal
Bases Assessment are crucial to this, and we believe communicating them appropriately
is (or should be) standard practice.
We are aware that the charitable sector has been subject to considerable media attention
over the past few years which brought to light poor practice in a number of organisations
of which the University was not one. Nonetheless, as a values driven organisation
committed to transparency, ethical practice and doing the best for society as well as the
individuals who trust us with their personal information we have used this climate and
changes to the law as an opportunity to review and where appropriate improve our work.
We are a member of the Fundraising Regulator, and actively keep abreast of policy and
regulation developments from the ICO as well as established sectoral bodies such as the
Council for the Advancement and Support of Education (CASE) and the Institute of
Fundraising (IOF).
Describe the purposes of the processing: what do you want to achieve? What is the
intended effect on individuals? What are the benefits of the processing for you, and more
broadly?
The purpose of this exercise is to ensure data subject stakeholders receive the
appropriate information to ensure that they are aware of what, how and why the DDAR is
processing their information, and what their rights are in respect of this. This is to be
achieved via the communication of the DDAR Privacy Notice. The benefits to the DDAR
are ensuring it is working in an ethical, transparent way that meets the expectations of
its stakeholders whose rights and freedoms have been considered at every stage of the
development of the Division’s approach to legal compliance.
Step 3: Consultation process
Consider how to consult with relevant stakeholders: describe when and how you
will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do
you need to involve within your organisation? Do you need to ask your processors to
assist? Do you plan to consult information security experts, or any other experts?
As part of its preparations for GDPR in January 2017 the DDAR established a
Compliance Working Group which meets once a month and consists of the Deputy
Director – Development Services, Head of Operations and Development Research
Manager. This group is responsible for the Division’s approach to data protection,
working closely with the University’s Information Governance Office. The University
Data Protection Officer is invited to this meeting when appropriate and as required.
The Director of the Division of Development and Alumni Relations and other senior
University stakeholders are kept informed and asked for guidance, steer and input as
appropriate.
Data on interactions and communications with and the behaviour of the University’s
488,000+ alumni has underpinned the decisions taken throughout the GDPR
preparation as it has been our best way of understanding the expectations of data
subjects and as a result the actions we have needed to take. Given the number of
alumni the University has and the fact the DDAR’s activity has been established for
circa thirty years, it was not practicable to seek consultation with them; however,
feedback received is always duly considered and actioned as appropriate. We are
keen members of professional networks and rely on the ICO’s guidance to underpin
our approach.
Step 4: Assess necessity and proportionality
Describe compliance and proportionality measures, in particular: what is
your lawful basis for processing? Does the processing actually achieve your
purpose? Is there another way to achieve the same outcome? How will you
prevent function creep? How will you ensure data quality and data minimisation?
What information will you give individuals? How will you help to support their
rights? What measures do you take to ensure processors comply? How do you
safeguard any international transfers?
Our Legal Bases Assessment sets out our lawful bases for processing for all types
of DDAR activity and for all stakeholder groups. This works alongside our Privacy
Notice and both documents are publicly available to ensure transparency. We
believe the decisions taken and documented in Step 2 with regard to the
communication of the Privacy Notice are appropriate relative to each stakeholder
group’s expectations.
Step 5: Identify and assess risks
Describe the source of risk and nature of potential impact on individuals. Include
associated compliance and corporate risks as necessary.
For each risk: likelihood of harm (remote, possible or probable); severity of harm
(minimal, significant or severe); overall risk (low, medium or high).
This DPIA covers individuals seeing the DDAR Privacy Notice at a time and in a way
appropriate to them and their relationship with the DDAR, documents the DDAR’s
considerations in this respect, and rationalises the risks involved.
The risks associated with the communication of the DDAR Privacy Notice to individuals are:
1) An individual does not see the Privacy Notice and objects either immediately or at a
later date to something contained in it.
Likelihood of harm: Remote / Possible. Severity of harm: Remote. Overall risk: Low / Medium.
2) An individual sees the Privacy Notice and objects to something in it immediately or at
a later date.
Likelihood of harm: Remote / Possible. Severity of harm: Remote. Overall risk: Low / Medium.
3) An individual never gets the chance to see the Privacy Notice so is unaware the DDAR is
processing their information.
Likelihood of harm: Remote. Severity of harm: Remote. Overall risk: Low / Medium.
4) We communicate to an individual we seek to rely on legitimate interest to carry out
electronic marketing based on the fact they have purchased a service from us, and they
object to this or disagree with our interpretation of the law. This is a compliance and
corporate risk although the potential damage to individuals is low.
Likelihood of harm: Possible. Severity of harm: Remote. Overall risk: Medium.
Commented [TJ37]: LMK Overall, I agree with Alex’s evaluation of the risk raised, which are
too low. Additionally there are a couple of risks to consider, depending on your responses
with regards to data being kept but not accurate potentially (Lost alumni for example) and
there is still a question of retention of the said records if we don’t communicate to them
why have we got them?
Commented [TJ38]: Need to retain certain record for lifetime of the institution in line
with the University’s and DDAR objectives; these are people who have engaged with us.
Commented [AD39]: For 2 and 3 in particular I think given we are required to also consider
the compliance and corporate risks the overall risk may be higher. We will be communicating
to individuals the fact that we seek to rely on legitimate interests to carry out
electronic marketing and for certain groups this is likely to be problematic.
Step 6: Identify measures to reduce risk
Identify additional measures you could take to reduce or eliminate risks
identified as medium or high risk in step 5
For each risk: options to reduce or eliminate risk; effect on risk (eliminated, reduced or
accepted); residual risk (low, medium or high); measure approved (yes/no).
Commented [TJ40]: Alex, Laurence – please can you clarify what this means?
Risk: 1) An individual does not see the Privacy Notice and objects either immediately or
at a later date to something contained in it.
Options to reduce or eliminate risk: Based on the rationales above in Step 3, the risk
here is negligible in the first instance as the significant majority of individuals the
DDAR processes personal information on will have the opportunity to see the DDAR Privacy
Notice on a regular basis. For those who do not, a decision has been taken which balances
their reasonable expectations, rights and freedoms, and the objectives of the University.
If a data subject raises any objections to processing the DDAR will do all it can to
address these effectively and efficiently at the point they are raised.
Effect on risk: Accepted
Residual risk: Low
Measure approved: N/A
Risk: 2) An individual sees the Privacy Notice and objects to something in it immediately
or at a later date.
Options to reduce or eliminate risk: This will always be a risk in communicating the
Privacy Notice proactively. If a data subject raises any objections to processing the DDAR
will do all it can to address these effectively and efficiently at the point they are
raised.
Effect on risk: Accepted
Residual risk: Low
Measure approved: N/A
Risk: 3) An individual never gets the chance to see the Privacy Notice so is unaware the
DDAR is processing their information.
Options to reduce or eliminate risk: The DDAR could communicate the DDAR Privacy Notice to
every single individual personally before any further contact is undertaken. This is,
however, likely to impede the development of a relationship where a very small number of
individuals with unique or bespoke connections to the Division are concerned and the
initial connect is usually undertaken by email. There will be some individuals who the
DDAR has historical information on but is now unable to contact, for example ‘lost’
alumni. For these individuals, there is a chance they may object to the DDAR processing
their information but given they have an established relationship with the University it
is assumed there is a reasonable expectation from them the University will process their
data and on balance this processing does not impede them in any way, damage their rights
and freedoms, nor cause them undue harm or distress. If a ‘lost’ individual updates their
details in any way they should see the DDAR Privacy Notice and be given a chance to update
their preferences accordingly.
Effect on risk: Accepted
Residual risk: Low
Measure approved: N/A
Risk: 4) We communicate to an individual we seek to rely on legitimate interest to carry
out electronic marketing based on the fact they have purchased a service from us, and they
object to this or disagree with our interpretation of the law. This is a compliance and
corporate risk although the potential damage to individuals is low.
Options to reduce or eliminate risk: The data we have suggests that individuals with a
prior connection to us expect us to communicate with them via email. Our publicly
available Legal Bases Assessment
(https://your.manchester.ac.uk/privacy/legal-bases-assessment/) sets out our position. We
have balanced the potential impact on individuals who may disagree with our understanding
and interpretation of the law against the potential benefit this activity has on society
to come to our conclusion.
Effect on risk: Accepted
Residual risk: Low
Measure approved: N/A
Step 7: Sign off and record outcomes
Item: Measures approved by
Name/date: JUDE
Notes: Integrate actions back into project plan, with date and responsibility for
completion
Item: Residual risks approved by
Name/date: N/A
Notes: If accepting any residual high risk, consult the ICO before going ahead
Item: DPO advice provided
Name/date: ALEX
Notes: DPO should advise on compliance, step 6 measures and whether processing can proceed
Summary of DPO advice:
Item: DPO advice accepted or overruled by
Name/date: KATE W
Notes: If overruled, you must explain your reasons
Comments:
Item: Consultation responses reviewed by
Name/date: N/A
Notes: If your decision departs from individuals’ views, you must explain your reasons
Comments:
Item: This DPIA will be kept under review by
Name/date: Jude Alldred and Tom Jirat
Notes: The DPO should also review ongoing compliance with DPIA
LMK: Overall, I agree with Alex’s evaluation of the risk raised, which are too low.
Additionally there are a couple of risks to consider, depending on your responses with
regards to data being kept but not accurate potentially (Lost alumni for example) and
there is still a question of retention of the said records if we don’t communicate to them
why have we got them?