Privacy policy

1. Purpose

1.1 To provide a template Privacy Policy that NL Group Limited can adapt to use on their website.

1.2 By using the template Privacy Policy provided, NL Group Limited will ensure that the policy on their website is UK GDPR compliant.

1.3 To support NL Group Limited in meeting the following Key Lines of Enquiry/Quality Statements (New):

Key Question Key Lines of Enquiry Quality Statements (New)
WELL-LED W2: Does the governance framework ensure that responsibilities are clear and that quality performance, risks and regulatory requirements are understood and managed? QSW5: Governance, management and sustainability


1.4 To meet the legal requirements of the regulated activities that {NL Group Limited} is registered to provide:

  • The Privacy and Electronic Communications (EC Directive) Regulations 2003
  • Data Protection Act 2018


2. Scope

2.1 The following roles may be affected by this policy:

  • All staff

2.2 The following Service Users may be affected by this policy:

  • Service Users

2.3 The following stakeholders may be affected by this policy:

  • Family
  • Advocates
  • Representatives
  • Commissioners
  • External health professionals
  • Local Authority
  • NHS


3. Objectives

3.1 To provide assurance that NL Group Limited has a Privacy Policy in place for users of its website that is UK GDPR compliant.

3.2. To establish ways of working in terms of the use, storage, retention and security of personal data.

3.3 To ensure that all Data Subjects, including Service Users, understand the ways in which their personal data is collected and processed by NL Group Limited via their website.


4. Policy

4.1 NL Group Limited understands that if they operate a website, they need to update their Privacy Policy to ensure that it is compliant with UK GDPR. NL Group Limited will use this Privacy Policy as a template for its updated version.

NL Group Limited understands that this Privacy Policy only needs to be uploaded to their website if personal data is collected via the website.

NL Group Limited will use the Fair Processing Notice template to inform all Data Subjects, including Service Users, how their personal data is processed.

4.2 NL Group Limited understands that the Privacy Policy template can be found in the UK GDPR suite within the QCS management system.

NL Group Limited understands that terms in square brackets are optional (depending on whether or not they apply to NL Group Limited).

NL Group Limited must review the Privacy Policy in its entirety to determine which elements are applicable to its website, and which are not relevant.

For example:

  • If the template Privacy Policy refers to personal data that is not collected by NL Group Limited via its website, NL Group Limited can remove this
  • If the website of NL Group Limited does not use cookies, they will delete references to cookies and the Cookie Policy
  • If NL Group Limited does not transfer personal data outside of the EEA, they will delete the section entitled “Where we store your personal data”
  • If NL Group Limited is not required to appoint a Data Protection Officer, they will delete references to the Data Protection Officer
  • NL Group Limited may consider replacing Data Protection Officer references with ‘Privacy
    Officer’ instead, referencing the person nominated to have day-to-day responsibility for data protection and UK GDPR
  • If NL Group Limited uses personal data collected via its website in a way that is not described in the Privacy Policy, it must consider incorporating additional sections

This Privacy Policy directs users to a webpage with a contact form or contact details if they wish to
contact NL Group Limited. NL Group Limited will consider whether to provide an alternative contact method instead, such as an email address and/or phone number.

If NL Group Limited has any concerns or queries in respect of the template Privacy Policy, they must seek legal advice.

4.3 UK GDPR has changed the way cookies should be incorporated into websites which means that NL Group Limited must explain what cookies will be set and what the cookies will do to the users of its website. NL Group Limited must obtain consent from individuals to store certain cookies on devices. Cookies that are not strictly necessary, need consent which is UK GDPR compliant, this means that NL Group Limited can no longer rely on implied consent.

NL Group Limited will ensure that it uses a cookie banner on its website to obtain consent to the use of cookies in line with this policy and that if no consent is obtained, no cookies will be set.

4.4 NL Group Limited must, therefore, update its processes for collecting consent for cookies. In practice, this means:

  • Users must take a clear and positive action to consent to non-essential cookies
  • The websites and apps of NL Group Limited must tell users clearly what cookies will be set and what they do, including any third-party cookies
  • Pre-ticked boxes or any equivalents, such as sliders defaulted to “on”, cannot be used for non- essential cookies
  • The users at NL Group Limited must have control over any non-essential cookies
  • Non-essential cookies must not be set on landing pages before you gain the user’s consent

Consent is not required for cookies that are defined as “strictly necessary” or that fall within the
communication exemption. “Strictly necessary” cookies are those that are essential to providing the service requested by the user. Such cookies must be essential to fulfil their request. Those that are simply helpful or convenient, but not essential, or that are essential for the purposes of NL Group Limited, will still require consent. The communication exemption is about the transmission of a communication over an electronic communications network. For the exemption to apply, the transmission of the communication must be impossible without the use of the cookie. Simply using a cookie to assist the communication is insufficient for the exemption to apply.

NL Group Limited must note, in particular, that cookies used for analytical purposes or those used for marketing and advertising will always need consent as they are considered to be non-essential. This guidance may change as the latest draft legislation is subject to some challenges on this point.

NL Group Limited must read the ICO’s cookie guidance available at: organisations/guide-to-pecr/cookies-and-similar-technologies/ for further information on the types of cookie that require consent.


5. Procedure

5.1 NL Group Limited will consider whether or not it collects personal data via its website (for example, via enquiry forms, requests to be sent newsletters, requests for provision of services) and whether it needs a Privacy Policy. NL Group Limited acknowledges that the use of cookies constitutes processing of personal data via the website.

5.2 NL Group Limited will adapt the Privacy Policy before uploading it to its website to ensure that all aspects of the Privacy Policy are relevant and reflect the ways in which NL Group Limited processes personal data collected via its website.

Where NL Group Limited has any concerns or queries in relation to its own Privacy Statement, NL Group Limited will seek legal advice.

5.3 NL Group Limited will use the Fair Processing Notice template to inform all other Data Subjects, including Service Users, about how NL Group Limited processes personal data other than personal data collected via the website.


6. Definitions

6.1 The Information Commissioner’s Office (ICO)

  • The ICO is the UK’s independent body set up to uphold information rights

6.2 Data Subject

  • The individual whom NL Group Limited has collected personal data

6.3 Data Protection Act 2018

  • The Data Protection Act 2018 is a United Kingdom Act of Parliament that updates data protection laws in the UK. It sits alongside the General Data Protection Regulation and implements the EU’s Law Enforcement Directive


  • General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It became enforceable on 25 May 2018
  • References to GDPR include references to the UK GDPR
  • The UK GDPR is the retained EU law version of GDPR that forms part of English law

6.5 Personal Data

  • Any information about a living person including but not limited to names, email addresses, postal addresses, job roles, photographs, CCTV and special categories of data

6.6 Process or Processing

  • Doing anything with personal data, including but not limited to collecting, storing, holding, using, amending or transferring it. NL Group Limited does not need to be doing anything actively with personal data – at the point NL Group Limited collects it, it is processing it

6.7 Special Categories of Data

  • Has an equivalent meaning to “Sensitive Personal Data” under the Data Protection Act 2018. Special categories of data include but are not limited to medical and health records (including information collected as a result of providing health care services), Care Plans and information about a person’s religious beliefs, ethnic origin and race, sexual orientation and political views

6.8 Cookies

  • Cookies are small files which are stored on a user’s computer. They are designed to hold a modest amount of data specific to a particular client and website and can be accessed either by the web server or the client’s computer


Key Facts – Professionals

Professionals providing this service should be aware of the following:

  • The Privacy Policy applies to personal data collected via the website of NL Group Limited


Key Facts – People affected by the service

People affected by this service should be aware of the following:

  • Personal data provided to NL Group Limited via its website will be processed in accordance with the Privacy Policy at NL Group Limited


Further Reading

As well as the information in the ‘underpinning knowledge’ section of the review sheet we recommend that you add to your understanding in this policy area by considering the following materials:

Please find the form below in the Forms section of the GDPR suite of policies within the QCS Management system:

Website Privacy Statement

BBC – What do I need to know about cookies? What do I need to know about cookies? – Using the BBC

ICO cookie guidance:

It is important for NL Group Limited to note that the ePrivacy Regulation which is currently in the draft stage may change the way that consent is required for certain cookies, including analytic cookies. At the time of updating this policy, the draft suggests that using analytic cookies as a simple first-party data analytics tool to learn about website audiences in a non-intrusive way may not require explicit consent. The proposal suggests that cookie consent can be exempted when the data tracked is purely for analytical purposes and the data collected cannot identify an individual. However, it is yet unclear whether external services, such as Google Analytics, will benefit from this exemption.

If NL Group Limited only uses analytical cookies for the purpose of learning about website audiences and its website is low risk, we suggest that NL Group Limited may want to wait until the final draft of the ePrivacy Regulation is adopted, further guidance is issued, and website developers have the tools required before updating its cookie banner to seek explicit consent for analytic cookies.

Outstanding Practice

To be ‘ outstanding ’ in this policy area you could provide evidence that:

  • The wide understanding of the policy is enabled by proactive use of the QCS App
  • NL Group Limited ensures that clear links are available to the privacy policy on its website and that, if a person inputs personal data into the website, they are directed to the policy and required to accept its terms
  • NL Group Limited has modified the template privacy policy to ensure that it includes all information relevant to the collection of personal data via its website and has uploaded a copy to its website



The following forms are included as part of this policy:

Title of form When would the form be used? Created by
Cookies Example Policy Statement – GDPR08 When NL Group Limited has no information on the use of cookies on its website (a Cookie Policy). It can be used with the Website Privacy Statement. QCS
Website Privacy Statement – GDPR08 To explain website users’ personal information will be handled QCS