Step 1: Identify the purpose

How to identify the purpose of processing personal data for a privacy notice

Identify the purposes for processing personal data

Think about the ‘lifecycle’ of the data. List each purpose for which you will use the personal data provided by the data subject. You need to go into sufficient detail to make sure the data subjects fully understand what will happen to their personal data. However, you do not need to go into minute detail.

If you use any ‘data processors’, you must say so.


Examples are provided below of inappropriate amounts of detail, best practice and also what to say when you use data processors.

Inappropriate amounts of detail

Too little detail

  • “The personally identifiable information you provide will be processed in accordance with applicable data protection law.”
  • “We will process the personal information you provide us so you can study at the University of Edinburgh.”
  • “We may share your information with third parties.”

Too much detail

We will send you regular updates about the XYZ School. As soon as you graduate, our school administrator will contact your personal tutor and ask him/her to extract your email address from his/her computer. The school administrator will then enter your email address into the SchoolNews computer system, where it will be stored in a subfolder called ‘alumni’. Every three months, the administrator will then use an email template that will enable him/her to generate an email with a newsletter attachment. The email template will be populated with your email address. This newsletter will then be emailed to you.

Best practice

Examples of best practice

Student application form:

The University holds information about everyone who studies at the University. We use the information to administer your studies, maintain our IT system, monitor your performance and attendance, provide you with support, monitor equal opportunities, make funding arrangements, to gather feedback (including the National Student Survey), and for strategic planning.

Sports Medicine:

The information you provide will be used by the University, which needs to do so in order to manage your health record and provide treatment.

For newsletters:

D & A process the personal data of our alumni, supporters and other stakeholders, in order to deliver and improve the opportunities and services we provide in a personalised manner, to ensure each individual receives relevant information and to ensure we use resources in the most efficient and effective way. Personal data is processed by the University and affiliated groups to:

- Keep you up to date with news and progress regarding the University

- Promote alumni and supporter events, activities and programmes

- Provide you with any services you have requested and the promotion of benefits and services

- Ensure we only communicate with you about events, opportunities, services or fundraising appeals of interest to you

For events:

We will process information about you to administer your conference attendance, and a week after the event, to send you the presentations by email.


Data processors

If you use a company that provides hosted cloud computing services to store personal data, you must explain this.

Cloud computing example

The University will use an external company to process information about you on the University’s behalf. The University remains responsible for the information and will ensure it is kept securely.

If you use a company that provides you with video-based competency interviews, you would write:

Video-based competency interviews example

The University will use an external company to provide a system that will assist with providing interview questions, randomise these questions during interviews, film the interview and store the footage securely.