Legal content
There are several content types which must accompany a service. These are legal pieces of content which allow users to understand how the service works and any impact the service might have on a user.
As legal content can use complex language and be confusing, you have an important role in making sure these content types are readable and accessible as well as factually accurate.
Remember, these content types must be translated into Welsh if your service is also translated.
Terms and conditions
Before your service goes into private beta, you’ll need to create terms and conditions.
You should be able to work with legal and policy stakeholders to draft the terms and conditions in a user-centred way.
If you can, do some pilot testing with users and iterate.
Legal will take responsibility for signing off the terms and conditions, so it’s important that they have the final say on words. There are certain words that have a specific legal meaning, so they cannot be changed. But, where you can, advocate for clarity and plain English.
Examples of terms and conditions
- Apply for probate terms and conditions
- Check for flooding terms and conditions
- Apply for a passport terms and conditions
Privacy notice
All services must feature a privacy notice, also called a privacy policy, before moving into private beta.
The privacy notice tells users what information will be collected from them and why.
The privacy notice must be specific to the service and available to the user at any point in the service. It must be linked to from the footer.
The service manual says that a privacy notice must explain:
- step by step, what you’ll do with the personal information once you’ve collected it
- why you’re collecting their personal information
- which of the legal bases you’re using for collecting and processing personal information
- how long you’ll keep the personal information - or, if there’s no set period, how you’ll decide how long to keep it
The data protection team must check the privacy notice before it’s published.
Read more about collecting personal information from users and privacy notices.
Examples of privacy notices
Accessibility statement
The service must have an accessibility audit before moving into public beta. Speak to your service team about the audit and when you expect to receive the report.
An accessibility audit is an expert test which generates a report. The report details how accessible the website is and what you need to fix.
The information from this audit will be used to write and publish the accessibility statement.
The accessibility statement must explain:
- how accessible your service is
- what accessibility issues the service has
- if and how you’re planning to fix the issues
The accessibility statement must be accessible from every page of the service.
You should make a note to revisit and update the accessibility statement as and when is necessary.
Read how to write an accessibility statement on GitHub.
Once drafted, email a copy to the Defra accessibility team at accessibility@defra.gov.uk for their feedback.
You should check whether anyone needs to formally sign off the accessibility statement - for example, a policy colleague. You should discuss this with the wider delivery team.
If the statement says that the service is partially or not compliant then you should get sign-off from the senior responsible officer (SRO). You should advise them of the impact on disabled users and the risk of a legal challenge, as the service will not meet the legal standard for accessibility.
Read GDS guidance on how to make your website or app accessible and publish an accessibility statement.
Examples of accessibility statements
Cookies policy
The service must have a cookie policy for public beta.
Cookies are small data files that a website sends to a user’s device. They store information about how users browse a website or service.
A cookie policy tells users about the cookies we are setting on their device. A user must be able to accept or reject different types of non-essential cookies to manage their data.
Before you can write the cookies policy, you need to have your technical team install Google Analytics and agree performance metrics.
You should draft and agree the content of the policy with the service team following a self-assessment. Ask your delivery manager about this process.
The data protection team don't sign off cookie policies but they can provide basic guidance. Contact them early in the process if you need support.
Further guidance: