UK ICO Issues New Guidance on Privacy Notices

Troutman Pepper Locke

The UK’s Information Commissioner’s Office (ICO), the independent authority responsible for the enforcement of the Data Protection Act 1998 (DPA), has issued a revised code of practice (the Code) on communicating privacy information to individuals – usually done in the form of a privacy notice.

The Code is aimed at all organizations that collect information about people, whether directly or indirectly, and covers activities such as collecting information about shoppers from their loyalty card transactions, recording and retaining the calls customers make to a call center, or asking people to fill in their names, addresses and health information on an electronic or paper form. It also applies in less obvious situations, such as when organizations inform individuals of events going on near them using that person’s location data on their smart phone. The Code does not apply to anonymized or statistical information. However, if an organization anonymizes information after it has collected it, the ICO recommends that it inform people that it does so. Any organization that collects information about people would therefore do well to consider the Code, including if it has website users in the UK (or, for that matter, the EU).

The publication of the Code comes in the wake of the ICO’s survey of data protection attitudes in the UK, which revealed that only one in four UK adults trust businesses with their personal information, and more than one in ten people have requested a copy of their data from organizations. 

Transparency and accessibility of information are key elements in both the DPA and the impending EU General Data Protection Regulation (GDPR), which comes into force across the EU on 25 May 2018. The Code provides guidance to help ensure organizations achieve these aims.

What do organizations need to know before making a privacy notice?
In order to decide what to include in a privacy notice, organizations need to map out how information (and, importantly, personal data) flows through their organization and how and where it processes data, recognizing that it may be doing several types of processing. For example, although personal data has traditionally been collected directly from individuals (e.g. when they fill in a form), organizations increasingly use data in more complex ways. These include: observed data, where users are tracked online or by smart devices; derived data, where data is combined from other data sets; or inferred data, created by using algorithms to analyze a variety of data such as social media and location data. Carrying out a privacy impact assessment (PIA) is a good way to approach these issues. The ICO has issued guidance on PIAs, which can be found here.

What should you include in your privacy notice?

The Code identifies that, as a minimum, privacy notices should tell people:

  • who the organization is;
  • what it is going to do with their personal data; and
  • who it will share it with.

Other information will depend on the type of processing an organization conducts, for example whether it simply collects the information it needs, or whether it creates derived or inferred data about people by profiling them. PIAs will help organizations answer these questions. The Code also contains a useful checklist for organizations to use when creating or reviewing their privacy notice. Organizations which already have privacy notices in place should test their fitness against the checklist, and keep their notices under regular review.

The Code recommends that organizations processing information for a range of purposes should:

  • explain the different ways it will use the information which is collected; and
  • provide a clear and simple way for individuals to indicate that they agree to different types of processing, so that people are not forced to accept several types of processing simply because the notice offers only a single option to agree or disagree with everything.

If required, organizations should consider how to gain and record consent. If an organization asks people to consent to receive direct marketing, then in addition to the DPA requirements, specific rules apply under the Privacy and Electronic Communications Regulations. 

If an organization shares personal data with other data controllers, and has the consent of the relevant individual to do so, it will still need to tell individuals what it is doing with their data in order for the processing to be fair (unless it is subject to an exemption). In some cases, several data controllers will be involved and each controller will have its own responsibility to provide privacy notices to the relevant individuals.

In some circumstances, the ICO suggests that organizations go beyond the basic requirements of the law, by telling people:

  • The consequences of not providing information;
  • The measures it is taking to ensure the security of personal information; and
  • What the organization will not do with their data.

For example, if an organization has no intention of sharing data with third parties for marketing purposes, it can state this explicitly in its privacy information. However, the organization must be absolutely certain before making this statement, and must amend it if the position changes.

A new “blended” approach
The ICO acknowledges that people are often unwilling to read lengthy privacy notices, and so recommends that organizations adopt a “blended approach” using a number of techniques to present privacy information to individuals. Suggestions from the ICO in this regard include:

  • Layered approach – the organization provides the key privacy information immediately, in the form of a short notice (akin to an executive summary), with a link directing users to a second notice which provides more detailed information. This is an effective way of presenting privacy information in an engaging manner.
  • “Just-in-time” notices – these appear on an individual’s screen at the point where they input personal data, providing a brief message explaining how the information they are about to provide will be used. The individual can either carry on providing the information, or click on the link to find out more.
  • “Privacy dashboards” – these allow individuals to manage their preferences and to prevent their data being shared where they have a choice. The dashboard acts as one place from which users can manage what is happening to their information. LinkedIn is an example of an organization which effectively operates a privacy dashboard for its users.

The Code also states that privacy notices must be clear and readable on portable devices (e.g. mobile phones and tablets), with the text appearing large enough so that people do not have to zoom in order to read the information. Responsive web design can assist organizations in doing this. 

The Code also recommends that any organization working with “big data” should consider whether it needs the data that identifies individuals, or whether it can work with anonymized data. 

Of course, previous guidance from the ICO with regard to using clear, accessible and readable language for all these notices remains, and privacy notices should be regularly reviewed in order to ensure that these remain accessible to those individuals who are likely to read them.

Status of the Code and ICO Enforcement
The basic legal requirement for organizations is to comply with the DPA itself; organizations are not legally obliged to comply with the Code. However, the ICO confirms that following the good practice recommendations in the Code will assist organizations in meeting the obligations of both the DPA and the GDPR. It is therefore advisable to comply with the Code, as the ICO can pursue enforcement action where an organization breaches the requirements of the DPA, and can impose a fine of up to £500,000. Under the GDPR, these penalties increase dramatically, with the highest level of fine being the greater of €20 million or 4% of global turnover.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Troutman Pepper Locke
