Privacy notices, transparency and control - the ICO’s new code of practice

The Information Commissioner’s Office (ICO) has published a code of practice on communicating privacy information to individuals, entitled “Privacy notices, transparency and control”, which offers guidance to all institutions processing personal data. The guidance is timely, since institutions should already be preparing for the more rigorous regime contained in the EU General Data Protection Regulation (GDPR), which will apply from 25 May 2018.

Institutions are required to collect personal information fairly and transparently. Processing data fairly requires institutions to consider individuals’ reasonable expectations about the uses of their personal data and the potential impact that processing can have on them. Individuals should therefore be informed about how their data will be used, what information is being collected and how it is collected. This applies even where data is not collected directly from individuals but is observed (e.g. by tracking data subjects’ online activity), or is derived or inferred from other data. Privacy notices provide this information and so fulfil the requirement of fairness.

A privacy notice should not be restricted to a single document or page on a website, and privacy information should not be tucked away in long privacy policies, which often discourage users from reading them. It is good practice to combine a number of techniques for providing information, in order to ensure that people know, and have realistic expectations of, how their information will be used.

Organisations should keep in mind that under the GDPR the information given must be concise, transparent, intelligible, written in clear and plain language, and easily accessible.

The guidance also seeks to help organisations give individuals control and choice over their personal information by, for example, integrating preference management tools. Giving individuals a real choice helps demonstrate that they have freely given specific and informed consent, where there is no other ground justifying the use of their data (an example of such a ground would be where using their data is necessary in order to perform a contract). Therefore, whenever it is possible to allow individuals to decide whether or not to allow data processing, they should be given that opportunity to choose, and this entails allowing them to withdraw their consent later on. If, on the other hand, a choice is not possible, such as where individuals wish to benefit from a particular service which requires certain personal information, they should equally be informed of this.

The guidelines provided by the ICO are summarised below:

  • A privacy notice should start with information about the data controller, how the information collected will be used and who it will be shared with.
  • An institution should map out its processes in order to identify the personal data which it needs, gathers and uses, and the different ways in which that data can be processed.
  • When consent is required for data processing, it is important that it is recorded. Consent should be obtained by means of opt-in boxes rather than default (pre-ticked) selections. Institutions must also think about how they can obtain consent for changes to their privacy notices and how to enable individuals to revoke their consent.
  • Opt-in boxes need to be accompanied by relevant information, as otherwise the consent obtained cannot be considered informed and is therefore not valid. For online use, just-in-time notices can be more effective, as they provide the information at the point where it is relevant.
  • Special consideration is required when data is being shared with others. Such sharing needs to be properly communicated to data subjects, and each data controller will have its own obligation to provide a privacy notice.
  • It may be appropriate in some cases to go beyond what is required by law, by explaining matters such as the links between different data, the purposes for which different data is collected and the consequences of not providing certain information.
  • It is good practice to use preference management tools which give data subjects the ability to alter their detailed preferences, including revoking consent, with ease. Such tools give individuals a wider choice and can also facilitate the work of the institution. They can provide a good medium for communicating information about changes to the privacy policy and, if well designed, they can reduce the number of subject access requests.
  • Information should be given using the same medium which is used for collecting the relevant data. When collecting information using an online form, the use of just-in-time notices constitutes good practice.
  • Where limited space is available, a layered approach, in which the important information is provided immediately together with links to more detailed information provided elsewhere, can be useful. Particular attention should be given to providing, or at least linking to, the full information where users of a website bypass parts of the site by reaching pages directly through a search function.
  • Icons and symbols which indicate to data subjects that a particular type of processing is happening can also be useful, especially where limited space is available. These need to be well designed so that they sufficiently indicate what kind of processing is taking place.
  • Privacy notices need to be adapted to the device on which they are conveyed. Responsive web design is useful in this regard, as are a layered approach and just-in-time notices. Short video clips can also be effective in conveying key information.
  • Institutions need to put themselves in the shoes of data subjects and consider their level of knowledge and their expectations. Institutions need to actively convey information in certain situations, such as where individuals cannot reasonably be expected to be aware of how the information will be used.
  • The fact that privacy notices are often not read means that institutions need to make more effort to convey the information effectively. This includes using language which is neither technical nor legalistic and which can be understood by everyone. Particular care needs to be taken when dealing with vulnerable individuals and when information is collected from persons whose first language is not English.
  • Before issuing a privacy notice, institutions should consider asking for feedback from potential customers. After it is rolled out, institutions should keep the privacy notice updated and accurate. Complaints from individuals concerning how their data is used, or concerning the privacy notice itself, also need to be addressed and taken into account.

Institutions should consider the combined effect of this guidance and the wider GDPR together with their obligations regarding marketing under the Telephone Preference Service and the Mail Preference Service. Charities also need to consider their obligations in relation to the forthcoming Fundraising Preference Service, which we discuss in the September 2016 edition of our Higher Education Bulletin.

Despite the impending Brexit, it is safe to expect that the UK will either retain the same data protection regime or will at least adopt regulation which is equally rigorous, which benefits all private citizens, especially in today’s social and technological context. Companies and organisations with an international dimension will, if they intend to continue dealing with EU citizens, still be required to comply with the GDPR. Those who fail to comply could face fines of up to 4% of worldwide annual turnover or EUR 20 million, whichever is the higher. In any case, following good practice in the field of data protection is advisable even in the absence of legal requirements, as it helps an organisation gain the trust and confidence of customers or citizens who, although seemingly more willing to share personal data, still show significant concern about how information about them is handled and used.

The full text of the code of practice, including the recommendations, is available from the ICO. The code includes a useful privacy notice checklist, as well as examples of good and bad practice and a short summary of the GDPR requirements regarding privacy notices.

Lauro Fava
T: 0121 631 5245
