The ICO has published revised guidance on privacy notices to help organisations get ready for compliance under the GDPR.
What’s the development?
The ICO has published a revised Code of Practice on Privacy Notices, transparency and control (CoP) together with a checklist for privacy notices to help organisations to comply with the Data Protection Act and also the incoming requirements under the GDPR. The ICO recommends adopting a blended approach, using a number of different techniques in order to present information in the most fair and transparent way, taking into account the audience, the available methods of communication and the complexity of the data processing.
What does this mean for you?
The CoP is directed at organisations looking to create, enhance or evaluate their privacy notices. It provides guidance on the essential elements of a privacy notice and on how to present that information in the most effective and legally compliant way. Organisations should be reviewing their privacy notices in preparation for the GDPR, and this CoP will help them do that.
Privacy notices are an essential part of complying with the requirement to process personal data fairly and lawfully because they are needed for transparency. The CoP identifies the main elements of fairness as including:
- using information in a way people would reasonably expect;
- thinking about the impact of the processing and whether it would have unjustified adverse effects on individuals; and
- being transparent and ensuring people know how their information will be used, which includes providing or making available privacy notices.
The CoP reminds data controllers that they need to consider not only data collected directly from individuals, but also data that is observed by tracking people or devices, derived by combining other data sets, or inferred by using algorithms. Privacy Impact Assessments are a good way to work out how data is being collected and which approaches to informing individuals may be required or appropriate.
Control and genuine choice are central to fair and lawful processing and consent is often needed. Consent must be freely given, specific and fully informed as well as revocable. Even where consent is not relevant because there is another lawful justification for the processing, or where giving people control and choice over how data is processed is not appropriate (e.g. in an employer/employee situation), it is still important to be fair and transparent and privacy notices can help satisfy this requirement.
The CoP only applies to personal data, but it is also relevant where personal data is processed in order to anonymise it. It covers what to include in a privacy notice, how to map information flows, how to gain and record consent and how to deal with data sharing.
When relying on consent, information must be displayed clearly and prominently, individuals should be asked to positively opt in and the range of purposes for which information is used should be clearly set out. If information is being obtained for more than one purpose, individuals should be given an option to consent (or not) for each purpose. Unticked opt-in boxes are recommended, as are ‘just-in-time’ notices, particularly in relation to online products and services. Controllers also need to think about obtaining fresh consent if the privacy notice changes, and about how individuals can withdraw consent. Direct marketing consent needs to comply with PECR requirements and should be collected using an opt-in box that is not pre-ticked. Even where consent is not necessarily required, the ICO considers gaining consent to direct marketing to be “good practice and the most advisable approach”.
The CoP recommends actively providing privacy information (rather than merely making it available) in situations where an individual would not reasonably expect what will be done with their information. The need to actively provide information is strongest where:
- you are collecting sensitive information;
- the intended use of the information is likely to be unexpected or objectionable;
- providing personal information or failing to do so will have a significant effect on the individual; and/or
- the information will be shared with another organisation in ways the individual will not expect.
In these situations, the controller may need to contact the individual directly by letter or email, read out a script during a telephone call, provide interactive information in an online forum, or deliver text-based notifications.
The CoP gives special consideration to Big Data, recommending anonymisation where possible and the use of Privacy Impact Assessments. There is recognition that it is harder to predict how data will be used in a Big Data context but the CoP says individuals should be given some idea (without an exhaustive list of possible uses being provided unnecessarily). Controllers need to decide whether consent is required and purpose limitation must be respected.
Tips are given on how to write privacy notices. These centre mainly on using appropriate language and presentation. Pre-testing of the notices and regular reviews are recommended. Finally, the CoP includes a privacy notice checklist to help organisations review and update their privacy notices, and a list of requirements for privacy notices under the GDPR is provided.