Following a Consultation (see our February E-Bulletin) the Information Commissioner's Office (ICO) recently published a code of good practice in relation to privacy notices (Code). The aim is to help businesses understand how these notices help them comply with their obligations relating to the collection of personal information under the Data Protection Act 1998 (the DPA).

The new Code stresses that privacy notices should be (a) clear and understandable, and (b) ensure fairness of data processing. The concept of fairness is not defined in the DPA, which can make it difficult for organisations to ensure compliance. The new code explains that "fairness" has two elements in the context of privacy notices:

  1. ensuring people know how their personal data will be used; and
  2. respecting the reasonable expectations of the individual.

Whilst honesty and openness are stated to be important components of fair use of information, the Code stresses that they represent only one aspect of fairness. Businesses are also encouraged to step into the shoes of the data subject and consider whether he or she would be likely to object or complain to the proposed collection or use of personal information.

When to Actively Communicate a Privacy Notice

The Code goes on to explain when businesses should take active steps to provide a privacy notice to members of the public, i.e. by sending a letter or email or reading out a script, rather than simply by making the notice available for individuals to access, e.g. on a website. The test is essentially the reasonable expectations of the individual and there is no need for active communication of a privacy notice where the collection and use of information:

  1. is something that a reasonable person would anticipate and agree to; and
  2. is necessary to provide goods or services that the individual has requested; and
  3. will have no unforeseen consequences.

The example used is of a consumer buying a book online. There would be no need for the vendor to explicitly advise the consumer that his or her personal information would be used for processing the transaction, sending out the book and for the book seller's record keeping. The Code advises that whilst it would be good practice to have a privacy policy telling customers about this use of their personal information such use would be fair anyway as it is both required and expected.

However, the need to actively communicate a privacy policy will be necessary where:

  1. sensitive personal data is being collected; or
  2. the intended use of data is unexpected or objectionable (including unexpected sharing of the information with another organisation); or
  3. the provision, or withholding, of personal data will have a significant effect on the individual.

Drafting a Privacy Notice

When drafting appropriate privacy notices, the ICO encourages organisations to:

  1. refrain from offering misleading or counterintuitive choices, e.g. using opt ins and opt outs in a complex manner that confuses the individual;
  2. avoid giving data subjects the impression that they have a choice, when in fact they do not;
  3. use the same medium as used to collect the information to deliver the privacy notice; and
  4. use a "layered approach" where possible (i.e. to provide basic privacy information to all and make more detailed information available elsewhere for those who wish it).

Whilst the Code has no formal legal status, through its use of practical examples it should help organisations better understand how well drafted privacy notices will help them comply with their legal obligations under the DPA.

A copy of the code of practice can be accessed at the ICO's website.