On 10 May, the UK's Data Protection Regulator, the Information Commissioner's Office (ICO), announced that it will be examining 250 companies' online privacy policies to determine if they comply with the Data Protection Act 1998 (DPA). The ICO says it is "looking closely to see how easy the policies are to read, and how clearly they explain how personal information is being handled." If yours is in the firing line, make sure it lives up to requirements!
The ICO's announcement is part of a global initiative (along with 19 other regulators) co-ordinated by the Global Privacy Enforcement Network to improve website privacy policies. Their collective efforts and results will be reported in the autumn. Any organisations whose policies miss the mark or need remedial action will be named and shamed (and there is always the possibility that the ICO could use enforcement powers too).
There has also been an explosion in the use of smartphone apps that access and use a wide range of personal data as well as next generation advertising online that analyses personal data and offers personalised pricing. So, it's not surprising that the ICO is now turning its attention to privacy policies.
What will the ICO be looking for?
The ICO is concerned that privacy notices are being used to protect organisations from liability, rather than to inform individuals about the processing of their personal data.
In the 10 May announcement, the ICO states it will be "looking closely to see how easy the policies are to read, and how clearly they explain how personal information is being handled".
It is essential that privacy policies are sufficiently detailed, clear, transparent and written in easily understood language.
The DPA requires privacy policies to:
- Identify the data controller and any third party representatives (such as service providers) who may be given access to personal data
- Explain to individuals what their personal data will be used for
- Give any further information which is necessary, having regard to the specific circumstances in which the personal data will be processed to make sure that processing is 'fair'
In practice, that 'further information' usually includes information about:
- Transfers of personal data to countries outside of the European Economic Area (this information will become mandatory when the draft Regulations become law)
- Who individuals can contact (and how) with privacy concerns or queries, to update their personal data or to exercise other data subject rights (such as making a data subject access request)
Remember: It may be necessary to get consent if sensitive personal information will be processed and the processing cannot be justified under any of the other special conditions set out in the DPA. Sufficient explanation must be given to ensure that consent is explicit, specific and informed.
Top ten practical tips for drafting privacy policies
- Think about presentation and structure. Would a layered approach be more appropriate, delivering key information succinctly with links to more detail for those who want to read it?
- Tailor privacy policies to fit the format in which they will be viewed e.g. delivery on a smartphone or mobile device will be very different from a paper based policy.
- Use language suitable for the audience. For example, is it aimed at children who may need simpler language and more explanation?
- Check if you need to deal with any cookies used on your website. In May 2011 the Privacy and Electronic Communications (EC Directive) Regulations 2003 changed the law regarding consent requirements for placing cookies and the information that needs to be provided. You can read more about it in our earlier alert.
- Avoid confusing 'opt-in' and 'opt-out' wording (it is less confusing to stick with one or the other).
- Avoid pre-ticking consent boxes (this is unlikely to be considered real consent).
- Check that your privacy policies and your data protection notification with the ICO (if you are required to have one) are consistent.
- Ensure direct marketing consents and requirements are regularly reviewed and legally compliant.
- Review your policy regularly to check it remains legally compliant and reflects the uses to which personal data is put.
Can I future-proof my policy for when the draft Regulations are in force?
The detailed content of privacy policies may change if the proposed draft Data Protection Regulations become law and privacy policies will almost certainly become more important rather than less. So, now is a good time to take a look at yours to check it complies with current requirements and also to consider changes that you may need to make in the future, or whether you want to make those changes now, in preparation. It is likely that the Regulations will come into force in early 2016, although it may be sooner.
The draft Regulations will mean that (in addition to current requirements) privacy policies will need to:
- Identify the actual 'legitimate business interests' that you want to rely on (currently you do not have to set these out).
- State the specific period for which personal data will be retained. This is likely to be complex as data controllers will need to identify statutory requirements as well as publicising how long they deem retention to be necessary for the purposes for which they are processing personal data.
- Identify the source from which personal data originates (where that is not the data subject). This could reveal additional checks that a data controller does such as fraud checks, identity checks, references etc.
- Provide contact details of your data protection officer (appointing a data protection officer is one of the new provisions of the draft Regulations).
- Provide contact details for data protection regulators in the event that data subjects have complaints.
- State whether requested information is mandatory or voluntary and the consequences of not providing information.
- Give details of any transfers of personal data outside of the European Economic Area.
Currently privacy notices commonly flag that a £10 charge may be made for complying with data subject access request. When the draft Regulations become law, charging for compliance with data subject access requests will no longer be permitted and doing so will be a breach of the Regulations.
The European Commission may lay down standard form policies, although this has been criticised in the consultation stages of the Regulation as being unworkable and too prescriptive.