The Information Commissioner’s Office (“ICO”) released a revised code of practice (the “Code”) following a consultation on communicating privacy information to individuals. The purpose of the Code is to ensure transparency and accessibility to information regarding how organisations will use personal data, a key principle in both the Data Protection Act 1998 (“DPA”) and the impending General Data Protection Regulation (“GDPR”). The ICO advocates the use of privacy notices to achieve this aim and has provided important guidance on how to ensure that privacy notices are clear and fit for the modern age.
Purpose of a Privacy Notice
The purpose of a privacy notice is to provide straightforward, concise, intelligible and free information to individuals (or data subjects) on how their personal data is to be used. This goes towards demonstrating compliance with the principles of fairness and transparency in data processing. The privacy notice should provide data subjects with all the prescribed privacy information when organisations collect information about them, and be served in an appropriate format and at the right time.
Transparency in an organisation’s data processing activities can help build trust and confidence with consumers; it is intended that the ICO guidance will provide some of the tools required to improve relationships between organisations and individuals from a data protection perspective.
Consumers are often reluctant to read privacy notices. It is therefore important to create a layout and include content that is more likely to be engaged with by individuals. The ICO has provided a useful checklist to assist organisations in formulating content. In addition to providing simple and digestible information, the privacy notice should be consistent, open and honest about how personal data will be used and comply with the rules and norms of the relevant sector.
Organisations should consider drafting separate privacy notices for different categories of customers. Tailoring is particularly important when communicating with more vulnerable groups, such as children, the elderly and non-native English speakers, who will need to receive information that is pitched at their level of understanding, in order to ensure that they are treated fairly with respect to their personal data.
The Code recommends that the privacy notice include, as a starting point:
the intended use of the information; and
who the data will be shared with.
The Code also suggests informing data subjects of:
consequences of not providing information;
measures to ensure security of information; and
actions that will not be taken with the data.
The introduction of the GDPR on 25 May 2018 will increase the amount of information required to be provided to data subjects. The GDPR will come into effect in the UK prior to Brexit, so there is no avoiding compliance on this basis.
The Code also gives guidance on how privacy notices should be displayed on portable devices. They must be as clear and readable on mobile phones and tablets as they would be on a computer screen, without the need to zoom in order to read the information.
The Code is a good practice document published by the Information Commissioner under her powers set out in section 51 of the DPA, but is not legally binding. However, compliance with the Code and other relevant ICO guidance ensures that organisations are well-placed to comply with the DPA (and, once effective, the GDPR).
The Information Commissioner cannot enforce the Code or take action for lack of compliance. However, the ICO can pursue enforcement actions where an organisation breaches the requirements of the DPA. These actions can include a fine of up to £500,000 or an enforcement notice ordering an organisation to improve its privacy notice or stop processing data if action is not taken.
Under the GDPR, fines are set to increase exponentially, with infringement of the basic principles for processing, including conditions for consent, and the transparency provisions exposing non-compliant organisations to the highest level of fines: the greater of €20,000,000 or 4% of global turnover.
Sector specific Privacy Notices?
Given the extensive practical and commercial differences across sectors, it is likely that privacy notices tailored to a sector and addressing their potential audience will be viewed more favourably by the ICO. More sophisticated clients or customers may have a broader idea of the data protection and privacy framework than ordinary consumers, meaning that the form and content of privacy notices may need to be adapted in order to successfully observe the aims of the Code.
Likewise, if data processing is more complex, the notice requires more detailed information to be provided in order for consumers to be properly informed, whilst at the same time being sufficiently clear and not baffling consumers with overly technical or legalistic language. This is often easier said than done.
What should organisations do?
It is no longer considered acceptable to publish a privacy notice at the bottom of a website and pay it no further attention. The ICO recommends consistently evaluating and updating the privacy notice to reflect any changes or developments.
The ICO’s checklist is a useful resource which sets out the content, format and delivery guidelines for privacy notices. Organisations can use this information to carry out a “fitness test” of how their current privacy notices measure up against the updated best practice recommendations.
It is notable that the explicit emphasis on adapting privacy notices for children goes beyond what is currently required by the DPA. Organisations should use the guidance in the Code to update, create or modify their privacy notices, and (where appropriate) carry out user testing and collate feedback before any official roll-out. This will help to ensure organisations are ready to hit the ground running when the stricter transparency requirements under the GDPR come into effect.
Novel ways of presenting the information to make it more appealing to audiences is likely to increase readership and, consequently, transparency. By making a point of highlighting a privacy notice, rather than including it as an addendum to a website, consumers are likely to feel better informed and more in control of how their information is used.
At a time when misuse and leaks of personal data have received negative press coverage, this is an important step to building trust between consumers and organisations through improving understanding of how personal data is used, and reassuring individual that their privacy rights matter.