For the frustrated website user who has to trawl through a seeming acre of small print to complete a trivial transaction, the Information Commissioner's Office (ICO) consultation to tackle the perceived problem of privacy policies that are not sufficiently clear or user-friendly may come as a welcome move.
(NB: The ICO has published a draft Code of Practice, which is open to consultation until 3 April 2009 and, together with the response form, can be accessed from the following ICO link: http://www.ico.gov.uk/Home/about_us/consultations/our_consultations.aspx)
Privacy notices or statements are largely used by data controller organisations or businesses gathering personal data to achieve compliance with the 'fair and lawful processing' First Principle of the Data Protection Act 1998 (DPA).
In particular, the obligation to obtain personal data 'fairly' means providing certain 'specified information' to individuals, usually at the point they submit their details. This should include: (a) the identity of the data controller; (b) their nominated representative (if any); (c) what the controller intends to use the personal data for; and (d) any further information to an individual that is "necessary" having "regard to the circumstances" to make the data processing "fair". The DPA does not actually specify what to include within this last category, but information about data transfers to third parties or data being sent outside Europe is likely to be relevant. (If cookie files are being sent to a user's computer, the user needs to be provided with certain information about this under e-Privacy regulations.)
The issue is that organisations and their legal advisers, of course, often choose to load up privacy notices with other information of less immediate relevance to a data subject's decision to submit their personal details. This may include long-winded legal disclaimers and detailed limitation of liability clauses. The ICO is concerned that the fairness requirement is often being missed and that many privacy notices are now almost entirely geared towards protecting the data controller from liability.
While the Code does not perhaps say anything particularly new to those familiar with DPA rules, it does remind data controllers of what a privacy notice should contain to ensure it achieves its legal objective. The emphasis is on being (a) clear and informative - avoiding excessive and unnecessary use of legal jargon - and (b) fair - although 'fairness' is not defined in the DPA, what is clear is that misleading a data subject is not fair. Generally this means the controller being clear about what they want to do with personal data and indicating any likely future uses that will be made of it.
The type of privacy notice required depends on the type of information being collected and how it will be collected. The Code makes the distinction between telling people how information will be used, and actually getting consent to such use. Where the use of the information will be "unexpected, objectionable or controversial" or if sensitive information (e.g. health data) is being collected, positive user agreement such as clicking on an "I Accept" button will normally be required.
Conversely, where the information is being collected for an obvious use that a reasonable person would be likely to anticipate and would consent to if asked, there is no need to actively communicate this in a privacy notice. The Code gives the example that a person buying a book from an on-line retailer would not need to be told that his personal details would be used for the dispatch of the goods and the retailer's own transactional records.
The Code is a statement of good practice, so (once finalised) the ICO cannot directly initiate action for non-compliance. However, if an individual complaint were made against an organisation, the ICO could have regard to the Code when determining whether a breach of the DPA had taken place.