On 7 October 2016, the ICO launched a new Code of Practice on "Privacy Notices, Transparency and Control" (the "Code"). It came with a warning that organisations need to do more to ensure that privacy notices are appropriate in light of technological advances. Jo Pedder, ICO Head of Policy Delivery, said:
"Transparency is crucial to trust in big data, Internet of Things and development of the digital economy. Organisations need to do more to explain to consumers what they're doing with their information and why. It's important to remember that reputation can easily be lost when people discover you haven’t been completely honest about how you are using their information".
The Code provides practical advice on how to solve the familiar conundrum of ensuring that data subjects are provided with all information required whilst still keeping notices accessible and easily understandable. This centres around the use of:
- A layered approach to provide data subjects with key information immediately with links to further, more detailed information;
- Just in time notices to provide focussed information just before personal data is collected; and
- Icons and symbols which indicate the use of personal data for a particular processing purpose.
Specific guidance is given in relation to displaying privacy notices on mobile devices and small screens. Data controllers should ensure that privacy notices are just as clear as they would be on a larger computer screen, without requiring users to zoom in. The ICO specifically recommends the use of layered privacy notices as the best method of communicating privacy notices effectively in a small space.
Of particular relevance to the insurance industry is the guidance on privacy notice requirements in the context of big data projects. The Code recognises that "it may be more difficult to foresee at the outset how you will use the data. Nevertheless, you still need to give people a general indication of what you are doing with their data and add detail to the privacy notice as you go along, if necessary". Privacy teams should maintain close relationships with their data scientists to ensure that they have access to details of the uses of big data throughout the lifecycle of any project.
Although the Code has been promoted as addressing the requirements under the DPA and the GDPR, the section on privacy notices under the GDPR only occupies 3 pages out of 35 (and 2 of the 3 pages are merely a reproduction of the checklist that was published in the ICO's Overview of the GDPR). We had hoped for more from the ICO than the seemingly vague assurances that compliance with the Code will leave data controllers "well placed to comply with the GDPR" and that "following the advice…about planning privacy notices and mapping information flows will give you much of the detail you need". The Code leaves the possibility of further guidance open. Unfortunately, the Code doesn’t provide the assurances that many data controllers will have been waiting for. However, as we move ever closer to 25 May 2018, organisations should not delay reviews of privacy notices much longer.
Organisations will undoubtedly be looking to update their privacy notices to ensure that they are GDPR compliant. Such updates should be made with the contents of the Code in mind.
The Code of Practice can be found here.
The ICO's blog launching the Code of Practice can be found here.
The ICO's Overview of the GDPR can be found here.