The Information Commissioner’s Office (“ICO”) has issued a code of practice on privacy notices containing valuable guidance on how to comply with the fair processing requirements of the Data Protection Act 1998 (“DPA”) when collecting personal data. The code follows an ICO survey which highlighted that only one in four adults trust organisations with their personal data.
Where does the code come from?
The DPA gives the ICO the power to issue codes of practice containing good practice guidance on DPA compliance. The latest code is one of several produced by the ICO on areas as diverse as employment practices, privacy impact assessments, CCTV and data sharing.
The focus of the code is drafting and communicating clear privacy notices, ensuring that individuals are informed as to how their personal data will be used by organisations.
While the code does not have the force of law in the way the DPA does, the ICO can have regard to the code when deciding whether an organisation has complied with the DPA. Non-compliance with the code’s guidance could therefore amount to a DPA breach, resulting in enforcement action being taken against an organisation. This includes a monetary penalty of up to £500,000 or the ICO issuing an enforcement notice requiring an organisation to improve its data protection practices. Enforcement action is publicised, often causing more damage to an organisation’s reputation than the monetary penalty itself.
What does the DPA say?
One of the most fundamental requirements of the DPA is that personal data must be processed fairly. That is, organisations must be fair and transparent about how they use personal data.
While the DPA does not specify how this information is to be provided, standard practice has been to include it within privacy notices incorporated within offline paper-based forms, websites, mobile apps and wearable devices.
What recommendations does the ICO make?
The ICO recommends that organisations issue privacy notices at the first point of data collection, in written, electronic or oral formats, and states that they must do so when: collecting sensitive personal data relating to, for example, health, ethnic origin and race; individuals would not reasonably expect their personal data to be used for a particular purpose or shared with specific third parties; or providing or not providing the personal data would have a significant impact on individuals. The language used must be clear and not overly complex or legalistic, and organisations should consider preparing multiple versions of privacy notices for different audiences, for example, business users, private individuals, vulnerable groups (including children) and individuals whose first language is not English.
The ICO recommends that organisations review their privacy notices to verify compliance with the DPA by considering:
what personal data they collect and how;
whether they need all of it or, conversely, if they have enough for their purposes;
what they do with personal data and if this is communicated clearly to individuals; and
giving individuals a clear and simple means and enough information to be able to exercise choice in relation to the use of their personal data (where possible).
While this covers the DPA basics, the ICO further recommends that organisations include information on what steps they take to ensure data security, how individuals can exercise their rights of access, the consequences of not providing personal data and what organisations will not do with personal data.
The situation is more complex in relation to “Internet of Things” (IoT) devices, such as wearable technology, where privacy notices can be difficult to display due to screen size limitations or the nature of the technology. In such cases, the ICO suggests using clear and obvious icons and symbols to highlight the points at which personal data is collected.
Similarly, on portable devices, such as mobile phones and tablets, the ICO states that privacy notices must be as clear and as readable as they would be on a computer screen, and the text must fit on the screen without the user needing to zoom in. The privacy notice could also be provided on a layered basis and / or via audio and video.
What should we do now?
Your organisation should take the following steps as soon as possible:
Map data flows within your organisation to see what personal data is collected, what it is used for and whether more is being collected than is necessary.
Review existing privacy notices, if any, and determine whether they are still fit for purpose. If not, revise them in line with the code’s recommendations.
Review consent statements to assess if they are displayed clearly and prominently, consist of a positive opt-in and give individuals enough information to exercise a fully informed choice on each proposed data use – according to the ICO, this may require a separate unticked box for each use.
In the online / mobile app context, consider providing individuals with an online “privacy dashboard”, which gives them access to “at a glance” information on how their personal data is used by your organisation and allows them to exercise choice freely and on a fully informed basis.
Undertake user testing on a draft privacy notice by selecting a sample of customers, seeking their views on how easy it is to understand and asking them to identify errors. Some market research may also be necessary at the preparation stage to gauge which style and format of privacy notice users in your organisation’s sector find most acceptable and prefer.
After the privacy notice has been rolled out, continue to review it in line with your organisation’s requirements and user feedback, and whenever your organisation introduces a new process or technology (both hardware and software), to ensure that the privacy notice remains accurate and up to date.
It goes without saying that good privacy makes good business sense and increases trust between an organisation and the individuals with whom it engages. Giving individuals an element of choice as to how their personal data is used increases the likelihood of an organisation obtaining more high-quality personal data from them, which can then be used for a broader range of purposes than if no choice had been offered at all.
Complying with the code also goes some way towards future-proofing privacy notices, given that the EU General Data Protection Regulation comes into force in May 2018. Amongst other things, the Regulation requires privacy notices to be clear and comprehensible and to provide:
the organisation’s contact details;
the legal basis for its use of personal data;
who the personal data will be disclosed to;
how long the personal data will be kept;
details of individuals’ rights, including the right to complain to the ICO;
particulars of transfers of personal data to countries outside the EU, including the level of data protection offered by those countries;
whether it is mandatory for individuals to provide personal data and the consequences of not doing so; and
the logic involved in, and the consequences of, decisions made by automated means.
The warning from the ICO in the code is clear: organisations must take action now to review their current privacy notices in line with the code. Failure to do so not only risks breach of the DPA and possible ICO enforcement action, but it also risks loss of business and reputation in the face of an informed public that is more alive than ever before to its privacy rights.