The Information Commissioner’s Office (“ICO”) has issued a code of practice on privacy notices containing valuable guidance on how to comply with the fair processing requirements of the Data Protection Act 1998 (“DPA”) when collecting personal data. The code has been issued following an ICO survey, highlighting that only one in four adults trust organisations with their personal data.
Where does the code come from?
The DPA gives the ICO the power to issue codes of practice containing good practice guidance on DPA compliance. The latest code is one of several produced by the ICO on areas as diverse as employment practices, privacy impact assessments, CCTV and data sharing.
The focus of the code is drafting and communicating clear privacy notices, ensuring that individuals are informed as to how their personal data will be used by organisations.
While the code does not have the force of law in the same way as the DPA, in deciding whether an organisation has complied with the DPA, the ICO can look to the code. Non-compliance with the code’s guidance could amount to a DPA breach, resulting in enforcement action being taken against an organisation. This includes a monetary penalty of up to £500,000 or the ICO issuing an enforcement notice requiring an organisation to improve its data protection practices. Enforcement action is publicised, often leading to more damage from a reputational perspective than a monetary penalty.
What does the DPA say?
One of the most fundamental requirements of the DPA is that personal data must be processed fairly. That is, organisations must be fair and transparent about how they use personal data.
While the DPA does not specify how this information is to be provided, standard practice has been to include it within privacy notices incorporated within offline paper-based forms, websites, mobile apps and wearable devices.
What recommendations does the ICO make?
The ICO recommends that organisations issue privacy notices at the first point of data collection, in written, electronic or oral formats, and states that they must do so when: collecting sensitive personal data relating to, for example, health, ethnic origin and race; individuals would not reasonably expect their personal data to be used for a particular purpose or shared with specific third parties; or providing or not providing the personal data would have a significant impact on individuals. The language used must be clear and not overly complex or legalistic, and organisations should consider preparing multiple versions of privacy notices for different audiences, for example, business users, private individuals, vulnerable groups (including children) and individuals whose first language is not English.
The ICO recommends that organisations review their privacy notices to verify compliance with the DPA by considering: