UK data protection regulator publishes a new code for businesses on privacy notices
New ICO code of practice provides guidance on fairness, transparency, choice and control.
On 7 October 2016, the Information Commissioner’s Office (ICO), the UK data protection regulator, published its latest code, “Privacy notices, transparency and control” (the Code). The Code aims to give organisations which handle Personal Data some certainty as to how they are expected to comply with their obligations under the first principle of the Data Protection Act: to process Personal Data fairly and lawfully.
In anticipation of the European General Data Protection Regulation (GDPR) coming into effect in May 2018 (see our previous articles on GDPR here), the ICO has issued the new Code to provide guidance as to how privacy notices should look and feel under the GDPR and in an increasingly digital world.
The Code’s practical guidance highlights the importance of collecting and processing Personal Data fairly and transparently whilst giving individuals choice and control over how their data is processed. Replacing the previous code, published in 2010, this latest version focuses on providing organisations clarity as to how privacy notices should be effectively communicated to end users, particularly in a digital context where data is collected on a wide range of devices.
Less obvious data collection
The Code draws attention to the need for privacy notices to be communicated to individuals, even when data collection may be “less obvious”. Examples given of “less obvious” data collection include collecting location information through a smart phone and analysing an individual’s online behaviour. Organisations collecting Personal Data through a “less obvious” channel should assess whether the type of processing is likely to be within the reasonable expectations of the individual. If there is doubt as to what might fall within an individual’s reasonable expectations, the ICO recommends that organisations carry out privacy impact assessments and, where necessary, conduct market research in order to understand the impact of data processing on individuals and what their expectations are likely to be.
Whilst the ICO confirms the current position, that giving an individual notice of data processing will not necessarily constitute obtaining their consent, it also acknowledges that the more control an individual is given over how their data is processed, the more an organisation can rely on the consent given being deemed informed. This may incentivise organisations which rely on consent to introduce ways of giving individuals control over how their data is processed.
Giving individuals control and choice
The Code gives various examples of how organisations can give individuals more control over how their data is processed including:
- Privacy dashboards: a menu of choices which individuals can opt in and out of.
- Revocable consent: an individual must always have the option to revoke his consent.
- Collaborative privacy notices: data controllers sharing data can produce one privacy notice that encompasses all the data processing that takes place after collection.
Communicating privacy notices
The recommended ways in which a privacy notice can be communicated remain the same with oral, written, signage (e.g. posters) or electronic messaging all being acceptable. The ICO confirms that it is good practice to use the same medium used to collect the data to deliver the privacy notice and suggests that a blended approach of a variety of methods may be most effective.
Helpfully, the ICO gives specific and practical advice on how to communicate privacy notices in the most transparent and fair way, particularly in a digital context, including:
- Layered privacy notices: providing key information in an initial short notice together with a link or drop-down to the full text.
- Just in time notices: a brief notice that pops up when inputting data into a specific field.
- Video: a short and succinct video communicating how the Personal Data is processed.
- Small screens: ensuring text is readable without zooming in.
- Icons and symbols: used as part of a layered approach to indicate the type of processing occurring.
- Different privacy notices for different categories of processing: providing separate notices for each category of customer; for example, a local authority may have one policy for handling the Personal Data of individuals accessing leisure facilities and another for its tax collection activities.
The ICO, through the Code, is sending clear guidance that generic and inaccessible privacy notices are noncompliant with data protection laws in the UK. With the imminent arrival of the GDPR and the increased penalties that come with it, organisations should prioritise getting their privacy notices into shape now. Especially given the outward facing nature of the notices and the ease with which an individual, or indeed an enforcement agency, can access the notices, it is crucial that organisations avoid the potential reputational and financial consequences of noncompliance.
The updated guidance in the Code presents a need for organisations to revisit their existing privacy notices and ensure that they are complying with their obligation to process Personal Data fairly and transparently. In particular, where an organisation’s activities are “less obvious” or complex, the organisation should consider conducting an internal audit to explore the extent of its processing activities and, where necessary, conduct specific privacy impact assessments to understand the impact upon the individual.
Read the code of practice here.
This blog post was written by Amelia Day, Trainee Solicitor at White & Black.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.