A new code of practice was launched by the Information Commissioner’s Office (ICO) on 7 October 2016 which sets out how organisations should use privacy notices to inform people about how they’re using their personal information.
This is the ICO’s first written guidance explaining how to comply with both the existing Data Protection Act 1998 (DPA) and the forthcoming EU General Data Protection Regulation (GDPR), effective in EU Member States from 25 May 2018.
Who does the code apply to?
The code of practice is aimed at all organisations that collect information about people, whether directly or indirectly. It applies to activities such as:
It also applies to situations where people are observed by smart devices or when information is inferred from online behaviour. Examples include using an individual’s location data on their smartphone to inform them of events going on nearby or analysing an individual’s activity on social media and then marketing related products and services to them.
Data protection principles
An organisation that collects and/or uses personal information must do so fairly and transparently. In order for the processing to be fair, the DPA states that the ‘data controller’ (the organisation in control of processing the data) must make certain information available to the ‘data subjects’ (the individuals to whom the data relates).
The term ‘privacy notice’ describes the privacy information made available to data subjects when a business has collected information about them. Clear privacy notices ensure that individuals know how information about them will be used, and that they understand the impact it will have on them.
A privacy notice should, as a minimum, tell a data subject:
These are the basics on which privacy notices should be built. The code of practice does stress that it may be necessary to go beyond these basics. An organisation should do so if there is a risk that not telling an individual something will make the processing of that information unfair. This might be the case if an individual is unlikely to know that an organisation intends to use their information for a particular purpose or where the personal data has been collected by observation or inference from an individual’s behaviour.
Communicating the privacy notice
Privacy notices can be provided orally, in writing (in printed media, printed adverts or forms), through signage, or electronically (in text messages, websites, emails or apps). The code recommends taking advantage of multiple platforms and states that organisations should not necessarily restrict privacy notices to a single document or page on a website.
A layered approach is suggested to provide the key privacy information immediately, with more detailed information available elsewhere for those that want it. The ICO also suggests using preference management tools which can be embedded within the privacy notice to allow individuals to manage their preferences and to prevent their data being shared where they have a choice.
The ICO’s guidance highlights that it is good practice to use the same medium that is used to collect personal information to deliver privacy notices. So, if the organisation collects information through an online form, it should provide a just-in-time notice as the individual fills out the form.
Control and choice
The code also includes information about obtaining consent. It notes that where consent from an individual is needed in order to process their information, the business is required to explain what it is asking a person to agree to and why. Where people do have a choice, they must be given a genuine opportunity to exercise it. This means that it must be freely given, specific and fully informed. Consent must also be revocable and businesses should have procedures in place to action and record this when it happens.
Status and enforcement
The basic legal requirement is to comply with the DPA itself. The ICO can take enforcement action if an organisation is in breach of the requirements of the DPA, including a failure to provide adequate fair processing information. This could include a civil monetary penalty of up to £500,000 or an enforcement notice ordering an organisation to improve its privacy notice or stop the processing if the notice is not improved.
The Information Commissioner cannot take action over a failure to adopt good practice or to act on the recommendations set out in a code of practice. However, when considering whether or not the DPA has been breached the ICO can have due regard to the advice provided in such a code.
Related items:
Data breach damages: how much?
Cyber data breach: record £400,000 fine
Time is of the essence: reporting data security breaches
