“It is unfair and misleading to have a privacy notice that isn’t accurate or up to date. It is therefore good practice to keep your privacy notice under regular review.” – UK Information Commissioner’s Office Code Of Practice On Privacy Notices – June 2009
The Data Protection Act 1998, which implements the Data Protection Directive 95/46/EU, requires personal information to be processed fairly. To do this the individual whose personal information is to be processed must be provided with a minimum of three pieces of information: the identity of the organisation in control of the processing; the purpose or purposes for which the information will be processed; and any further information necessary, in the specific circumstances, to enable the processing in respect of the individual to be fair. This information is usually provided in a privacy notice.
Many businesses reacted to the Data Protection Act coming into force on 1 March 2000 by creating a privacy notice that covered their then business needs and addressed the legal obligations of the Act. Since then they may not have revised the notice or reviewed its use. Whilst it may be argued that a complex privacy notice incorporated into an organisation’s terms and conditions meets the obligations of the Data Protection Act, the ICO’s position is that if the privacy notice is not easily accessible, simple and understandable then it will not be effective. If a privacy notice is not effective an organisation relying on it is likely to be in breach of its obligations as a data controller under the Data Protection Act. This could lead to prosecution and a fine.
Research by the UK Information Commissioner’s Office (ICO) shows widespread consumer cynicism in relation to privacy notices. Consumers believe that privacy notices are drafted to confuse them and simply serve as licence for companies to sell individuals’ personal information. As a result, almost three quarters of the UK population admits to not reading or understanding privacy notices. The ICO seeks to address these issues by publishing a new Code of Practice on privacy notices, which aims to help organisations comply with their obligations under the Data Protection Act 1998, and to urge individuals to take the time to read and understand privacy notices in order to understand how their personal data will be used.
What is a Privacy Notice?
The primary purpose of a privacy notice is to inform individuals about the uses of their personal information in a clear and transparent manner. As a starting point organisations processing such information must consider the type of personal information that they are collecting and processing, the means of collection and the likely individuals from whom they will be collecting information.
Communicating Privacy Notices Effectively
To be effective a privacy notice should be drafted in plain English and avoid legalistic or technical language. The Code supports the use of large fonts, summary headings and concisely drafted paragraphs which do not cross-refer to each other. The notice should be written in a manner that is understandable to the target recipient i.e., special consideration should be given to simplicity where the notice is aimed at children or the use of local languages where the intended audience is predominately non-English speaking.
It is also important that the privacy notice is communicated effectively. Privacy notices can be communicated in a number of ways, including verbally, in writing, through signage (e.g. information posters in a public area), and electronically (text messages, emails and on websites). It is recommended that the medium through which personal information is collected is also used for communicating the privacy notice.
As many individuals are unlikely to read a detailed privacy notice the Code supports the use of a layered approach of communication. This approach consists of individuals being provided with a short privacy notice containing basic information, such as the identity of the organisation and the way in which the information is to be used, as well as including a link or reference to a more detailed notice that can be accessed if required. This approach is particularly suited to online situations but can also work offline.
Obligations to the Recipient
Where an organisation only processes personal information in an obvious manner there is no requirement to draw individual’s attention actively to the privacy notice. Where, however, an individual is unlikely to expect that their information is processed in a certain manner, or where the data is sensitive, then there is an active duty on the organisation to communicate details of the processing. This is especially true where organisations collect personal information expressly with the intention of selling it on to unspecified third parties, or where data from different sources is combined to create a detailed picture of an individual’s affairs. Where personal information is collected for one purpose and is subsequently used for a different purpose, consent from the individual should be sought. Usually, this will involve contacting the individual concerned.
Benefits for the Organisation
Privacy notices, if used correctly, can provide an evidential record of what individuals were originally told when they initially provided their personal information. This record could be useful for the company in a number of circumstances including a dispute regarding data processing or use, and for due diligence purposes in relation to a change of use of the data, the transfer of data or sale of the business assets.
Status of the Code
Whilst the Code is not legally binding, the Data Commissioner describes it as “guidance on good practice.” It is therefore clearly advisable to comply with its provisions.
Much has changed in the way personal information is processed in business over the last decade. There is now a clear regulatory focus on the importance of data protection compliance. The Criminal Justice and Immigration Act 2008 gives the ICO the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act and, from 1 October 2009, the annual notification fee for some data controllers will rise from £35.00 to £500.00. The increase in authority and revenue will enable the ICO to resource more fully its regulatory role. In light of this, and given the requirement for transparency in the new Code, it is time for organisations to review their privacy notices and their data handling regimes and to adopt the Code’s good practice.