The ICO has published a new code of practice on communicating privacy information to individuals (the “Code”) following a consultation earlier this year. The Code aims to help businesses comply not only with the requirements of the Data Protection Act 1998 (“DPA”), but also the General Data Protection Regulation (“GDPR”) which will apply in the EU from 25 May 2018. You may be aware that under the GDPR more detailed and specific information will be required in privacy notices.
Techniques for communicating privacy notices
The Code highlights that many individuals do not wish to read lengthy and legally worded privacy notices. It suggests flexible and user-friendly methods to communicate privacy notices and information to digital users (with a link to some good and bad examples), which include:
- Interesting and engaging videos or audio messages
- Embedding information in online forms
- Limiting links to other web pages
- Keeping notices clear and to the point without any legal jargon
- “Just-in-time” notifications
- Icons and symbols with hover function
- An interactive privacy dashboard
As well as the specific methods above, the Code advocates flexibility and multiple layering of methods, seeking to promote more interactive and accessible ways for digital users to understand privacy notices and enhance engagement in the monitoring of their data.
The Code also addresses issues around obtaining consent – particularly where processing information for a range of purposes – and recommends using varying techniques with a focus on digital communication.
When a privacy notice must be given
The Code confirms that the requirement to provide privacy information applies whether the personal data were obtained directly from the individuals or from other sources. For example, privacy notices will also be relevant in circumstances where personal data have not consciously been provided by individuals, such as where:
- They are tracked online or by smart devices
- Information is derived about individuals from combining data sets
- Information is inferred by using algorithms to analyse a variety of data, such as social media, location data and records of purchases in order to profile people, for example in terms of their credit risk, state of health or suitability for a job
In practice, it may be challenging to provide privacy information in such situations and data controllers may need to consider the right approach as part of their overall privacy impact assessment.
The Code notes that the GDPR rules on privacy notices are more detailed and specific than the DPA and place an emphasis on making privacy notices understandable and accessible. For example, the GDPR requires data controllers to confirm how long they plan to store personal data or the criteria used to determine that period (this will no longer just be good practice).
It would be advisable for data controllers to use the time before the GDPR implementation date to review and, where necessary, update their privacy notices so that they can comply. For more information on the GDPR, please see our briefing note.
If you would like to discuss any of the above, please do not hesitate to get in touch with your usual Stevens & Bolton contact or email Beverley Flynn, Head of Data Protection: firstname.lastname@example.org.