Information Commissioner's Office
Revised code looks at privacy notices
Following Data Protection Day last Thursday, it seems like the perfect opportunity to announce the publication of the ICO’s revised Privacy notices code of practice for consultation.
The consultation will be running from today for 8 weeks and the ICO are very keen to get your feedback.
This code of practice has not been revised for several years and as we all know, this is a long time in the digital world. The way personal data is used rapidly changes and the ICO has undertaken this review with that in mind.
Ensuring that individuals have a clear understanding of what is done with their personal data is a fundamental point of the Data Protection Act (DPA). This code of practice has been written to show organisations how they can achieve this in a clear and engaging way.
The revision of this code of practice still has at its core what data controllers need to do to provide privacy information and what is good practice. However, there is also a further focus on producing privacy notices that individuals are more able to engage with.
So often privacy notices are too long, overly legalistic, uninformative and unhelpful. These are the notices individuals choose to ignore, and therefore they miss out on important information.
Individuals see a lengthy privacy notice and are instantly put off. That is why the ICO is recommending a more blended approach. We think that using a variety of techniques to provide privacy information is a more effective way of engaging individuals. For example, a just-in-time message that appears to tell you why your email address is needed when you are filling out an online form will be more effective than having to click onto a separate privacy notice or search for this information. Or perhaps providing a short video that explains what an organisation does with individuals’ personal data will reach a wider audience. These are just some of the recommendations we think will help to improve the effectiveness of a privacy notice.
We all spend an increasing amount of time using our phones or tablets to access the internet. This quite often means that privacy notices we come across are small and we have to scroll and zoom in order to read the content. To address this we are providing advice on how to make privacy notices on smartphones and tablets as easy to view as they should be on a personal computer or laptop. This code of practice also looks at the issues that organisations need to consider when providing privacy notices via other smart devices (often called the internet of things) or when using big data analytics involving personal data.
We are all far more technology literate these days, and as a consequence we know much more about how our data may be used. We therefore want to have more control and choice over what can and can’t be done with our data. Because of this, the code of practice provides advice to organisations about how to integrate choice for individuals into their privacy notices.
The code also looks at consent, in particular in relation to third-party marketing (where an organisation has shared your personal data with another organisation and they have marketed to you). We have produced best practice standard wording for organisations to use when seeking consent for marketing, which we’ve tested with members of the public. We believe our recommended standard approach will ensure that individuals can indicate clear choice over who they would like to hear from and what products or services they are interested in.
We have also developed this code with the General Data Protection Regulation in mind, alongside the current DPA. However, we intend to make precise and technical changes to the final text after we have received all of the feedback from the consultation.