Information Commissioner's Office
What you need to know about ICO Privacy Seals
As we all await the outcome of the lengthy negotiations taking place in Europe over the reforms to our existing data protection laws, there is one section of the draft proposals that has been unanimously supported by member states. The reason for this pan-European consensus? Privacy seals.
On Data Protection Day, it seems timely to discuss one of the key changes we’re set to see in the world of data protection, and the benefits privacy seals are set to bring to organisations and members of the public alike.
Many of you will already be familiar with the British Standard Institute’s Kitemark symbol. The symbol is displayed on numerous products and services within the UK to demonstrate quality and provide assurances that the highest standards are being delivered. An ICO privacy seal would operate in a similar manner by being awarded to organisations that demonstrate that they are not only meeting, but also surpassing, the requirements of the Data Protection Act when it comes to looking after people’s information.
With a recent survey by our office showing that four out of every five people approve of the introduction of such a symbol, it is an area of work that many organisations processing personal information will want to start thinking about.
At the ICO, we have been working on the development of a framework to enable consumer-facing privacy seal schemes for almost two years now. Such schemes will bring a number of benefits. Firstly, the awarding of a seal will help to promote organisations that are going above and beyond the call of duty when it comes to looking after people’s information, giving them an opportunity to gain an advantage over their competitors. Secondly, the seal will help to build consumer trust and choice, as it will demonstrate that an organisation is looking after their information to a notably high standard. More widely, the seal will raise the bar for privacy standards across the UK by incentivising good practice.
So how will an ICO privacy seal work?
We will endorse third party operators to deliver ICO privacy seal schemes. Once approved, the scheme operators will be responsible for the day-to-day running of the scheme.
It is anticipated that the different scheme operators will focus on different sectors, processes, products or areas of compliance. For example, one operator may focus their privacy seal scheme on the collection of personal information by mobile apps, while another operator may run a scheme for organisations providing data protection training services for health service providers. This approach allows our office to draw upon specialist skills from parties already recognised in the field of accreditation and certification. It also gives organisations the opportunity to apply for an ICO privacy seal from an operator whose scheme is specifically tailored to their products or sector.
In order to be considered for endorsement, potential scheme operators must be accredited by the UK Accreditation Service (UKAS) and will need to meet a strict set of criteria developed by our office. The criteria will ensure that any ICO privacy seal scheme is viable, promotes the high standards we are looking to achieve and complements the existing priorities of our office. Our office retains the right to remove our endorsement if the operator is no longer able to run the scheme to the required standard.
Organisations wishing to apply for an ICO privacy seal will then be able to make an application to a relevant scheme operator. Organisations will only be awarded an ICO privacy seal if they can show that they meet the operator’s assessment criteria and in doing so demonstrate that they meet the highest data protection standards.
Once an organisation has been awarded a privacy seal, they can use the seal externally to show that they are demonstrating best practice when it comes to looking after people’s information. The seal can be used by the organisation for a certain period, likely to be four years, after which revalidation is required. The seal can also be removed if the organisation that has been awarded the seal fails to maintain these standards – for example, if they suffer a serious data breach.
Where are you up to with this work?
We are currently working with the UK Accreditation Service (UKAS) and various stakeholders to develop the framework criteria that privacy seal scheme operators will need to meet in order to operate an ICO-endorsed privacy seal scheme.
Those of you signed up to receive our e-newsletter will already know that we held a consultation on the draft criteria last autumn. We are currently considering the feedback from this exercise. You can find a summary of the responses received to this consultation on our website.
Interested in operating a scheme? In the coming months, we will publish the final criteria and invite applications from potential scheme operators who’d like to run an ICO endorsed privacy seal scheme.
Interested in applying for a seal? Later in the year, we will announce the details of the selected operators. The aim is to have the first ICO endorsed privacy seal scheme up and running in 2016. Once an ICO privacy seal has been established, organisations will be able to apply to the scheme operator for certification.
While the deadlines may be tight, there is wide support from legislators and the public for the creation of an ICO privacy seal. If you think your organisation is up to the data protection challenge, then you should start thinking about whether you would be interested in applying for an ICO privacy seal in the future. One thing’s for sure… your customers will soon be looking out for them.
Gemma Farmer is a Senior Policy Officer in the ICO’s Policy Delivery department. Her team leads on the Privacy Seals project, research on the impact of the ICO’s civil monetary penalties and formal responses to any consultations on the Data Protection Act.