ICO Updates Guidance on Privacy Notices

The EU Data Protection Directive requires that data be processed fairly, which includes providing individuals with certain information about how a business uses their data, for example, by way of a privacy notice. These information requirements will be enhanced under the new EU Data Protection Regulation (“GDPR”), which will require many companies to review and amend their employee and customer notices, consents and policies (including privacy notices).

In readiness for the GDPR, which comes into effect in 2018 and introduces fines of up to 4% of annual worldwide turnover, the UK’s Information Commissioner’s Office (“ICO”) released The Privacy Notices Code of Practice (“the Code”). Following the UK’s vote to leave the EU, commonly referred to as “Brexit,” the ICO has sought to provide reassurance, issuing a statement reinforcing continuity of data protection principles and a commitment to the digital economy. This update reinforces these assurances as the ICO looks to implement the GDPR.

The Code replaces the ICO’s existing guidance on privacy notices and recommends a number of techniques to improve how organisations communicate privacy information to individuals. Whilst businesses are not expected to follow all recommendations, a blended approach which uses many techniques should be adopted in order to create the best system to effectively convey privacy information to users/customers. In taking this blended approach the business will be, according to the ICO, “acting more openly and, in a data protection sense, more fairly, but you are also able to use data more effectively.”

Effective ways to ensure the delivery of information might include the use of:

  • Preference management tools such as privacy dashboards, which allow for transparency and easy access to information in a single place. Links to tools like dashboards can be embedded within a privacy notice to allow individuals to manage their preferences and to prevent their data being shared where they have a choice.
  • Just-in-time notices whereby a notice appears on the user’s screen at the point where they input personal data, explaining how the information is to be used. Video notices may also be effective when using mobile devices.
  • A layered approach that provides key privacy information immediately and makes more detailed information available elsewhere for those who want it.
  • Icons and symbols as part of a layered approach. These can indicate that a particular type of data processing is occurring.
  • Breaking customers down into different categories and providing separate notices for each.
  • Lists of the different purposes with separate un-ticked opt-in boxes for each or Yes/No buttons of equal size and prominence when obtaining consent.

To implement this new guidance into businesses, the ICO has recommended looking at its Code together with its checklist, which covers key points including how and when information should be delivered to individuals, as well as tips on how to write a notice.

The aim of the ICO is to have “organisations embrace transparency as a means of building trust and confidence with their consumers and use it as a means of distinguishing themselves from their competitors.”