Oct 312016

ICO Updates Guidance on Privacy Notices

William RM Long and Thomas Fearon
, , , , ,

The EU Data Protection Directive requires that data be processed fairly, which includes providing individuals with certain information about how a business uses their data, for example, by way of a privacy notice.  These information requirements will be enhanced under the new EU Data Protection Regulation (“GDPR“), which will require many companies to review and amend their employee and customer notices, consents and policies (including privacy notices).

In readiness for the GDPR, which comes into effect in 2018 and introduces fines of up to 4% of annual worldwide turnover, the UK’s Information Commissioner’s Office (“ICO”) released The Privacy Notices Code of Practice (“the Code“). Following the UK’s vote to leave the EU, commonly referred to as “Brexit,” the ICO has sought to provide reassurance, issuing a statement reinforcing continuity of data protection principles and a commitment to the digital economy. This update reinforces these assurances as the ICO looks to implement the GDPR.

The Code replaces the ICO’s existing guidance on privacy notices and recommends a number of techniques to improve how organisations communicate privacy information to individuals. Whilst businesses are not expected to follow all recommendations, a blended approach which uses many techniques should be adopted in order to create the best system to effectively convey privacy information to users/customers. In taking this blended approach the business will be, according to the ICO, “acting more openly and, in a data protection sense, more fairly, but you are also able to use data more effectively.”

Effective ways to ensure the delivery of information might include the use of:

  • Preference management tools such a privacy dashboards which allows for transparency and easy access to information in a single place. Links to tools like dashboards can be embedded within a privacy notice to allow individuals to manage their preferences and to prevent their data being shared where they have a choice.
  • Just-in-time notices whereby a notice appears on the user’s screen at the point where they input personal data, explaining how the information is to be used. Video notices may also be effective when using mobile devices.
  • A layered approach that allows the provision of key privacy information immediately and have more detailed information available elsewhere for those that want it.
  • Icons and symbols as part of a layered approach. This can indicate that a particular type of data processing is occurring.
  • Breaking customers down into different categories and providing separate notices for each.
  • Lists of the different purposes with separate un-ticked opt-in boxes for each or Yes/No buttons of equal size and prominence when obtaining consent.

To implement this new guidance into businesses, the ICO has recommended looking at its Code together with its checklist, which covers key points including how and when information should be delivered to individuals, as well as tips on how to write a notice.

The aim of the ICO is to have “organisations embrace transparency as a means of building trust and confidence with their consumers and use it as a means of distinguishing themselves from their competitors.”

William RM Long

London

wlong@sidley.com

Thomas Fearon

tfearon@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.