Oct 312016

ICO Updates Guidance on Privacy Notices

William RM Long and Thomas Fearon
, , , , ,

The EU Data Protection Directive requires that data be processed fairly, which includes providing individuals with certain information about how a business uses their data, for example, by way of a privacy notice.  These information requirements will be enhanced under the new EU Data Protection Regulation (“GDPR“), which will require many companies to review and amend their employee and customer notices, consents and policies (including privacy notices).

In readiness for the GDPR, which comes into effect in 2018 and introduces fines of up to 4% of annual worldwide turnover, the UK’s Information Commissioner’s Office (“ICO”) released The Privacy Notices Code of Practice (“the Code“). Following the UK’s vote to leave the EU, commonly referred to as “Brexit,” the ICO has sought to provide reassurance, issuing a statement reinforcing continuity of data protection principles and a commitment to the digital economy. This update reinforces these assurances as the ICO looks to implement the GDPR.

The Code replaces the ICO’s existing guidance on privacy notices and recommends a number of techniques to improve how organisations communicate privacy information to individuals. Whilst businesses are not expected to follow all recommendations, a blended approach which uses many techniques should be adopted in order to create the best system to effectively convey privacy information to users/customers. In taking this blended approach the business will be, according to the ICO, “acting more openly and, in a data protection sense, more fairly, but you are also able to use data more effectively.”

Effective ways to ensure the delivery of information might include the use of:

  • Preference management tools such a privacy dashboards which allows for transparency and easy access to information in a single place. Links to tools like dashboards can be embedded within a privacy notice to allow individuals to manage their preferences and to prevent their data being shared where they have a choice.
  • Just-in-time notices whereby a notice appears on the user’s screen at the point where they input personal data, explaining how the information is to be used. Video notices may also be effective when using mobile devices.
  • A layered approach that allows the provision of key privacy information immediately and have more detailed information available elsewhere for those that want it.
  • Icons and symbols as part of a layered approach. This can indicate that a particular type of data processing is occurring.
  • Breaking customers down into different categories and providing separate notices for each.
  • Lists of the different purposes with separate un-ticked opt-in boxes for each or Yes/No buttons of equal size and prominence when obtaining consent.

To implement this new guidance into businesses, the ICO has recommended looking at its Code together with its checklist, which covers key points including how and when information should be delivered to individuals, as well as tips on how to write a notice.

The aim of the ICO is to have “organisations embrace transparency as a means of building trust and confidence with their consumers and use it as a means of distinguishing themselves from their competitors.”

William RM Long

London

wlong@sidley.com

Thomas Fearon

tfearon@sidley.com

You might also like
UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

It Is Now More Difficult For International Pharma To Transfer Data Out Of China

China’s new Measures for the Security Assessment of Outbound Data Transfers (the “Measures”) came into force on September 1, 2022. Pharma companies now have until February 28 to work out whether their activities mean they are affected, and to apply for the new type of data security assessment if they need it.