Who: Information Commissioner’s Office (the “ICO”)
Where: UK
When: 3rd September 2014
Law stated as at: 9th September 2014
What happened:
The ICO has published draft framework criteria for a scheme whereby third party privacy seal schemes can obtain the ICO’s official endorsement. It has issued a consultation document for comments by 3rd October 2014.
The ICO is planning to endorse at least one scheme operated by an independent third party in the UK for a minimum of three years. The consultation invites comments on the framework criteria that proposals for schemes will be assessed against. The ICO will then invite proposals later this year, with a view to selection in early 2015 and launch in 2016. In order to be selected the scheme operator will need to be accredited by the UK Accreditation Service (UKAS).
Background
The world has changed, and both consumers and regulators want to be able to identify quickly where good privacy standards are in place; accountability and transparency are key. Although accreditation schemes, particularly for web site privacy policies, have been very popular in the US, their adoption and use in Europe has been slow.
This may be changing, and the ICO is a strong proponent of the adoption of “privacy seals” schemes to indicate that a business operates and maintains “good privacy standards.” The consultation document is in three sections: the first looks at how the ICO will endorse the scheme and work with the operator, the second at how a seal scheme will fulfil the underpinning principles, and the third at some of the scheme requirements using the guidelines.
The ICO Endorsement
Key points to note:
- UKAS accreditation is a condition for ICO endorsement and the ICO will offer UKAS technical support and advice;
- ICO will monitor progress of the scheme and this will be separate from UKAS review;
- ICO will recover costs from the scheme operator;
- the scheme operator will be responsible for day to day operation including liabilities and indemnities and dealing with complaints and queries which must be notified to the ICO; and
- ICO will work with the operator on branding of the seal, launch, promotion and working with industry and consumer groups.
Underpinning principles and scheme requirements
To be seriously considered for ICO endorsement, a seal scheme must:
- be new with privacy as its focus;
- be consumer facing and it may focus on a specific sector, product or service or have cross sector scope;
- require members to “self-report serious or recurring data breaches” to the ICO;
- monitor technology and privacy developments and update requirements;
- provide clear incentives for scheme members, although no guidance is provided as to what sort of incentives are envisaged;
- be able to complement applicants’ existing data protection policies or procedures and not require significant changes to organisations’ other existing policies;
- have monitoring, audit or review processes in place on a regular basis; and
- provide clear guidelines on when a certification may be revoked.
Consultation
The ICO has asked for feedback on its proposals and has asked for comments on the ICO role in relation to endorsement and revocation of seal schemes. It has also asked for comments on the advantages and disadvantages of an ICO endorsement scheme and the underpinning principles.
Why this matters:
As the need to be able to demonstrate compliance becomes more important, privacy seals are likely to be seen as a way of providing evidence of compliance to both consumers and regulators. For such schemes to work it is imperative that there is clarity on exactly what the seal signifies and effective review of ongoing compliance.
Although in principle the use of seals seems sensible, the challenge will be to work out the detail and also to ensure there is clarity for consumers as to the level of endorsement and support from the ICO. Schemes will need to have triggers for ad hoc audits and have an “appropriate level” of regular audit and review as part of this practice. Determining what that “appropriate level” will be is the challenge, and it is important that industry and consumers participate in this debate with the ICO and provide feedback to ensure any ICO Endorsement of a Seal Scheme really does have value.