The data protection law watchdog has published for consultation a draft code of practice for drawing up privacy notices including privacy policies on websites. The idea is that failure to follow the code may make enforcement action more likely, so Phil Lee sits up and takes notice.
Topic: Privacy
Who: Information Commissioner's Office
When: 12 January 2009
Where: United Kingdom
Law stated as at: 27 January 2009
What happened:
In mid January 2009, UK data protection watchdog the Information Commissioner's Office ("ICO") launched a consultation on its draft Code of Practice for Privacy Notices (the "Code"). Those of you fooled into thinking that the draft Code applies only to privacy policies buried away in the depths of a website had better think again – by using the term "Privacy Notice", ICO is keen to underline that the fair processing requirements of the Data Protection Act 1998 ("DPA") have a wider application. ICO cites as examples the need to tell people how their information will be processed when recording customer calls made to a call centre, when collecting information about shoppers from their loyalty card transactions, and when using online behavioural targeting techniques.
The aim of a privacy notice
ICO's foreword to the Code will undoubtedly alarm some lawyers: "A privacy notice should be genuinely informative," it notes, before continuing: "A privacy notice that is legalistic or drafted with the primary objective of indemnifying an organisation is unlikely to achieve this objective." In-house counsel, you have been warned.
The Code makes clear that the aim of a privacy notice is to ensure that collection and use of individuals' personal data is "fair", as required by the DPA. However, ICO points out that "Telling people what you intend to do with their information does not mean that the processing will be fair". This runs contrary to the oft-held assumption that simply stating in a privacy notice all possible acts of processing that a data controller intends to do will legitimise those acts. As the Code notes: "When you collect information, you should try to predict whether you will be likely to do other things with it in future. Your privacy notice may reflect this, but you should avoid drawing up a long list of possible future uses if in reality it's unlikely that you will ever use the information for such a range of purposes."
ICO advises that, when preparing a privacy notice, data controllers should put themselves in the shoes of the data subject, asking:
- Would they know who is collecting the information?
- Would they understand why you're collecting it?
- Would they understand the implications of this?
- Would they be likely to object or complain?
Don't state the obvious
However, the Code notes that there is no need to tell people the obvious – for example, where a person purchases goods from you it is not necessary to tell them that their personal details will have to be processed in order to take payment and dispatch the goods to them (if this is the only use that will be made of their details). However, the Code also notes that there will be cases where uses of an individual's personal details may be unusual or unexpected, and it recommends considering whether it is necessary to "actively communicate" the privacy notice in those circumstances (by, for example, sending a letter or reading a script).
An end to "selected third parties"?
In late 2008, the Ministry of Justice made it clear that it generally supported ICO's call to end references in privacy policies and elsewhere to sharing personal data with "selected third parties" and this, too, appears to have made its way into the Code. ICO notes that: "In marketing contexts, organisations often ask for permission to share customer information with third parties, for example companies in the same group. General descriptions like this should be backed up with more detailed information, for example naming the specific companies involved." Whether this is really feasible in large group organisations is a matter of some debate, however.
Layered notices
Despite remaining quite rare in practice, ICO has once again trumpeted the use of layered privacy notices (i.e. a short notice setting out a few privacy basics, with a link to a more detailed notice for those who want to find out more). The Code suggests that, if this approach is adopted by a data controller, the short notice need only contain "basic information, such as the identity of the organisation and the way in which the personal information will be used", while the longer notice can explain "relatively specialist issues such as the circumstances in which information will be disclosed to the police".
Marketing consents
Interestingly, the Code contains curiously little guidance on good practice approaches to obtaining marketing consent (other than by way of a few examples at the back of the Code). In terms of actual guidance, it notes only that "It is important to make sure that where people do have a choice, they are given a genuine opportunity to exercise it. A good example of this is the opportunity to subscribe to, or unsubscribe from, direct marketing." It also advises against seeking to take advantage of customers by providing "a confusing mixture of opt-ins and opt-outs" as a means of collecting consent.
Example notices
The Code sets out various examples of well- and poorly-drafted privacy notices and fair collection notices. These examples highlight the need to use plain English and to collect clear, upfront consents to receiving marketing communications. The Code also encourages the use of headings like "How information about you will be used" and discourages legalistic headings like "Legal declaration", "DPA Statement" and "Declaration".
Why this matters:
Although the Code itself is not legally enforceable, the Information Commissioner states that he "will take its standards into account when, for example, I receive a complaint that information has been used in an unreasonable way". Consequently, the Code will factor into any decision taken by the Information Commissioner whether or not to take enforcement action against a non-compliant data controller. Whilst lacking some express guidance on the use of marketing consents, the Code undoubtedly provides a helpful checklist for data controllers to use when preparing a privacy policy (or when reviewing their existing policies).
The consultation closes on 3 April 2009.