Who: Information Commissioner’s Office (“ICO”)
Where: UK
When: 2 February 2016
Law stated as at: 11 February 2016
What happened:
In a blog post on 2 February 2016, the ICO announced the publication of its revised Privacy notices code of practice for consultation. The consultation will last for 8 weeks, after which precise and technical changes will be made based on the feedback received.
The ICO explained that the code had been developed with the (now agreed) General Data Protection Regulation (“GDPR”) in mind, alongside the current Data Protection Act 1998. The themes of strengthening consumer rights and controls, and of transparency, run right through the GDPR, so this revised code of practice is very timely.
How does the revised code of practice differ from the existing code?
It is perhaps better to start with what stays the same: both versions of the code are concerned with ensuring that personal data is processed fairly, and both emphasise two key elements of fairness:
- using information in a way that people would reasonably expect and in a way that is fair; and
- ensuring people know how their information will be used.
The clue to one of the most notable changes to the code of practice lies in the examples given for the second of those two elements of fairness.
The existing code says:
“… ensuring people know how their information will be used, for example by providing a privacy notice or publishing it on your website”.
and the revised code:
“… ensuring people know how their information will be used, for example by providing or making available privacy notices using the most appropriate mechanism and, in a digital context, on all the online platforms used to deliver services” [emphasis added].
The ICO recognises that the code of practice has not been revised for several years (since 2010), and that the way personal data is used in the digital world has changed a lot in that time. The revised code of practice focusses on how to communicate privacy information to individuals in a “clear and engaging way”.
Detailed explanations are discouraging and unlikely to be read, the ICO says, leaving individuals feeling uninformed and unfairly treated. In turn, this may increase complaints, result in a lack of trust and/or detract from the user experience.
So, how should it be done?
The “blended approach”
We are all now familiar with the layered approach to communicating privacy information: a short-form notice containing basic privacy information and early warning of any use of information which is likely to be unexpected or objectionable, linking through to a second, longer notice providing much more detailed information.
The revised code of practice continues to advocate the layered approach. However, it supplements that approach with a number of other suggestions. At the core of those suggestions is that businesses should be taking advantage of all of the privacy-enhancing technologies that are available. The ICO specifically encourages use of the following:
- Just-in-time notices, so that relevant and focussed information is provided at the point at which the data is collected. For example, as a user enters their e-mail address into an online form, a message may pop up explaining that the address may be used to provide information on offers for selected products.
- Icons and symbols to indicate that a particular type of data processing is occurring. The code gives the example of a symbol designating that personal data will be used for marketing, and emphasises that businesses may design symbols with their brand in mind so that they fit in with the overall look of the business’s website.
- Video, as a useful tool for clarifying how personal data is going to be used, particularly on smaller devices such as mobiles and tablets, where the size and length of text in a privacy notice can be an issue.
- Privacy dashboards, as a means of giving individuals control over how their personal data is used and shared. A privacy dashboard gives people one place from which to manage what is happening to their information; it can also be used as a means to allow individuals to give or revoke consent over time.
These tools will be useful for all businesses that process personal data and are working to ensure that they do so fairly.
The tools will be particularly useful in the world of marketing and advertising. The GDPR (in Recital 46 of the leaked text dated 15 December) explicitly states that the principle of transparency is particularly relevant “where in situations, such as online advertising, the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand if personal data relating to him or her are being collected, by whom and for what purpose”.
Data protection by design
Another key theme of the revised code of practice, and perhaps where it is most clear that the code has been drafted with the GDPR in mind, is the focus on data protection by design.
In a new section entitled “Plan privacy notices”, the ICO encourages businesses to take a privacy by design approach when developing products and services. The ICO suggests mapping the business’s interaction with customers to identify when and how it is most appropriate to provide them with details about how their personal data is being processed.
Why this matters:
Increasingly, the onus is on businesses to decide what measures to put in place, rather than following specific legal requirements. While the ICO’s suggestions in this code of practice are likely to involve additional burden and cost, they should also be seen as an opportunity.
Businesses are being actively encouraged to be flexible and innovative, and to do so with their brand in mind. We are increasingly seeing forward-thinking businesses using data protection compliance as a selling point; in this revised code of practice, the ICO is providing ample opportunity to do so!