The ICO’s new Code of Practice on Communicating Privacy Information to Individuals goes beyond the form of privacy notice that we are accustomed to seeing when we hand over our personal information. It advocates a blended approach of selecting a number of different techniques to communicate privacy details to individuals when they hand over their personal data.
According to the ICO, the benefits of the blended approach include:
- greater control for individuals over how their personal data is used;
- greater choice for individuals over how their personal data is used;
- can be used to demonstrate that personal data is being used fairly and transparently;
- preference management tools will mean that you are more likely to get better and more specific information from individuals; and
- more likely to demonstrate that informed consent has been provided.
Drafting privacy notices in accordance with the Code
The Code is full of detailed and helpful guidance on preparing privacy notices, including the following:
Have a plan – consider whether your intended uses of the information would be reasonably expected by the individual? If not, your privacy notice should explain the uses in greater detail. Make predictions of likely future uses, especially as part of big data, and include this information in the notice. Put yourself in the shoes of the individual: carry out a privacy impact assessment.
Blended approach – make use of the privacy-enhancing technologies available such as just-in-time solutions, voice or video, privacy dashboards, icons and symbols.
Avoid catch-all privacy notices – instead, have separate notices tailored to groups.
Control – it is good practice to link the notice to a preference management tool such as a privacy dashboard; be clear about the information that is required and that which is optional
Adapt to your business model – the privacy notice should cover all platforms through which the individual can access your services.
Consent – consider whether the individual needs to consent to the processing described in the privacy notice and, if so, include a mechanism for giving and obtaining consent at the appropriate time.
Active communication – when appropriate privacy information should be actively communicated to individuals (as opposed to the individual having to seek it out through, e.g., a web link), for example if the uses are likely to be unexpected, or if information could be shared with other sources to build a more detailed picture about an individual.
Collaborative resource – where several data controllers are involved, the ICO suggests that in addition to individual privacy notices, a collaborative resource which brings together all privacy information could be the way forward. Such a resource could allow the individual to make and apply privacy preferences across all data controllers.
Encourage individuals to take notice – word privacy notices in an engaging way and embed them into the user journey.
When dealing with complex transactions or platforms which involve personal data collection, compliance with the principles may require a range of privacy communication techniques to be used. The key is to employ these techniques with a focus on how they can enhance the user experience, rather than over-complicate it.
What do you think about the proposed new Code? The Code is open for consultation until 24 March 2016.