New Code of Practice on Privacy Policies

Sian Barr
Sian Barr

The ICO’s new Code of Practice on Communicating Privacy Information to Individuals goes beyond the form of privacy notice that we are accustomed to seeing when we hand over our personal information. It advocates a blended approach of selecting a number of different techniques to communicate privacy details to individuals when they hand over their personal data.

According to the ICO, the benefits of the blended approach include:

  • greater control for individuals over how their personal data is used;
  • greater choice for individuals over how their personal data is used;
  • can be used to demonstrate that personal data is being used fairly and transparently;
  • preference management tools will mean that you are more likely to get better and more specific information from individuals; and
  • more likely to demonstrate that informed consent has been provided.

Drafting privacy notices in accordance with the Code

The Code is full of detailed and helpful guidance on preparing privacy notices, including the following:

Have a plan – consider whether your intended uses of the information would be reasonably expected by the individual?  If not, your privacy notice should explain the uses in greater detail. Make predictions of likely future uses, especially as part of big data, and include this information in the notice.  Put yourself in the shoes of the individual: carry out a privacy impact assessment.

Blended approach – make use of the privacy-enhancing technologies available such as just-in-time solutions, voice or video, privacy dashboards, icons and symbols.

Avoid catch-all privacy notices – instead, have separate notices tailored to groups.

Control – it is good practice to link the notice to a preference management tool such as a privacy dashboard; be clear about the information that is required and that which is optional

Adapt to your business model – the privacy notice should cover all platforms through which the individual can access your services.

Consent – consider whether the individual needs to consent to the processing described in the privacy notice and, if so, include a mechanism for giving and obtaining consent at the appropriate time.

Active communication – when appropriate privacy information should be actively communicated to individuals (as opposed to the individual having to seek it out through, e.g., a web link), for example if the uses are likely to be unexpected, or if information could be shared with other sources to build a more detailed picture about an individual.

Collaborative resource – where several data controllers are involved, the ICO suggests that in addition to individual privacy notices, a collaborative resource which brings together all privacy information could be the way forward.  Such a resource could allow the individual to make and apply privacy preferences across all data controllers.

Encourage individuals to take notice – word privacy notices in an engaging way and embed them into the user journey.


When dealing with complex transactions or platforms which involve personal data collection, compliance with the principles may require a range of privacy communication techniques to be used.  The key is to employ these techniques with a focus on how they can enhance the user experience, rather than over-complicate it.

What do you think about the proposed new Code? The Code is open for consultation until 24 March 2016.

Data Privacy for Peer to Peer and Alternative Finance Platforms

Sian Barr
Sian Barr

Setting up a new platform for a peer to peer or alternative finance business is challenging at the best of times, as entrepreneurs plot a route through the diverse areas of law and regulation which must be respected for the platform to be launched and run in a sustainable manner. One such area is data protection and privacy. This article distils some of the experience and learning we at Fox Williams have gained from advising on data protection and privacy issues into what we consider to be the five most important data protection considerations relevant to P2P and alternative finance platforms.

1. Design with privacy in mind. Each platform will use and process personal data in different ways. If your platform innovates by providing a new service, or changes and improves the user experience of an existing service, then it may be using personal data in an entirely novel way. There is no ‘one size fits all’ solution to complying with privacy laws. The challenge is to ensure that the platform is still commercially viable even when operated within the framework of privacy laws. To help ensure this is the case, the platform or business model should be designed with privacy in mind so that any issues are identified early, which should minimise the costs of sorting them out. “Privacy by design” such as this is best practice and the interaction of data protection and privacy laws with your business model should be kept under review as the relevant legal framework changes.

2. Factor in new developments. Privacy laws are constantly evolving. Platform owners should establish a system, in conjunction with trusted advisers, so that the business is kept up to date with developments to privacy law both during the development phase and post-launch. The existing European data protection legislation is in the process of being reviewed and new laws are likely to enter into force at some point in 2017, although they could become law earlier or later than 2017. The new legislation is only in draft form at present but contains a number of material changes which will affect platform owners. For example, existing methods for getting your customers’ consent to his/her data being used may no longer be adequate as the requirements for valid consent are set to become more stringent and the potential fines for breaching data protection laws look likely to increase (the draft legislation provides for fines of up to 1 million euros or up to 2% of annual worldwide turnover).

3. Does your platform rely on the US Safe Harbor? Your platform could be affected by the recent decision of the Court of Justice of the EU, in which it ruled that the US Safe Harbor scheme is invalid. If, for example, your parent company is a US company and your HR or customer data is held by the parent company on servers in the US, or if your platform uses Software-as-a-Service (SaaS) solutions which are hosted in the US where the service provider is under Safe Harbor – such as Amazon Cloud or Salesforce. The eighth data protection principle of the UK Data Protection Act says that personal data shall not be transferred to a country outside the European Economic Area unless that country ensures an “adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”. Formerly under the Safe Harbor, transfers could be made to the US, if the US recipient of the data had signed up to the US Department of Commerce Safe Harbor Scheme, as this had been recognised as providing “adequate protection”. Businesses that previously relied on Safe Harbor (or new platforms intending to rely on it) will need to review and where appropriate make changes to their business so that they can send data to the US lawfully. For further information on the Safe Harbor decision, please see our earlier item “Safe harbor update – and what to do” which can be found here.

4. Change management. Parallel with being informed of any new developments, you need to be able to implement changes to the way your platform operates fast to keep on the right side of new privacy laws. This means being able to adapt business processes which are usually governed by a complex network of contracts between you, as platform owners on the one hand, and customers or other users of the platform, and suppliers to the platform, on the other. All contracts and terms should give you the right to amend existing contracts and standard terms in order to bring them into compliance with applicable data protection law and regulation and set out a clear and transparent way of notifying all interested parties of the changes that have been made and the reasons for making them.

5. Transparency is one of the guiding principles of privacy law. This principle should also resonate with P2P and alternative finance platforms as often the point of distinction between them and the more traditional finance businesses is that platforms are easier to navigate and understand. The principle of transparency should track through to the legal terms governing the platform. The privacy statement and privacy policy should be clear, easy to follow and easy to find. The platform should be up front at all times about how personal data is to be used. Doing so can only improve the user experience offered by the platform.