By Jo Pedder, Group Manager, Policy Delivery.
Following Data Protection Day last Thursday, it seems like the perfect opportunity to announce the publication of the ICO’s revised Privacy notices code of practice for consultation. The consultation will be running from today for 8 weeks and we are very keen to get your feedback.
This code of practice has not been revised for several years and as we all know, this is a long time in the digital world. The way personal data is used rapidly changes and the ICO has undertaken this review with that in mind.
Ensuring that individuals have a clear understanding of what is done with their personal data is a fundamental point of the Data Protection Act (DPA). This code of practice has been written to show organisations how they can achieve this in a clear and engaging way.
The revision of this code of practice still has at its core what data controllers need to do to provide privacy information and what is good practice. However, there is also a further focus on producing privacy notices that individuals are more able to engage with.
So often privacy notices are too long, overly legalistic, uninformative and unhelpful. These are the notices individuals choose to ignore, and therefore they miss out on important information.
Individuals see a lengthy privacy notice and are instantly put off. That is why the ICO is recommending a more blended approach. We think that using a variety of techniques to provide privacy information is a more effective way of engaging individuals. For example, a just-in-time message that appears to tell you why your email address is needed when you are filling out an online form will be more effective than having to click onto a separate privacy notice or search for this information. Or perhaps providing a short video that explains what an organisation does with individuals’ personal data will reach a wider audience. These are just some of the recommendations we think will help to improve the effectiveness of a privacy notice.
We all spend an increasing amount of time using our phones or tablets to access the internet. This quite often means that privacy notices we come across are small and we have to scroll and zoom in order to read the content. To address this we are providing advice on how to make privacy notices on smartphones and tablets as easy to view as they should be on a personal computer or laptop. This code of practice also looks at the issues that organisations need to consider when providing privacy notices via other smart devices (often called the internet of things) or when using big data analytics involving personal data.
We are all far more technology literate these days, and as a consequence we know much more about how our data may be used. We therefore want to have more control and choice over what can and can’t be done with our data. Because of this, the code of practice provides advice to organisations about how to integrate choice for individuals into their privacy notices.
The code also looks at consent, in particular in relation to third party marketing (where an organisation has shared your personal data with another organisation and they have marketed to you). We have produced best practice standard wording for organisations to use when seeking consent for marketing, which we’ve tested with members of the public. We believe our recommended standard approach will ensure that individuals can indicate clear choice over who they would like to hear from and what products or services they are interested in.
We have also developed this code with the General Data Protection Regulation in mind, alongside the current DPA. However, we intend to make precise and technical changes to the final text after we have received all of the feedback from the consultation.
Jo Pedder is a Group Manager in the Policy Delivery department. She has lead responsibility for the ICO’s guidance on the Data Protection Act and the Freedom of Information Act.
Last updated 2/2/2016 11:30