The Data Protection Act 1998 (DPA) obliges organisations to process personal data fairly and lawfully. In order to comply with this principle, organisations that process personal data must inform individuals:
This information must be provided to individuals regardless of whether the personal data was obtained directly by an organisation or passed to it by a third party.
To encourage organisations to be transparent about how they process personal data, the Information Commissioner’s Office (ICO) has published a revised code of practice on communicating privacy information to individuals (Code). The Code is aimed at all organisations that process personal data and provides guidance on what information should be contained in a privacy notice, the manner in which the information should be presented and ways in which organisations can communicate privacy notice to individuals.
The General Data Protection Regulation (GDPR), which organisations must comply with from the 25 May 2018, imposes more stringent obligations than those currently set out in the DPA and therefore organisations will need to consider if their current privacy notices will comply with these new requirements. It is envisaged that following the guidance set out in the ICO's Code will help organisations to meet their obligations under the GDPR.
The Code provides specific guidance in respect of the content of privacy notices and how these should be written, how to communicate privacy notices to individuals, when to communicate privacy notices to individuals and the need to gain consent from individuals when processing their personal data.
1. The content of privacy notices and how these should be written
A privacy notice should set out as a minimum the name of the organisation that will be processing the personal data, what the personal data will be used for and any third parties that the organisation may share the personal data with. However the Code confirms that there will be instances where this basic information is not sufficient to make the processing fair. In these circumstances, organisations will need to provide further information to the individual, for example where the personal data will be provided to a third party for marketing purposes.
The Code acknowledges that "one of the biggest challenges is to encourage people to read privacy information" therefore, organisations should tailor their privacy notices to ensure that these are easy to understand by the individuals whose information is being collected. Where an organisation is processing information about children or vulnerable individuals organisations must make sure that the privacy notices are drafted fairly.
2. How to communicate privacy notices to individuals
The ways in which personal data is collected are evolving, therefore, new ways of communicating privacy information may be required in order to adapt to these new technologies. The Code advocates adopting a blended approach of various techniques to present privacy information, such as videos, just-in-time notices and privacy dashboards. A privacy notice must be equally visible on a handheld portable device as on a desktop computer.
3. When to communicate privacy notices to individuals
It is important that individuals are made aware of how their data is being processed prior to the personal data being processed or as soon as possible thereafter. In the event that an organisation is relying on consent to process the personal data the consent of an individual must be obtained prior to the data being processed. Adopting different formats means that information can be provided to individuals at the appropriate stage of an organisation's interaction with that individual. For example, a just-in-time notice could be displayed on screen on the page that an individual inputs personal data into.
4. The need to gain consent from individuals when processing their personal data
Where organisations are relying on consent to process personal data they should consider how this is obtained and recorded. If personal data is being processed for a range of purposes the Code recommends that this is explained clearly to individuals and that individuals have a "clear and simple way for them to indicate they agree to different types of processing". It suggests that the use of separate un-ticked opt-in boxes or ‘yes/no’ buttons of equal size and prominence are used. Where organisations are asking individuals to consent to marketing, the provisions of the DPA and the Privacy and Electronic Communications Regulations 2003 must be considered.
1. Data mapping
Organisations should look at the data they are processing and how this flows through the organisation. They should then ensure that any privacy polices they have in place which cover the processing of the personal data accurately reflect in enough detail what the organisation is doing with that information and that the privacy notice is written in plain English and is easy to understand.
2. Gain and record consent
Organisations should review where they are relying on consent to process personal data and should consider how this is obtained and recorded to ensure that this is done in accordance with the DPA and PECR. Consideration should also be given to the stricter provisions of the GDPR to ensure that privacy notices do not need to be re-written when the GDPR applies from 25 May 2018.
3. Format of privacy notices
Organisations should consider the individuals for whom they are processing personal data and ensure that privacy notices are tailored for these individuals so that they are easy to understand and have been drafted fairly. The way a privacy notice is drafted will need to be appropriate for the intended audience, and how that audience's data is being processed. The intended audience for example may include children/vulnerable individuals and individuals whose first language is not English. Language should be simple and avoid complex terminology, and the style of the notice should be easy to navigate. Organisations should consider using icons or layered privacy notices to help individuals understand how their personal data is being processed.
4. Timing of privacy notices
Organisations should consider adopting different formats in which to provide information to individuals at the appropriate stage of their interaction with that individual for example, displaying a just-in-time notice on screen on the page that an individual inputs personal data into.
Whilst it is not a legal requirement to comply with the Code it is a legal requirement to comply with the obligations set out in the DPA. In evaluating a potential breach of the DPA, the ICO will consult the guidance set out in the Code.
In cases of non-compliance with the DPA, which may include a failure to provide fair processing information to individuals, the ICO can issue an enforcement notice requiring remedial action to be taken by the organisation in question, or impose a civil monetary fine of up to £500,000. The ICO's powers will be even greater under the GDPR.
It is therefore essential for organisations that process personal data to comply with the obligations in the DPA and to consider and follow guidance set out in the Code, particularly in light of the GDPR's more stringent requirements for privacy notices that will come into force in on 25 May 2018.