The ICO has published a paper setting out its findings on the public's data protection concerns and what the public want from data protection authorities (DPAs). The paper is based on pan-European research (including within the UK), the ICO's own experience and ICO-commissioned focus groups made up of members of the public within the UK.
The findings in respect of what the public want in relation to their personal data can be summarised as follows:
- Control over personal data: Consent and choices should be clearer, with default options always allowing the public to protect use of their data. Query whether DPAs can do more to share and explain good practice in relation to control.
- Transparency over what organisations will do with personal data: The public in general let their immediate interests (accessing services etc) override general concerns about how their data is used. Query whether DPAs should be scrutinising privacy notices for unfair terms.
- To understand the purposes of data sharing: The public only approve of data sharing if there is a personal or public benefit. Query whether DPAs can assess the public interest in data sharing.
- Security of their personal data: The public assume that the public sector is more security-conscious than private organisations. Only 63% of the organisations surveyed by the ICO within the UK in 2013 were aware of the obligation to keep personal data secure. Query how to enforce security and ensure that individuals are notified if data is lost or stolen.
- To understand their rights of access, deletion and portability of data: DPAs need to ensure the public and organisations are educated about access rights, the right to have information deleted and portability of information. Query whether DPAs encourage more powerful, faster and cheaper rights of access without having to make multiple requests when their information is shared amongst several organisations.
The findings in respect of what the public want in relation to DPAs can be summarised as follows:
- Independence: There are concerns, for example, that political bodies governing DPAs may influence them and that they may not take as stringent action against other public bodies.
- Consistency: The new EU Regulation on Data Protection (to harmonise and improve data protection across the EU and likely to come into force in the UK by the end of 2017/beginning of 2018) should assist with consistency across the EU, but there will likely remain areas of variation.
- Visibility: DPAs should work hard to be visible to the public so that they know where to go with queries about their access rights.
- Privacy certification, seals and trust marks: There is support for the use of a data protection trust mark as provided by the new Regulation. In the UK, the ICO is developing plans to introduce a consumer-facing privacy seal, demonstrating good privacy practice and high data protection compliance standards. Query whether this should be EU-wide.
- Responsive to new technologies: DPAs may not have the resources to keep up with technological developments; query greater co-operation and knowledge sharing between DPAs.
- Enforcement: There is no clear consensus as to specific sanctions, but it is important that appropriate remedies are used effectively.
The data protection reform launched by the Commission in 2012 and supported by both the European Parliament and Council seeks to enable the public to better control their personal data, a key theme flowing out of the ICO’s paper.
Although the paper ostensibly seeks to present considerations for DPAs only, organisations should also note the unsurprising emphasis on fair and transparent data protection from the individual’s point of view. This goes beyond mere compliance with the letter of the law and is reflected, for example, in the ICO’s plans to introduce a privacy seal for those organisations that demonstrate particularly good privacy practice and high compliance standards.
The Commission, Parliament and Council are hoping to agree a new Data Protection Regulation by the end of this year. The fact that the research informing the ICO’s paper is drawn from Europe as a whole means that views such as these are likely to be in the minds of the legislators drawing up the Regulation, which, once issued, will take direct effect in the UK without amendment two years later. Organisations may therefore consider the ICO’s paper as an indicator of the types of concerns which could be addressed in future legislation.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at August 2015. Specific advice should be sought for specific cases.