ICO code of practice on privacy notices – are you confident you are complying?

October 25, 2016


Earlier this month, the Information Commissioner’s Office (the “ICO”) published a code of practice on communicating privacy information to individuals (the “Code”).

What does the Code say?

The Code accepts that when personal data are obtained as part of a simple transaction, a clear and effective “single document” privacy notice would be sufficient to comply with the Data Protection Act 1998 (the “DPA”). However, the Code firmly buries the notion that a privacy policy is simply a tick-box exercise. Just because you have one does not necessarily mean you comply, nor does it mean that you have developed a meaningful and effective privacy notice that accurately reflects your data processing activities.

The UK regulator for data protection emphasises the need to “develop a blended approach, using a number of techniques to present privacy information to individuals”. In fact, the Code makes it clear that the term “privacy notice” is used to describe all the privacy information an organisation makes available to individuals when collecting information about them. Some of the techniques suggested include:

  • “Just-in-time” notices – where relevant privacy information appears at the point in time at which personal data are collected (e.g. a smartphone’s map application asking permission to process information on your location).
  • Privacy dashboards – which can be included within your privacy notice to allow individuals to manage their privacy preferences (e.g. social media sites often have this feature where you can pick and choose who to share information with).
  • Layered approach – where only key privacy information is provided immediately, with links that expand each section to its full version or redirect to another page with further detail.
  • Icons and symbols – these can be used (as part of a layered approach) to indicate that a particular type of data processing is taking place (e.g. a “shopping bag” symbol appearing when entering your email address to represent that your information could be used for marketing purposes).

In short, the message is clear – organisations should take advantage of all the technologies available when providing privacy notices.

Why should organisations take this Code seriously?

Although the Code highlights the “competitive advantage” that organisations would gain by embracing transparency through privacy notices, there is a more serious and perhaps subtle undertone to the Code with respect to ICO enforcement action.

The Code makes it clear that the basic requirement is for organisations to comply with the DPA itself and that the Information Commissioner cannot take action over a failure to adopt good practice or to act on the recommendations set out in the Code. She can, however, pursue enforcement action where an organisation breaches the requirements of the DPA, and when considering whether or not the DPA has been breached, the Information Commissioner can have due regard to the advice provided in the Code.

As such, by publishing the Code, the ICO has effectively put organisations on notice of this, especially those organisations with limited insight into their data processing activities and which are unable to clearly and effectively communicate their privacy notices using a blend of appropriate techniques.

What challenges are clients facing?

One of the common challenges we are seeing clients face is the limited visibility they have over their information lifecycle management. This is particularly the case with multinational organisations that have interconnected systems which process personal data for various purposes.

Not knowing what personal data you process, where it comes from and where it goes (especially in the context of a complex organisation) inevitably means that the privacy notice you provide to your data subjects will not reflect the reality of your data processing activities. This in turn increases the risk of data subject complaints, regulator investigation and associated penalties.

Are you ready for the GDPR?

The General Data Protection Regulation (“GDPR”), together with recent case law, has equipped citizens with increased data protection rights. In the context of this regulatory landscape and the newly issued Code, getting your privacy notices right is more important than ever.

At PwC, we are working with many clients who are getting ready for the GDPR using our market-leading privacy transformation methodology. One of the work streams that has flowed from our methodology is data mapping, i.e. helping clients understand how information flows through their organisation and how it is processed. These activities can better inform organisations and feed into the development of meaningful and effective privacy notices.

Please contact me or a member of my team for more information.

Tughan Thuraisingam  | Solicitor – Cyber Security and Data Protection | PwC - UK
+44 (0)20 7804 3770