The Information Commissioner's Office (ICO) has issued a new document on privacy notices following its consultation on the subject. The full document can be found here.
Following data principles on privacy
Rather than being a full-blown copy of the GDPR, this guidance relates to a small part of the Regulation and will, no doubt, be followed by further guidance relating to other sections of the Regulation.
Going further than the current Data Protection Act, the ICO points out that the all-embracing feature of a privacy notice is the data controller being transparent about what it does. The document points out that merely issuing a privacy notice does not in itself mean that you are processing data fairly; it is what you do with that data that matters. It goes on to show that your customers could reasonably expect the following information from you and your company:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
They also point out that the way data is captured is different from a few years ago, when data was primarily collected directly from individuals by way of a form, either web-based or paper-based. Now data can also be collected by observation (tracking people online or through smart devices), derived (by combining it with other data sets) or inferred (using algorithms to analyse other data such as social media activity, location and so on). This was at the heart of what a large insurance company was recently proposing to do through Facebook.
Privacy Impact Assessments and Account Dashboards
The document goes on to discuss Privacy Impact Assessments, an issue first brought up by the previous Information Commissioner in February 2014, and includes a suggested Account Dashboard for companies with complicated privacy notice requirements. The concept is that data subjects will be able to see at a glance who can see their data, identify what is being done with it and restrict what processing can take place.
Communicating privacy information
The commissioner points out that privacy notices can be provided through a variety of media:
- Orally – face to face or when you speak to someone on the telephone (it's a good idea to document
- In writing – printed media; printed adverts; forms, such as financial applications or job application
- Through signage – for example an information poster in a public area.
- Electronically – in text messages; on websites; in emails; in mobile apps.
It is good practice to use the same medium you use to collect personal information to deliver privacy notices. So, if you are collecting information through an online form you should provide a just-in-time notice as the individual fills out the form. It would not be good practice to collect information through the form and then email the individual with a separate link to a privacy notice.