New ICO Code on Privacy Notices Transparency and Control
The Information Commissioner’s Office (ICO) has recently issued a new Code of Practice on Privacy Notices, Transparency and Control (the Code).
The Code sets out how organisations should use privacy notices to explain how individuals’ personal information will be used. The ICO has developed the Code with both the Data Protection Act 1998 (DPA) and the General Data Protection Regulation 2016/679 (GDPR) in mind.
The Code recommends a more blended and innovative approach to privacy notices and suggests a variety of techniques such as embedding appropriate explanations at each stage of data collection, pop-up notifications and the use of symbols and explanatory videos. Such techniques are intended to provide individuals with greater choice and control over how their personal data is used which, in turn, helps to achieve the principles of fairness and transparency set out in the DPA and the GDPR. The ICO cannot take enforcement action for non-compliance with the Code and organisations may use alternative methods to meet the legislative requirements. The ICO can, however, consider the Code’s guidance when considering enforcement action for breaches of the DPA.
Privacy notices and layered approach in communication
The Code places emphasis on providing privacy notices in a clear, transparent and meaningful way. The first step when creating a privacy notice is to consider the following:
• who is the organisation collecting the information?
• what is the organisation going to do with the information?
• who will the information be shared with?
• preference management tools
• icons and symbols
• privacy notices on mobile device and smaller screen, and
• just-in-time/video notices.
The Code suggests that linking privacy notices to tools like dashboards enables individuals to manage their preferences and to have some control over how their information is used. These tools are particularly helpful if the data is processed across a number of applications or services. The Code helpfully provides screenshot examples of such dashboards. Ultimately, the aim is to build trust and confidence with the user in promoting control and awareness about how their information will be handled, and should make it easier for individuals to access copies of their personal information.
Icons and symbols
Icons and symbols can be used to indicate that a particular type of data processing is taking place. They are good reminders that data processing is taking place generally, especially if the process is intermittent. This can be particularly useful for IoT devices where data is being captured by observation, rather than being provided directly. The ICO will not be prescriptive about the design of these symbols and recognises that they need to be able to reflect the look and feel of a brand/industry sector.
Just-in-time and video notices
Any practical tips?