
New ICO Code on Privacy Notices Transparency and Control

Published on 13 December 2016

The Information Commissioner’s Office (ICO) has recently issued a new Code of Practice on Privacy Notices, Transparency and Control (the Code).

The Code sets out how organisations should use privacy notices to explain how individuals’ personal information will be used. The ICO has developed the Code with both the Data Protection Act 1998 (DPA) and the General Data Protection Regulation 2016/679 (GDPR) in mind.

The Code recommends a more blended and innovative approach to privacy notices and suggests a variety of techniques such as embedding appropriate explanations at each stage of data collection, pop-up notifications and the use of symbols and explanatory videos. Such techniques are intended to provide individuals with greater choice and control over how their personal data is used which, in turn, helps to achieve the principles of fairness and transparency set out in the DPA and the GDPR. The ICO cannot take enforcement action for non-compliance with the Code and organisations may use alternative methods to meet the legislative requirements. The ICO can, however, consider the Code’s guidance when considering enforcement action for breaches of the DPA.

Privacy notices and layered approach in communication

The Code places emphasis on providing privacy notices in a clear, transparent and meaningful way. The first step when creating a privacy notice is to consider the following:

• who is the organisation collecting the information?
• what is the organisation going to do with the information?
• who will the information be shared with?

This key information should be immediately visible. Furthermore, a link should be provided to a more detailed notice, as well as a full privacy policy. Some examples of this layered approach to presenting information involve utilising:

• preference management tools
• icons and symbols
• privacy notices on mobile devices and smaller screens, and
• just-in-time/video notices.

There is no single way to display privacy notices. According to the ICO, the techniques an organisation should use depend on the channel, context, product and/or target audience. The key is ensuring that individuals do not miss important information while browsing.

Preference management tools

The Code suggests that linking privacy notices to tools like dashboards enables individuals to manage their preferences and to have some control over how their information is used. These tools are particularly helpful if the data is processed across a number of applications or services. The Code helpfully provides screenshot examples of such dashboards. Ultimately, the aim is to build trust and confidence with the user in promoting control and awareness about how their information will be handled, and should make it easier for individuals to access copies of their personal information.

Icons and symbols

Icons and symbols can be used to indicate that a particular type of data processing is taking place. They are good reminders that data processing is taking place generally, especially if the process is intermittent. This can be particularly useful for IoT devices where data is being captured by observation, rather than being provided directly. The ICO will not be prescriptive about the design of these symbols and recognises that they need to be able to reflect the look and feel of a brand/industry sector.

Privacy notices on mobile devices/smaller screens

The text on these devices should be as clear and readable as the information individuals would see on a computer screen. Due to display space constraints, a layered approach is again encouraged. A useful tool is responsive web design, which allows a website to adapt the information shown on screen to the optimal layout for the type of device it is being viewed on.

Just-in-time and video notices

This approach is particularly suitable for smaller devices so that individuals do not have to “zoom in” to read the information. Voice alerts on a smart phone or on-screen notifications are useful functions to provide information, essentially like a “just-in-time” notice. However, these should be short and to the point, so that there are no issues with data usage if wi-fi is not available.

Consent requirements

The Code looks at ways to obtain individuals’ consent to the use of their personal information. Good practice includes prominently placing opt-in boxes in privacy notices and, for online products and services, using “just-in-time” notices to provide relevant and focused privacy information at the right time. It also considers third party marketing, suggesting that best practice is for individuals to be able to choose whether or not their personal data is disclosed to another organisation. The Code includes helpful scenarios to illustrate complex situations in which individuals may not have a clear understanding of all the parties involved, or of how and for what purpose their information is shared.

Privacy notices for vulnerable individuals

The Code draws attention to vulnerable individuals, such as children, in making sure that those individuals are treated fairly. In particular, organisations should try to work out whether the individuals they are collecting the information from would understand the consequences of providing it. If in doubt, organisations should ask the individual’s parent, guardian or carer to provide the information.

Any practical tips?

Consent is key, both to earning the trust of your customers and to ensuring compliance once the new GDPR applies in May 2018. The Code takes a fresh, practical look at how best to obtain consent in an increasingly digital and mobile world, noting that an avalanche of IoT devices is just around the corner. Consider using the Code to start a dialogue with your tech and marketing teams, in particular by running through the simple checklist which the ICO has helpfully included.