Information Commissioner’s Office issues new code of practice for privacy notices
Organisations with an online presence should be aware of the new code of practice issued by the ICO, which is the UK’s data protection watchdog. Organisations should embrace the new code as an opportunity to review the way they are engaging with their digital visitors, in particular taking account of the shift towards online visitors using mobile devices.
The code of practice is intended to provide an overview of the key principles that organisations should consider when developing privacy notices. It’s been updated in part to reflect the changes and advancements in the digital world. Before now, the code of practice had not been updated for several years.
Privacy notices are often overlooked as they can appear too long and overly legalistic. The ICO has recommended a ‘blended approach’ to the way that organisations engage with individuals. This could include ‘just in time’ or ‘pop-up’ messages, using videos to explain privacy notices to a wider audience, or adapting privacy notices to be more accessible and readable on smartphones and tablets.
What do organisations need to do?
Organisations will have to ensure greater transparency when dealing with individuals in terms of how they process their data. Privacy notices should provide more detail about the rights of individuals in relation to the processing of their data and, in particular, information on any data transfers to third parties. Whilst there is a need to ensure that individuals are given sufficient information, privacy notices must also be developed to ensure that they are concise, in plain English, and in an easily accessible form.
Organisations will also need to obtain “unambiguous consent” to process personal data for certain purposes, for example to contact individuals or for marketing purposes. Individuals may consent to their information being used for one purpose but not another, so a privacy notice should not force an individual to agree to several types of processing simply because it only offers a single option to accept or refuse all of them.
The new code is out for consultation until March 2016 and further changes may be made before the final version is published.
What if an organisation does not comply?
The ICO currently has the power to impose a penalty of up to £500,000, and it has issued a total of around £1m in penalties since April 2015. It has been suggested that the maximum fine for non-compliance could be increased to 4% of an organisation’s annual worldwide turnover, making it very important that data controllers comply with all relevant data protection legislation.
If you need any more information please contact Martin Noble.