As reported on Datonomy this morning, the ICO has now issued the final version of its Code of Practice on Privacy Notices following its public consultation earlier in the year (first reported on Datonomy by Elle). The purpose of the Code is stated to be “to see an end to the confusing privacy notices that are written to protect organisations rather than to inform the public”, and to “end the reputation of privacy notices being impenetrable”. Businesses are encouraged to use the Code to produce new privacy notices or amend existing ones (or, alternatively, to use as a checklist to reflect happily on a job well done).
Overall, it is a sensible and useful document, which makes helpful suggestions rather than being too prescriptive. What is interesting is how the final Code differs from the draft version published as part of the public consultation. Although most of the original draft remains intact, the changes raise some intriguing questions.
One such question is whether the ICO has softened its view on the use of a combination of opt-ins and opt-outs in data collection notices. It has replaced its initial statement of “don’t provide a confusing mixture of opt-ins and opt-outs” with “it’s acceptable to use both opt-ins and opt-outs”, as long as they aren’t “used in a way that will confuse people”. This difference might be dismissed as semantics, but it does appear to give a little more leeway to businesses collecting data for marketing purposes.
Another question is what the ICO thinks of the use of automatic number plate recognition technology (which is used by the police to collect and store details of millions of car journeys a day). In the draft Code which was the subject of the consultation, the Information Commissioner sent out a strong message by including “reading a car’s number plate automatically and recording that its driver is in charge of an untaxed vehicle” as an example of where some kind of privacy notice would be appropriate. Mysteriously, this example has disappeared from the final version. The Information Commissioner seems to have been persuaded to take a different view on the issue. Look out for a future Datonomy post on this.
The ICO has also withdrawn its attempts to clarify its interpretation of the law in a couple of areas. For example, in the consultation version of the Code, the ICO stated that “‘Processing’ has a very wide meaning that covers virtually anything you do with personal information”. In the final version, however, this statement is deleted and we are left with s1(1) of the DPA. Similarly, the draft Code stated that one of the two elements of “fairness” is using information in a way that people would reasonably expect and “that doesn’t have unjustified adverse effects on them”. In the final version, this wording is changed to “in a way that is fair”. So the ICO is saying that it is fair to use information in a way that is fair. Impeccable logic, but not especially useful.
Last but not least is the addition of a new paragraph in the final Code stating that “Combining information from different sources can create a very detailed picture of an individual’s affairs. The individual may not expect this and may find it overly intrusive. Organisations that intend to combine information should explain this, and its likely consequences, in their privacy notices”. Data matching should be a topic high on the new Commissioner’s agenda.