What is the new code and what does it recommend?
The code rightly states that current privacy notices tend to be “too long, overly legalistic, uninformative and unhelpful” and recommends a blended approach. It encourages the use of different techniques, such as a just-in-time message informing the data subject why their email is needed or a short video explaining how the organisation will use the personal data it collects. The code also explores how best to provide privacy notices on small screens such as smartphones, tablets and other smart devices.
Does it mention consent requirements?
In an area of concern for many organisations, the code briefly looks at consent in relation to third party marketing and proposes best practice standard wording for use when seeking consent for marketing, but offers no equivalent wording for other purposes. Last year, the ICO fined an online pharmacy for failing to provide clear and prominent information to individuals about how their data would be used and who it would be shared with. You can check the decision here. However, there is not a great deal of information about best practice trends and innovations in consent mechanisms, which is a shame.
What about GDPR?
The ICO states that it has developed this code with the European Union General Data Protection Regulation (the “GDPR”) in mind, whilst at the same time not offering definitive guidance on how to ensure future-proof compliance with the GDPR. The recommendations around icons will be useful, for example, but the GDPR also provides for the development of standard clauses and standardised icons, and so many data controllers will still want to hold off updating their privacy policies for the GDPR until more is known about what these will be. That may not happen until well into next year.
Status of the code
The code and checklist have been issued by the ICO under section 51 of the Data Protection Act 1998 (the “DPA”). Section 51 places a duty on the ICO to promote good practice, including compliance with the DPA’s requirements, and empowers it, after consultation, to prepare codes of practice giving guidance on good practice. The ICO cannot take action over a failure to adopt good practice or to act on the recommendations set out in this code. However, it can pursue enforcement action where an organisation breaches the requirements of data protection legislation, and when considering whether or not the DPA has been breached, the ICO can have due regard to the advice provided in the code and checklist. Finally, the code and checklist should be read in conjunction with other ICO guidance and codes of practice.