A blended approach with GDPR in mind: ICO’s Privacy Policy Code of Practice and Checklist

Diego Gonzalez-Crespo

What is the new code and what does it recommend?

The Information Commissioner’s Office (ICO) published a new code of practice on privacy notices on 7 October 2016, following its consultation in February of this year. It provides guidance to organisations on how to make privacy notices more engaging and effective for individuals, while emphasising the importance of giving people greater choice and control over what is done with their data. The ICO has also published a useful checklist of the information that needs to be included in a privacy policy. You can check the ICO’s privacy notice checklist here.

The code rightly states that current privacy notices tend to be “too long, overly legalistic, uninformative and unhelpful” and recommends a blended approach. It encourages the use of different techniques, such as a just-in-time message informing the data subject why their email is needed or a short video explaining how the organisation will use the personal data it collects. The code also explores how best to provide privacy notices on small screens such as smartphones, tablets and other smart devices.

The code proposes a layered pictographic model with a set of icons that need to be included in the privacy policy. The concept of a layered approach is not a new one for the ICO, which has recommended it in the past. A “layered notice” usually consists of a short notice containing the key information, such as the identity of the organisation and the way in which the personal information will be used. The short notice may contain links that expand each section to its full version, or a single link to a second, longer notice that provides more detailed information. That longer notice can, in turn, contain links to further material explaining specific issues, such as the circumstances in which information may be disclosed to enforcement authorities.

The code also recommends “just-in-time notices” as a tool that an organisation can use to provide relevant and focused privacy information. Just-in-time notices work by appearing on the individual’s screen at the point where they input personal data, providing a brief message explaining how the information they are about to provide will be used. The ICO checklist suggests companies should test and review their privacy policy with users before rolling it out, and afterwards keep the policy under constant review, taking account of complaints and producing updates as necessary.

Does it mention consent requirements?

In an area of concern for many organisations, the code briefly looks at consent in relation to third-party marketing and proposes best practice standard wording to use when seeking consent for marketing, but not otherwise. Last year, the ICO fined an online pharmacy for failing to provide clear and prominent information to individuals about how their data would be used and with whom it would be shared. You can check the decision here. However, there is not a great deal of information about best practice trends in consent mechanisms and innovations, which is a shame.

What about GDPR?

The ICO states that it has developed this code with the European Union General Data Protection Regulation (the “GDPR”) in mind, while at the same time not offering definitive guidance on how to ensure future-proof compliance with the GDPR. The recommendations around icons will be useful, for example, but the GDPR also references the development of standard clauses and standard icons, and so many data controllers will still want to hold off updating their privacy policies for the GDPR until we have more information about what these will be. That may not happen until well into next year.

Status of the code

The code and checklist have been issued by the ICO under section 51 of the Data Protection Act 1998 (the “DPA”). Section 51 places a duty on the ICO to promote good practice, including compliance with the DPA’s requirements, and empowers it, after consultation, to prepare codes of practice giving guidance on good practice. The ICO cannot take action over a failure to adopt good practice or to act on the recommendations set out in this code. However, it can pursue enforcement action where an organisation breaches the requirements of data protection legislation. Furthermore, when considering whether or not the DPA has been breached, the ICO can have due regard to the advice provided in the code and checklist. Finally, the code and checklist should be read in conjunction with other ICO guidance and codes of practice.
