ICO launch new privacy notices’ code of practice | DMA



The Information Commissioner’s Office has published a new code of practice for privacy notices.

The announcement followed an ICO survey that found that only 1 in 4 people trusted businesses with their personal data. It also found that 75% of people surveyed wanted data protection taught as a subject in school.

These findings echo the DMA’s own ‘consumer attitudes to privacy research’ which revealed societal trends towards people becoming more concerned with how their data is used and feeling that it is primarily businesses benefitting from the data revolution and not people.

The new code of practice reflects the priorities of the new Information Commissioner, Elizabeth Denham, who has placed an emphasis on transparency and accountability during her career and in her first public speech as Information Commissioner.

Talking about the code, Jo Pedder, ICO Head of Policy Delivery, said:

“Transparency is crucial to trust in big data, Internet of Things and development of the digital economy.

“Organisations need to do more to explain to consumers what they’re doing with their information and why. It’s important to remember that reputation can be easily lost when people discover you haven’t been completely honest about how you are using their information.”

A privacy notice in the code is an all-encompassing term used to describe all privacy related information that organisations need to make people aware of when they collect their personal data.

According to the ICO, there is no single way that this information should be displayed. What techniques an organisation uses will depend on the channel, context, product/service or target audience. Therefore, the ICO recommend a blended approach, which means tailoring your privacy notice.

This is commonly known as a layered approach to privacy. To ensure individuals are informed of what their data is being collected for, organisations should use a variety of different means and be creative. This means lengthy terms and conditions, which the lay person does not read, are not enough. Organisations could use videos, illustrations, a privacy dashboard or many other methods.

The full privacy policy should still be available for those individuals who want the greater detail but it should not be the first port of call. Instead, the most important pieces of information should be immediately displayed and then there could be a link to a more detailed privacy notice, and down another level the full privacy policy.

Regarding consent for marketing, the code makes it clear that for post and telephone marketing consent may not be necessary. The DMA asked for this clarification in its consultation response to the ICO.

The new code of conduct states:

“Consent may not be needed to undertake direct marketing by post or phone call (unless the individual is registered with the Telephone Preference Service) if another processing condition can be relied on, but the ICO considers gaining consent to do this to be good practice and the most advisable approach.”

The code directly addresses the General Data Protection Regulation (GDPR) and includes a useful chart (pages 33-34) showing what information the GDPR requires an organisation to give an individual when their personal data is collected.

The DMA is on hand to help with your legal queries regarding the code, so do get in touch if you have any questions. Email legaladvice@dma.org.uk

The DMA is monitoring how organisations prepare for the GDPR. Since the last survey the UK voted to leave the EU, and our regulatory future is less certain.

Take the survey.
