Earlier this month the Information Commissioner’s Office (ICO) published its revised Privacy Notices Code of Practice.
Under the Data Protection Act 1998 (DPA), a Data Controller should issue a privacy notice to Data Subjects whenever personal data is gathered from them. This should be done at the point of collection or as soon as reasonably practicable after that. The notice should (at the very least) include:
The identity of the Data Controller
The purpose, or purposes, for which the information will be processed
Any further information necessary, in the specific circumstances, to enable the processing in respect of the individual to be ‘fair’ (in accordance with the 1st DP Principle).
The ICO says that organisations need to do more to explain to service users what they are doing with personal personal data and why. The code includes examples of compliant notices as well as suggested formats for online notices, in apps and even a sample video privacy notice.
As we know the General Data Protection Regulation (GDPR) will be in force in May 2018 (and still relevant despite the Brexit vote). The GDPR specifies further detail to be included in privacy notices. It also requires notices to be issued even where personal data is received from a third party. The code briefly explains these new requirements including a useful table. The ICO says that by following the good practice recommendations in the code, organisations will be well placed to comply with the GDPR regime. Read Scott’s blog post on the new requirements here.
This code has been issued under section 51 of the DPA. The basic legal requirement is to comply with the DPA itself. Organisations may use alternative methods to meet the DPA’s requirements, but if they do nothing then they risk breaking the law. When considering whether or not the DPA has been breached the Information Commissioner can have due regard to the code.
The code includes a helpful checklist, covering key points and tips on how to write a notice.
Privacy Notices need to be regularly reviewed and updated to reflect any changes. The ICO is considering other practical ways of supporting organisations in achieving greater transparency such as the feasibility of a privacy notice generator!
Want to know more about privacy notices under GDPR? Attend our full day GDPR workshop.
GDPR Practitioner Certificate (GDPR.Cert) – A 4 day certificated course aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector.