ICO Launches New Code of Practice on Privacy Notices
Following a three-month public consultation, the Information Commissioner’s Office (ICO) is today launching a new Code of Practice on privacy notices, aimed at helping organisations that collect and use individuals’ personal information to produce more user-friendly privacy notices. The launch of the new Code follows an ICO statement in February 2009 that 71% of the people it had surveyed did not properly read or understand privacy policies, and that 62% of respondents would prefer a more straightforward explanation of how organisations would use their personal data.
Fair processing
The Data Protection Act 1998 (DPA) requires organisations to process personal data (information from which a living individual may be identified) fairly; ‘processing’ includes obtaining, using and sharing personal data. To process personal data fairly, organisations must make certain information available to individuals when their personal data is collected. Often referred to as ‘fair processing information’, this is typically contained in an organisation’s privacy notice or privacy policy: an oral or written statement setting out the identity of the organisation collecting the personal data, the purpose of collection and how the data will be used.
Commenting in February 2009, the Information Commissioner concluded that ‘too many privacy notices are written to protect organisations rather than to inform consumers’, criticising organisations for making their privacy policies too legalistic and for not being more transparent about how individuals’ personal data is collected and used.
Privacy notice best practice
The new Code of Practice sets out best practice guidance on what a privacy notice should contain, providing illustrative examples using extracts of real privacy notices seen by the ICO. It advocates the use of straightforward, truthful language presented in a simple and readable format; explaining the less obvious ways in which individuals’ personal data will be used; providing clear opportunities for individuals to opt in to or out of marketing; and setting out individuals’ rights in relation to their data.
In response to consultation feedback that the draft Code of Practice was too focused on larger organisations and lacked examples of personal data being collected by telephone, by text and in person, the ICO has provided further good practice guidance on its website. This includes two short films, one based on a call centre scenario and the other on a face-to-face scenario, both presenting examples of good and bad practice when providing individuals with privacy notice information. The ICO website also features examples of good and bad practice relating to text-based communications. To provide advice more tailored to small businesses, the ICO has also published a small business checklist leaflet to help small businesses decide whether they need to provide a privacy notice, with tips on how to structure one.
Is this the end of the small print?
The launch of the new Code of Practice has been praised by consumer rights campaigners as a positive step towards encouraging organisations to simplify their privacy notices and better inform consumers about how their personal data will be used, enabling consumers to make more informed choices. It remains to be seen what impact the Code and its related guidance will have and whether it will achieve its aims. What is clear, however, is that by issuing a Code of Practice rather than general guidance, the ICO is sending a strong message to organisations to review and, where necessary, revise their existing privacy notices. Whilst the new Code of Practice is not itself legally enforceable, the ICO will take it into account when dealing with complaints that an organisation has breached the DPA.
The ICO’s guidance on privacy notices, including the Code of Practice, is available on the ICO website.