Being transparent and providing accessible information to individuals about how you will use their personal data is a key element of the Data Protection Act 1998 (DPA) and the EU General Data Protection Regulation (GDPR). The most common way to provide this information is in a privacy notice.
In many situations where organisations obtain personal data as part of a simple transaction it should be straightforward to use the key recommendations in this code of practice to develop a clear and effective privacy notice.
However, in other situations it will not be effective to use a single document to inform individuals about what you do with personal data. The code uses the term ‘privacy notice’ to describe all the privacy information that you make available or provide to individuals when you collect information about them. This can encompass all the information you provide using the channels referred to in this code. This is why the ICO believes that it is good practice to develop a blended approach, using a number of techniques to present privacy information to individuals. Not all of these techniques will be useful for your specific requirements but they are all ways of presenting privacy information that we consider to be good practice. You can use the techniques that are recommended in whatever combination is most effective for you in order to present the required privacy information.
These techniques can also allow you to give individuals greater choice and control over how their personal data is used. This is a further element of best practice and demonstrates that you are using personal data fairly and transparently.
It is often argued that people’s expectations about personal data are changing. People are increasingly willing to share information on social media and to allow their data to be collected by mobile apps, and they are also unwilling to read lengthy privacy notices. These factors are sometimes used to support the view that they are relatively unconcerned that their data is being collected and processed. However, there is also evidence that people do have concerns about how organisations handle their data and want to retain some control over its further use. Therefore, it is still of paramount importance for organisations to be transparent about their processing and comply with the legal requirements to provide privacy information.
Moreover, many organisations embrace transparency as a means of building trust and confidence with their consumers and use it as a means of distinguishing themselves from their competitors.
Collect and use personal information fairly and transparently
The first principle of data protection is that personal data must be processed fairly and lawfully. The DPA says that in order for the processing to be fair, the data controller (the organisation in control of processing the data) has to make certain information available to the data subjects (the individuals whom the data relates to), so far as practicable:
- who the data controller is;
- the purpose or purposes for which the information will be processed; and
- any further information which is necessary in the specific circumstances to enable the processing to be fair.
This applies whether the personal data was obtained directly from the data subjects or from other sources.
The GDPR has further requirements about what information should be available to data subjects; they are set out in our section Privacy notices under the EU General Data Protection Regulation.
Being transparent by providing a privacy notice is an important part of fair processing. You can’t be fair if you are not being honest and open about who you are and what you are going to do with the personal data you collect. However, this is only one element of fairness. Providing a privacy notice does not by itself mean that your processing is necessarily fair. You also need to consider the effect of your processing on the individuals concerned.
Therefore the main elements of fairness include:
- using information in a way that people would reasonably expect. This may involve undertaking research to understand people’s expectations about how their data will be used;
- thinking about the impact of your processing. Will it have unjustified adverse effects on them? and;
- being transparent and ensuring that people know how their information will be used. This means providing privacy notices or making them available, using the most appropriate mechanisms. In a digital context this can include all the online platforms used to deliver services.
To cover all these elements you will need to consider the following issues when planning a privacy notice:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
It is also important to recognise that the ways in which data is collected are changing. Traditionally, data was collected directly from individuals, for example when they filled in a form. Increasingly, organisations use data that has not been consciously provided by individuals in this way. It may be:
- observed, by tracking people online or by smart devices;
- derived from combining other data sets; or
- inferred by using algorithms to analyse a variety of data, such as social media, location data and records of purchases in order to profile people for example in terms of their credit risk, state of health or suitability for a job.
In these cases you are acquiring and processing personal data about individuals, and the requirement to be fair and transparent still arises. These new situations can make it more challenging to provide privacy information, and new approaches may be required. A good way to approach these issues is to carry out a privacy impact assessment (PIA). This is a methodology for assessing and mitigating the privacy risks in a project involving personal data.