Being transparent and providing accessible information to individuals about how you will use their personal data is a key element of the Data Protection Act 1998 (DPA) and the EU General Data Protection Regulation (GDPR). The most common way to provide this information is in a privacy notice.

In many situations where organisations obtain personal data as part of a simple transaction it should be straightforward to use the key recommendations in this code of practice to develop a clear and effective privacy notice.

However, in other situations it will not be effective to use a single document to inform individuals about what you do with personal data. The code uses the term ‘privacy notice’ to describe all the privacy information that you make available or provide to individuals when you collect information about them. This can encompass all the information you provide using the channels referred to in this code. This is why the ICO believes that it is good practice to develop a blended approach, using a number of techniques to present privacy information to individuals. Not all of these techniques will be useful for your specific requirements but they are all ways of presenting privacy information that we consider to be good practice. You can use the techniques that are recommended in whatever combination is most effective for you in order to present the required privacy information.

These techniques can also allow you to give individuals greater choice and control over how their personal data is used. This is a further element of best practice and demonstrates that you are using personal data fairly and transparently.

It is often argued that people’s expectations about personal data are changing. People are increasingly willing to share information on social media and to allow their data to be collected by mobile apps, and they are also unwilling to read lengthy privacy notices. These factors are sometimes used to support the view that they are relatively unconcerned that their data is being collected and processed. However, there is also evidence that people do have concerns about how organisations handle their data and want to retain some control over its further use. Therefore, it is still of paramount importance for organisations to be transparent about their processing and comply with the legal requirements to provide privacy information.

Moreover, many organisations embrace transparency as a means of building trust and confidence with their consumers and use it as a means of distinguishing themselves from their competitors.

Collect and use personal information fairly and transparently

The first principle of data protection is that personal data must be processed fairly and lawfully. The DPA says that in order for the processing to be fair, the data controller (the organisation in control of processing the data) has to make certain information available to the data subjects (the individuals to whom the data relates), so far as practicable:

  • who the data controller is;
  • the purpose or purposes for which the information will be processed; and
  • any further information which is necessary in the specific circumstances to enable the processing to be fair.

This applies whether the personal data was obtained directly from the data subjects or from other sources.

The GDPR has further requirements about what information should be available to data subjects; they are set out in our section Privacy notices under the EU General Data Protection Regulation.

Being transparent by providing a privacy notice is an important part of fair processing. You can’t be fair if you are not being honest and open about who you are and what you are going to do with the personal data you collect. However, this is only one element of fairness. Providing a privacy notice does not by itself mean that your processing is necessarily fair. You also need to consider the effect of your processing on the individuals concerned.

Therefore the main elements of fairness include:

  • using information in a way that people would reasonably expect. This may involve undertaking research to understand people’s expectations about how their data will be used;
  • thinking about the impact of your processing. Will it have unjustified adverse effects on the individuals concerned?; and
  • being transparent and ensuring that people know how their information will be used. This means providing privacy notices or making them available, using the most appropriate mechanisms. In a digital context this can include all the online platforms used to deliver services.

To cover all these elements you will need to consider the following issues when planning a privacy notice:

  • What information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • What will be the effect of this on the individuals concerned?
  • Is the intended use likely to cause individuals to object or complain?

It is also important to recognise that the ways in which data is collected are changing. Traditionally, data was collected directly from individuals, for example when they filled in a form. Increasingly, organisations use data that has not been consciously provided by individuals in this way. It may be:

  • observed, by tracking people online or by smart devices;
  • derived from combining other data sets; or
  • inferred by using algorithms to analyse a variety of data, such as social media, location data and records of purchases, in order to profile people, for example in terms of their credit risk, state of health or suitability for a job.

In these cases you are acquiring and processing personal data about individuals, and the requirement to be fair and transparent still arises. These new situations can make it more challenging to provide privacy information, and new approaches may be required. A good way to approach these issues is to carry out a privacy impact assessment (PIA). This is a methodology for assessing and mitigating the privacy risks in a project involving personal data.

Give individuals appropriate control and choice

Where you need consent from an individual in order to process their information you need to explain what you are asking them to agree to and why. This will often go hand in hand with providing privacy notices. Therefore the code also includes information about obtaining consent.

It is important to make sure that where people do have a choice, they are given a genuine opportunity to exercise it. This means that consent must be freely given, specific and fully informed. Consent must also be revocable (ie people must be able to withdraw their consent) and you should have procedures in place to action and record a withdrawal when this happens.

You should always be honest with the public and not lead them to believe that they can exercise choice over the collection and use of their personal information when in reality they cannot.

There are some cases in which consent is not relevant, for example if individuals are required by law to provide their personal details. Giving people control and choice over how their personal data will be processed will not always be applicable in other situations, for example in an employer/employee relationship.

In all of these cases it is still important to be fair and transparent. Ensuring you have effective privacy notices can help you to achieve this.

The Code's status

This code has been issued by the Information Commissioner under section 51 of the Data Protection Act 1998. This requires her to promote good practice, including compliance with the DPA's requirements, and empowers her, after consultation, to prepare codes of practice giving guidance on good practice.

The basic legal requirement is to comply with the DPA itself. Organisations may use alternative methods to meet the DPA's requirements, but if they do nothing then they risk breaking the law. The Information Commissioner cannot take action over a failure to adopt good practice or to act on the recommendations set out in this code. However, she can pursue enforcement action where an organisation breaches the requirements of the DPA. Furthermore, when considering whether or not the DPA has been breached the Information Commissioner can have due regard to the advice provided in this document.

This code should be read in conjunction with other ICO guidance and codes of practice.

The Information Commissioner can take enforcement action if she finds an organisation in breach of the requirements in the DPA, including a failure to provide adequate fair processing information. This could include a civil monetary penalty of up to £500,000 or an enforcement notice ordering an organisation to improve its privacy notice or stop the processing if the notice is not improved. Details of recent ICO enforcement action are available in the Action we’ve taken section of our website.