In practice, you may need to do more to engage individuals and build confidence in what you are doing with their personal information in the following scenarios: sharing, selling and big data.
We have also included examples of good and bad practice to help you produce effective privacy information.
If you are sharing personal data with other organisations you should consider whether you need to actively inform the data subjects about this. Data can be shared in many different scenarios, including businesses selling data on a commercial basis or public authorities sharing data to improve the delivery of services.
In order to treat people fairly prior to sharing information, you must carefully consider what any recipient organisation is going to do with it and what the effect on people is likely to be. It is good practice to obtain an assurance about this, for example in the form of a contract or a written data sharing agreement.
Combining information from different sources can create a very detailed picture of an individual’s affairs, for example by combining information from several different social media sites, including images, video and location history. Organisations that intend to combine information acquired from third party sources should explain this, and its likely consequences. This is a clear example of where it is appropriate to actively communicate a privacy notice using a combination of techniques as an individual may not expect this to happen and may find it overly intrusive.
It is good practice to embed links to tools like dashboards within your privacy notice to allow individuals to manage their preferences and to prevent their data being shared where they have a choice. Data sharing is one area in which the use of an icon or symbol within a privacy notice may be helpful. Read more information in the section on icons and symbols and our Data Sharing code of practice.
Some organisations set out to collect personal information with the intention of selling or renting it to third parties. If you intend to do this, you should give people a clear idea of the types of organisations you are supplying their information to and what purposes it will be supplied for and, if these are marketing purposes, gain their consent where necessary. You should tell them this when you ask them to provide their details and give them a simple opportunity to revoke this consent in the future. See the section on Gain and record consent above for more information about a standard approach to seeking and recording consent. There is more guidance on sharing information for marketing in our Direct Marketing guidance.
Privacy notices are very useful when information is being bought, sold or rented. They can help the recipient organisation to check what people were told when they originally provided their information. Depending on what they were told, the recipient organisation may then need to communicate its own privacy notice to the individuals concerned. If there is a difference between what people were told originally and what the recipient organisation intends to do with the information, then individuals must be advised of this within a reasonable period of time. If there is a difference, individuals should be asked whether they agree to their information being used for the new purpose (this is true in all situations, not just when selling information) unless a data controller intends to rely on a different condition for processing the information. Failing to check what ‘permissions’ apply to the data could lead to a breach.
Normally, personal information can only be sold if the individuals concerned have already been told that their information may be passed on to other organisations.
When a business is insolvent, bankrupt, being closed down or sold, its database can be sold on (or, if rented, it should be returned to its owner). However, the seller must make sure that the information will only be used for the same or a similar purpose. If the buyer wants to use the personal information for a new purpose, it will have to get consent for this from the individuals concerned.
Large scale analytics, also known as big data, can raise particular issues in relation to data protection and transparency, where it uses personal data. It typically involves processing large volumes of information, taken from a range of sources, and using algorithms to detect trends and correlations. It can be used to make decisions about an individual. In some cases this type of processing can have a relatively limited impact on individuals but in others it can result in extremely intrusive profiling.
People often have limited awareness that information about them is being gathered and processed in this way. Often they don’t understand how the information is used to make decisions that affect them. In the absence of clear, well-structured and easily accessible privacy notices, it is unlikely that this type of processing would be within their reasonable expectations.
When undertaking large scale analytics you should consider whether you need to use data that identifies individuals, or whether you can work with anonymised data. Anonymisation can be an important tool in big data analytics. See our Anonymisation code of practice for further information.
You should assess the impact of your processing on individuals, and ways to mitigate this, by carrying out a privacy impact assessment. You need to decide how you will comply with the first data protection principle to process personal data fairly and lawfully. This will involve balancing the benefits you expect from the processing against the impact on individuals.
There may be particular issues with privacy notices in a big data context, in that it may be more difficult to foresee at the outset how you will use the data. Nevertheless, you still need to give people a general indication of what you are doing with their data and add detail to the privacy notice as you go on, if necessary.
You must decide whether you need to obtain consent from individuals to this type of processing or if you can rely on one of the other conditions in the law, such as legitimate interests. This will frequently depend on the likely effect on the individual; the greater the impact, the more likely you are to need consent. If you are relying on the legitimate interests condition, you should be able to demonstrate how you have taken account of the impact on individuals’ privacy rights.
Where consent is required you need to contact individuals to obtain it, either using contact information you already hold or using alternative techniques such as just-in-time notices when they log on to use your services. Where consent is not required you still need to make sufficient information available so that people understand how their information is being used.
This type of analytics often involves finding new uses for data. If you obtained information for one purpose but you now intend to use it for another you should make this clear and explain the impact of the new processing. Where you have identified a number of potential uses for the information you should include an explanation of them in the information you provide.
Big data analytics can deliver a wide range of benefits, but it is often opaque to the individuals whose data is being processed, and may produce unexpected consequences for them. If you are using data in this way it is important to build a relationship of trust with people. Being transparent about the processing and finding effective ways to deliver privacy information are both key to that relationship.
Good and bad examples of privacy notices
The practical examples linked here are based on real privacy notices that we have seen. They illustrate good practices to adopt, such as giving people appropriate choices that are easy to exercise, and bad practice to avoid, such as using confusing language. They are illustrative extracts only and are not intended to be used as templates. They cannot cover every type of information you collect but they should help you to produce your privacy notice, whether printed or online. Please note that the formats shown may not meet accessibility requirements.