The starting point of a privacy notice should be to tell people:
- who you are;
- what you are going to do with their information; and
- who it will be shared with.
These are the basics upon which all privacy notices should be built. However, they can also tell people more than this and should do so where you think that not telling people will make your processing of that information unfair. This could be the case if an individual is unlikely to know that you use their information for a particular purpose or where the personal data has been collected by observation or inference from an individual’s behaviour.
Map your information processing
To help you decide what you need to include you should map out how your information flows through your organisation and how you process it, recognising that you might be doing several types of processing. You should work out:
- what information you hold that constitutes personal data;
- what you do with the personal data you process;
- what you actually need to carry out these processes - a privacy impact assessment can help you to answer this question;
- whether you are collecting the information you need;
- whether you are creating derived or inferred data about people, for example by profiling them; and
- whether you will be likely to do other things with it in the future – this can be particularly important if you are undertaking large scale analysis of data, as in big data analytics.
When explained in sufficiently broad terms a privacy notice can allow for development in the way you use personal data, whilst still providing individuals with enough detail for them to understand what you will do with their information. However, you should not draw up a long list of possible future uses if, in reality, you do not intend to process personal data for those purposes.
Gain and record consent
You need to consider how you will gain and record individuals’ consent, if required. There is a fundamental difference between telling a person how you’re going to use their personal information and getting their consent. Although in many cases it is enough to be transparent, and rely on a lawful basis other than consent, in others a positive indication of an individual’s agreement will be needed.
When relying on consent, your method of obtaining it should:
- be displayed clearly and prominently;
- ask individuals to positively opt-in, in line with good practice; and
- give them sufficient information to make a choice. If your consent mechanism consists solely of an “I agree” box with no supporting information then users are unlikely to be fully informed and the consent cannot be considered valid.
In addition if you are processing information for a range of purposes you should:
- explain the different ways you will use their information; and
- provide a clear and simple way for them to indicate they agree to different types of processing. In other words, people should not be forced to agree to several types of processing simply because your privacy notice only includes an option to agree or disagree to all. People may wish to consent to their information being used for one purpose but not another.
Good practice would be to list the different purposes with separate unticked opt-in boxes for each or Yes/No buttons of equal size and prominence. Opt-in boxes can be prominently placed in your privacy notice. Alternatively, with online products and services you may wish to use ‘just-in-time’ notices so that relevant information appears at an appropriate time; see the section on just-in-time notices for more detail.
You should also consider how you can obtain consent following any changes to your privacy notice, and how individuals can revoke this consent if they do not agree with these changes.
If you are asking people to consent to receive direct marketing, then, in addition to the DPA requirements, specific rules apply to this under the Privacy and Electronic Communications Regulations (PECR).
If you want individuals to consent to direct marketing, you should have a separate unticked opt-in box for this, prominently displayed. Consent may not be needed to undertake direct marketing by post or phone call (unless the individual is registered with the Telephone Preference Service) if another processing condition can be relied on, but the ICO considers gaining consent to do this to be good practice and the most advisable approach.
The box below contains standard wording that we’ve tested with members of the public and which, in our view, constitutes good practice when seeking consent for direct marketing.
Here at [organisation name] we take your privacy seriously and will only use your personal information to administer your account and to provide the products and services you have requested from us.
However, from time to time we would like to contact you with details of other [specify products]/ [offers]/[services]/[competitions] we provide. If you consent to us contacting you for this purpose please tick to say how you would like us to contact you:
Post ☐ Email ☐ Telephone ☐
Text message ☐ Automated call ☐
We would also like to pass your details onto other [name of company/companies who you will pass information to]/[well defined category of companies], so that they can contact you by post with details of [specify products]/ [offers]/[services]/[competitions] that they provide. If you consent to us passing on your details for that purpose please tick to confirm:
I agree ☐
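The consent mechanism described above (separate unticked boxes per purpose, a record of what was agreed, revocation that is as easy as the original opt-in, and re-consent after the notice changes) and the per-channel direct marketing wording in the box both come down to how consent is recorded. The following is an added example, not part of the ICO guidance: a small append-only consent ledger in Python. The purpose and channel names, the notice version identifiers, the subject ID and the timestamps are all assumptions constructed for the example.

```python
"""Append-only consent ledger: separate opt-in per purpose and per channel,
revocation as a single call, and re-consent after a material notice change.

The purpose and channel names are assumptions made for this example, and the
notice versions, subject ID and timestamps are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Purposes that rely on consent as the lawful basis (assumed names).
MARKETING_OWN = "direct_marketing_own_products"
MARKETING_PARTNERS = "share_with_partners_for_marketing"
CHANNELS = {"post", "email", "telephone", "text", "automated_call"}


@dataclass(frozen=True)
class NoticeVersion:
    version: str
    published: datetime
    material_change: bool  # consent given under earlier versions must be re-obtained


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str
    channel: Optional[str]  # None: the purpose as a whole (e.g. partner sharing)
    granted: bool           # True = positive opt-in, False = withdrawal
    notice_version: str     # the notice wording the individual actually saw
    recorded_at: datetime
    source: str             # where the action came from, e.g. "signup_form"


class ConsentLedger:
    def __init__(self, first_version: NoticeVersion):
        self._versions = [first_version]
        self._events: list[ConsentEvent] = []  # appended to, never edited in place

    def publish(self, version: NoticeVersion) -> None:
        if version.published <= self._versions[-1].published:
            raise ValueError("notice versions must be published in order")
        self._versions.append(version)

    def record(self, subject_id, purpose, granted, notice_version, source,
               channel=None, at=None) -> ConsentEvent:
        if channel is not None and channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        if notice_version not in {v.version for v in self._versions}:
            raise ValueError(f"unknown notice version {notice_version!r}")
        ev = ConsentEvent(subject_id, purpose, channel, granted, notice_version,
                          at or datetime.now(timezone.utc), source)
        self._events.append(ev)
        return ev

    def revoke(self, subject_id, purpose, notice_version, source,
               channel=None, at=None) -> ConsentEvent:
        # One call withdraws, mirroring the one tick that granted. With no
        # channel given, the withdrawal covers every channel for the purpose.
        return self.record(subject_id, purpose, False, notice_version, source, channel, at)

    def history(self, subject_id) -> list[ConsentEvent]:
        # Evidence trail for a dashboard view or a subject access request.
        return [e for e in self._events if e.subject_id == subject_id]

    def _latest(self, subject_id, purpose, channel) -> Optional[ConsentEvent]:
        for ev in reversed(self._events):
            if (ev.subject_id, ev.purpose, ev.channel) == (subject_id, purpose, channel):
                return ev
        return None

    def _active_grant(self, subject_id, purpose, channel) -> Optional[ConsentEvent]:
        grant = self._latest(subject_id, purpose, channel)
        if grant is None or not grant.granted:
            return None  # no record at all means an unticked box: no consent
        if channel is not None:
            blanket = self._latest(subject_id, purpose, None)
            if blanket is not None and not blanket.granted and blanket.recorded_at > grant.recorded_at:
                return None  # purpose-wide withdrawal made after the channel opt-in
        return grant

    def _material_change_since(self, notice_version) -> bool:
        idx = next(i for i, v in enumerate(self._versions) if v.version == notice_version)
        return any(v.material_change for v in self._versions[idx + 1:])

    def is_consented(self, subject_id, purpose, channel=None) -> bool:
        grant = self._active_grant(subject_id, purpose, channel)
        return grant is not None and not self._material_change_since(grant.notice_version)

    def needs_reconsent(self, subject_id, purpose, channel=None) -> bool:
        # An opt-in exists but a material change was published after it, so the
        # dashboard should ask again rather than silently carry the consent over.
        grant = self._active_grant(subject_id, purpose, channel)
        return grant is not None and self._material_change_since(grant.notice_version)


def demo() -> dict:
    utc = timezone.utc
    ledger = ConsentLedger(NoticeVersion("v1", datetime(2016, 1, 1, tzinfo=utc), False))
    t0 = datetime(2016, 1, 10, tzinfo=utc)
    # Sign-up form: email and text boxes ticked for own marketing; the
    # partner-sharing box and the other channels left unticked (nothing recorded).
    ledger.record("alice", MARKETING_OWN, True, "v1", "signup_form", "email", t0)
    ledger.record("alice", MARKETING_OWN, True, "v1", "signup_form", "text", t0)
    out = {
        "email_after_signup": ledger.is_consented("alice", MARKETING_OWN, "email"),
        "phone_after_signup": ledger.is_consented("alice", MARKETING_OWN, "telephone"),
        "partners_after_signup": ledger.is_consented("alice", MARKETING_PARTNERS),
    }
    ledger.revoke("alice", MARKETING_OWN, "v1", "dashboard", "text", t0 + timedelta(days=30))
    out["text_after_revoke"] = ledger.is_consented("alice", MARKETING_OWN, "text")
    ledger.publish(NoticeVersion("v2", datetime(2016, 6, 1, tzinfo=utc), material_change=False))
    out["email_after_minor_change"] = ledger.is_consented("alice", MARKETING_OWN, "email")
    ledger.publish(NoticeVersion("v3", datetime(2017, 1, 1, tzinfo=utc), material_change=True))
    out["email_after_material_change"] = ledger.is_consented("alice", MARKETING_OWN, "email")
    out["email_needs_reconsent"] = ledger.needs_reconsent("alice", MARKETING_OWN, "email")
    ledger.record("alice", MARKETING_OWN, True, "v3", "dashboard", "email",
                  datetime(2017, 1, 5, tzinfo=utc))
    out["email_after_reconsent"] = ledger.is_consented("alice", MARKETING_OWN, "email")
    ledger.revoke("alice", MARKETING_OWN, "v3", "dashboard", at=datetime(2017, 2, 1, tzinfo=utc))
    out["email_after_blanket_revoke"] = ledger.is_consented("alice", MARKETING_OWN, "email")
    out["events_recorded"] = len(ledger.history("alice"))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points carry the guidance into the data model. First, there is no "agree to all" entry: every event names one purpose and, for marketing, one channel, and absence of an event is the same as an unticked box, so a pre-ticked default cannot be represented. Second, each event stores the notice version the person actually saw, so when a materially different notice is published the old opt-in stops authorising processing and the dashboard can ask again, while a non-material change (a typo fix, say) leaves it intact; the full event list is also the evidence you would produce for a subject access request.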
If you share data with other data controllers
If you are sharing personal data with other data controllers then you need to consider the challenges of communicating this in a privacy notice. Even if you have a lawful basis other than consent for sharing data, you still need to tell people what you are doing with their data in order for your processing to be fair, unless there is an exemption from this in data protection legislation.
In some cases, several data controllers will be involved in processing the personal data and you will each have obligations to provide privacy notices to the user. This can happen, for example, with data collected by smart devices in the internet of things (IoT) that can be connected with one another and can collect and exchange personal data.
An individual uses a wearable device to monitor their exercise. The manufacturer of the device is the data controller of the information which the device collects about the individual.
A third party application developer has created an app to use with the device that does specific things with the data, such as monitoring the individual’s fitness levels and providing a reward when they reach a certain point. The app developer would be a data controller of the data used for that purpose, unless the data was properly anonymised.
A social networking site allows information to be posted from the device onto its site and then uses this data to make inferences about what the individual does, for example that they like to run. If, on the basis of this data, the network then shows adverts about running shoes to that individual, it will also be a data controller.
A health insurance company provided the device to the individual so that they could reduce their premium by completing a fitness challenge. Although the insurance company did not design the device they would still be a data controller because they determined that the data would be used to incentivise its customers.
In this scenario there are potentially four data controllers. There could be fewer if, for example, the health insurance company also developed the app.
In a complex data sharing scenario such as this, individuals may not have a clear understanding of all of the parties involved, how their information is being shared or for what purpose. Sometimes data controllers may not be immediately aware of all the other parties involved but you need to identify who you are working with to ensure that you all provide privacy notices to meet your obligations under data protection legislation.
In most of these cases each party is a separate data controller and a data sharing agreement is needed between you, which should include how you communicate privacy notices and what they include. Each data controller must ensure that they discharge their own obligations to provide information about their use of personal data. It may also be possible to supplement these individual privacy notices with a collaborative end-to-end resource that brings all of the privacy information together for individuals.
Go beyond legal requirements
Depending on the circumstances, you may decide it is beneficial to go beyond the basic requirements of the law, for example by telling people:
- the links between different types of data you collect and the purposes that you use each type of data for;
- the consequences of not providing information - for example, non-receipt of a benefit;
- what you are doing to ensure the security of personal information;
- information about their rights of access to their data; and
- what you will not do with their data.
If you have no intention of sharing data with third parties for marketing purposes you can state this explicitly in your privacy information, but you must be absolutely certain before making the statement and amend it if the position changes.
Use preference management tools
It is good practice to embed links to tools like dashboards within your privacy notice to allow individuals to manage their preferences and to prevent their data being shared where they have a choice.
A privacy dashboard can help to achieve this. This offers people one place from which to manage what is happening to their information. This is helpful if you process personal data across a number of applications or services.
For individuals it allows them to alter settings, so that (where consent is relevant) they are able to clearly indicate that they agree to the particular processing or data sharing. It also allows for consent to be provided and revoked over time, as processing develops or individuals change their minds. It should be as easy to revoke consent as it was to provide it.
You can then use this platform to relay details of any changes to your data processing, making it more likely that customers will take the time to understand and act on them. Ultimately this should help to build trust and confidence with the customer.
Building individuals’ awareness and confidence in tools like dashboards is likely to make them more informed and better placed to engage with messages about what is happening to their information and how to manage it. Well designed and readily accessible dashboards also provide an opportunity for individuals to access copies of their personal data, ideally in a re-usable and machine readable format. Providing information in this manner will not remove the right to make a subject access request (SAR) but in some cases individuals will be able to access the information they require via this route rather than by submitting a SAR.