The starting point of a privacy notice should be to tell people:
- who you are;
- what you are going to do with their information; and
- who it will be shared with.
These are the basics upon which all privacy notices should be built. However, they can also tell people more than this and should do so where you think that not telling people will make your processing of that information unfair. This could be the case if an individual is unlikely to know that you use their information for a particular purpose or where the personal data has been collected by observation or inference from an individual’s behaviour.
Map your information processing
To help you decide what you need to include you should map out how your information flows through your organisation and how you process it, recognising that you might be doing several types of processing. You should work out:
- what information you hold that constitutes personal data;
- what you do with the personal data you process;
- what you actually need to carry out these processes - a privacy impact assessment can help you to answer this question;
- whether you are collecting the information you need;
- whether you are creating derived or inferred data about people, for example by profiling them; and
- whether you will be likely to do other things with it in the future – this can be particularly important if you are undertaking large scale analysis of data, as in big data analytics.
When explained in sufficiently broad terms a privacy notice can allow for development in the way you use personal data, whilst still providing individuals with enough detail for them to understand what you will do with their information. However, you should not draw up a long list of possible future uses if, in reality, you do not intend to process personal data for those purposes.
Gain and record consent
You need to consider how you will gain and record individuals’ consent, if required. There is a fundamental difference between telling a person how you’re going to use their personal information and getting their consent. Although in many cases it is enough to be transparent, and rely on a legal basis other than consent, in others a positive indication of an individual’s agreement will be needed. For example, if you wish to use personal data for the purposes of medical research it is likely that you will require an individual’s consent.
When relying on consent, your method of obtaining it should:
- be displayed clearly and prominently;
- ask individuals to positively opt-in, in line with good practice; and
- give them sufficient information to make a choice. If your consent mechanism consists solely of an “I agree” box with no supporting information then users are unlikely to be fully informed and the consent cannot be considered valid.
In addition, if you are processing information for a range of purposes you should:
- explain the different ways you will use their information; and
- provide a clear and simple way for them to indicate they agree to different types of processing. In other words, people should not be forced to agree to several types of processing simply because your privacy notice only includes an option to agree or disagree to all. People may wish to consent to their information being used for one purpose but not another.
Good practice would be to list the different purposes with separate unticked opt-in boxes for each or Yes/No buttons of equal size and prominence. Opt-in boxes can be prominently placed in your privacy notice. Alternatively, with online products and services you may wish to use ‘just-in-time’ notices so that relevant information appears at an appropriate time; see the section on just-in-time notices for more detail.
You should also consider how you can obtain consent following any changes to your privacy notice, and how individuals can revoke this consent if they do not agree with these changes.
If you are asking people to consent to receive direct marketing, then, in addition to the DPA requirements, specific rules apply to this under the Privacy and Electronic Communications Regulations (PECR).
If you want individuals to consent to direct marketing, you should have a separate unticked opt-in box for this, prominently displayed. Consent may not be needed to undertake direct marketing by post or phone call (unless the individual is registered with the Telephone Preference Service) if another processing condition can be relied on, but the ICO considers gaining consent to do this to be good practice and the most advisable approach.
The box below contains standard wording that we’ve tested with members of the public and which, in our view, constitutes good practice when seeking consent for direct marketing.
Here at [organisation name] we take your privacy seriously and will only use your personal information to administer your account and to provide the products and services you have requested from us.
However, from time to time we would like to contact you with details of other [specify products]/ [offers]/[services]/[competitions] we provide. If you consent to us contacting you for this purpose please tick to say how you would like us to contact you:
Post ☐ Email ☐ Telephone ☐
Text message ☐ Automated call ☐
We would also like to pass your details onto other [name of company/companies who you will pass information to]/[well defined category of companies], so that they can contact you by post with details of [specify products]/ [offers]/[services]/[competitions] that they provide. If you consent to us passing on your details for that purpose please tick to confirm:
I agree ☐