It is good practice to try to put yourself in the position of the people you’re collecting information about. You need to understand the level of knowledge your intended audience has about how their data is collected and what is done with it. This will help you decide when to give them privacy information. If an individual would not reasonably expect what you will do with their information you need to actively provide privacy information, rather than simply making it available for them to look for themselves, for example on your website.
If it is reasonable for someone to expect that you will use their information for an intended purpose, you are less likely to need to actively explain it to them and can instead make privacy information available if they look for it.
A person might purchase a book from an online store. Their personal information is only used to despatch the goods, to take payment and for the company's own record keeping. In this case, the collection and use of the information would not be unfair even if the individual has not been explicitly told about it. This is because any reasonable person requesting the service would understand that they cannot receive the goods they want unless some processing of their personal information takes place.
However, there are situations when someone would not reasonably expect you to use their information in the way that you intend to. The need to actively provide privacy information is strongest where:
- you are collecting sensitive information;
- the intended use of the information is likely to be unexpected or objectionable;
- providing personal information, or failing to do so, will have a significant effect on the individual; or
- the information will be shared with another organisation in a way that individuals would not expect.
If you have explicitly assured individuals that you will not share their information with third parties but now wish to do so, you should inform them and actively seek their consent. You should also update your privacy notice accordingly.
If you are unsure whether someone would reasonably expect what you will do with their information, there are a number of other things you can do to get a more informed picture about your customers:
- Undertake some research with customers and the wider public, explaining what you would like to do and from that gauge whether or not they would reasonably expect you to do what you’re planning. Focus groups or online questionnaires could be used.
- If you are planning on doing something similar to what you have done in the past, review whether you had any issues when implementing new processing or if you received a lot of complaints about it.
- Look at the experience of others in your sector or industry to see if there has been an approach that has been welcomed by customers or worked particularly well.
- Consider using a privacy impact assessment. Further guidance can be found in our Conducting privacy impact assessments code of practice. This explains how to consult and understand the perspective of individuals in chapter 3.
If you decide that you will need to actively communicate privacy information, you can do this by:
- contacting them directly by letter or email;
- reading out a script during a phone call;
- providing interactive information in an online form, to explain why you need particular information; or
- delivering text-based notifications that appear briefly when an individual hovers over a particular field.