You should not necessarily restrict your privacy notice to a single document or page on your website. The term ‘privacy notice’ is often used as a shorthand term, but rather than seeing the task as delivering a single notice it is better to think of it as providing privacy information in a range of ways. All of the information you are giving people about how you are processing their data, taken together, constitutes the privacy information.
Communicating privacy information
You can provide privacy notices through a variety of media:
- Orally - face to face or when you speak to someone on the telephone (it’s a good idea to document this).
- In writing - printed media; printed adverts; forms, such as financial applications or job application forms.
- Through signage - for example an information poster in a public area.
- Electronically - in text messages; on websites; in emails; in mobile apps.
It is good practice to use the same medium you use to collect personal information to deliver privacy notices. So, if you are collecting information through an online form you should provide a just-in-time notice as the individual fills out the form. It would not be good practice to collect information through the form and then email the individual with a separate link to a privacy notice.
A message at the point you enter your email address explaining that it will be used for customer service purposes will be more effective and accessible than just a link to a separate notice elsewhere.
In some contexts it can be very difficult to communicate a privacy notice. For example, in an emergency situation obtaining personal details quickly can be critical to protecting an individual. In cases like these, you should explain how you use the information at an appropriate point later on, or if you can’t provide privacy information, it is particularly important to make sure you only use the information you collect in a way that members of the public are likely to anticipate and agree to.
Take advantage of all of the technologies available when providing privacy notices. It may be valuable to consider these solutions after you have completed a privacy impact assessment. Examples of technological solutions include just-in-time, video, the functionality of devices and privacy dashboards. These can be seen as privacy-enhancing technologies, because they help to protect privacy and safeguard personal data. A blended approach, incorporating a variety of these techniques is likely to be most effective. Keep the individual as the focus when making decisions about the way to deliver privacy notices.
A layered approach can be useful as it allows you to provide the key privacy information immediately and have more detailed information available elsewhere for those that want it. This is used where there is not enough space to provide more detail or if you need to explain a particularly complicated information system to people.
It usually consists of a short notice containing the key information, such as the identity of the organisation and the way you will use the personal information. It may contain links that expand each section to its full version, or a single link to a second, longer notice which provides more detailed information. This can, in turn, contain links to further material that explains specific issues, such as the circumstances in which information may be disclosed to the police.
There will always be pieces of information that are likely to need to go into the top layer of a notice, such as who you are, what information you are collecting and why you need it What else goes into which layer will depend on the type of processing that you undertake. The ICO considers that data controllers have a degree of discretion as to what information they consider needs to go within which layer, based on the data controller’s own knowledge of their processing. A combination of your own knowledge of how you process personal data and an understanding (that will be informed by this code) of what you need to do to make processing fair or fairer, will allow you to decide on what information should go into which layer of a notice. However, all layers should be accessible.
It works very well in an online context, where it is easy to provide a front page link. The front page should also give people prominent, early warning of any use of their information that is likely to be unexpected or objectionable. As demonstrated by the example in the Test, roll out and review section, when using this approach you need to ensure that people don’t miss information if they arrive at a particular area of your website by a search. You also need to ensure that searches including ‘privacy notice’ or associated terms return links to full privacy notices.
This technique is also useful if you are a data controller who has further sectoral requirements that mean you need to present other information in addition to the privacy information. For example, information regarding fraud in the financial sector. As this increases the amount of information you have to provide, it is even more important that you present it in an engaging manner and the tools and techniques recommended in this code will help you.
Just-in-time notices are a tool you can use to provide relevant and focused privacy information in such situations. This is another type of layered approach to provide information at certain points of data collection.
Often, and particularly when on an organisation’s website, people will provide personal data at different points of a purchase or interaction. When filling out a form people may not think about the impact that providing the information will have at a later date.
Just-in-time notices work by appearing on the individual’s screen at the point where they input personal data, providing a brief message explaining how the information they are about to provide will be used.
The individual can either choose to carry on with the basic information or click on the link to find out more information. This can direct them to a more specific page explaining in detail what will be done with the personal information they have provided.
You can achieve a similar result using the hover over feature when completing fields in an online form.
You can use icons and symbols as part of a layered approach. This can indicate that a particular type of data processing is occurring.
- For example, a symbol that designates that information will be used for marketing could appear when you input your email address.
- For those who would like to know more, they can click on the symbol and be directed to a more detailed explanation of what will be done with this piece of their personal data.
- Alternatively, you can use the ‘hover over’ function so that when you place the cursor over the symbol it states ‘marketing’ and if the user wishes to know more they can click through for more detail.
Icons and symbols can also act as useful reminders that data processing is taking place, especially if that processing is intermittent, in the same way as a red light which comes on when audio or video is being recorded.
Icons and symbols can be useful in relation to IoT devices, where it is difficult to provide detailed privacy information on the device itself and in other situations where data is being captured by observation rather than being provided by individuals.
The design of any symbols is important as you need to make the messages they convey as clear as possible. It is also important to limit the number of symbols used, as people are unlikely to take the time to learn what a large number of different symbols mean. Use symbols consistently and make sufficient information available so that people understand what they mean; you should produce a key to the symbols that can be accessed easily by users.
If you are a large organisation then a set of symbols that can be used across your operations would be an effective and consistent means of providing privacy information.
- The use of symbols can be done with your brand in mind so that they fit with the look of your websites.
- The same approach could work within sectors, where an agreed set of symbols could be used to ensure consistency across organisations.
If you are going to use symbols to present privacy information then it is important that you undertake user testing to ensure that what you produce is effective.
If the icons are made available electronically you should also consider making them available in a machine readable form. This would allow a device to ‘read’ the information the icon conveys.
Privacy notices on mobile devices and smaller screens
You must also consider how people will view privacy notices on portable devices (smart phones, tablets).
You must ensure that privacy notices are as clear and readable on these devices as the information you would see on a computer screen. The text should be large enough to read and people should not have to zoom in to see it. Information should fit on the screen as normal. A useful tool is responsive web design, which allows you to create a website that can change the information on the screen to the optimal setting for viewing that information, depending on the type of device you are viewing it on.
As the devices are likely to have less space to display your privacy information, a layered approach is likely to be the best method to communicate privacy notices effectively.
The use of video or just-in-time notices to convey privacy information is particularly suitable for smaller devices as the size and length of text will not be an issue. You are unlikely to be able to convey all the necessary detail in a video but following a layered approach, individuals can be directed to more detailed information as appropriate. Keeping the video short and to the point will also avoid any issues individuals may have with data usage if Wi-Fi isn’t available.
View this video on the GoAnimate website at ico.org.uk/PNvideo
You can use the functionality of a device, for example using voice alerts on a smart phone (or on-screen notifications once the phone is set to silent), to provide information essentially like a just-in-time notice. However, you must consider how you can prevent the phone or mobile app giving someone constant alerts regarding their information. This is where a link to a dashboard or information management tool may be helpful, or a prompt to review your settings on your smartphone.