The Act requires that whenever personal data is obtained certain information is given to the data subject to meet the requirement of Fair and Lawful Processing. This is called a Privacy Notice and generally starts off “How we use your personal data…”
There is a Privacy Notices Code of Practice on the ICO website which has been updated to reflect the content requirements for Privacy Notices under UK data protection legislation. Given the extent and technical content now required, it is not always possible to use a single document to inform individuals what you intend to do with their personal data. The privacy notice should be interpreted as all the information you make available rather than one single document.
This is particularly the case when personal data is collected online or via apps, where consumers are generally averse to reading long privacy statements. It nevertheless remains of paramount importance for organisations to be transparent about their processing: transparency builds trust, which is a central aim of data protection regulation.
The required content and the need for the notice to be concise and intelligible can appear to be in conflict, but the ICO promotes the idea of a layered privacy notice and accepts that controllers have a degree of discretion as to what information goes in each layer, based on their own knowledge of their processing. What to include is determined by combining knowledge of how the organisation processes personal data with an understanding (informed by the Code of Practice) of what needs to be explained to make the processing fair. All layers of the privacy notice must, however, be accessible.
The layered approach
The layered approach is useful because it allows you to provide the key privacy information immediately and to hold more detailed information elsewhere for those who want it. It is particularly helpful where space is limited or where complicated information systems need to be explained.
A layered notice would consist of a short notice containing the key information, such as the identity of the organisation and the way it will use the personal information. It may contain links that expand each section to its full version, or a single link to a second, longer notice which provides more detailed information. This could, in turn, contain links to further material that explains specific issues, for example the circumstances in which information may be disclosed to the police.
This approach works well for an online privacy notice, where space is not constrained. A lower-tech equivalent is a detailed privacy notice that is cross-referenced from shorter versions, with hard copies available at all points of contact.
Legal requirements for privacy notices
As well as the technical requirements for information to be included in the privacy notice, data protection legislation emphasises that privacy notices should be understandable and accessible (Article 12 of the UK GDPR). Fair processing information is to be:
concise, transparent, intelligible and easily accessible
written in clear and plain language and
free of charge.
Note that making privacy notices accessible might mean using language that children can understand or presenting material in cartoon strip or video form as appropriate to your audience.
Under UK GDPR, transparency is key. Privacy information must be provided in every case, but active delivery of the privacy notice (pushing it to the individual rather than simply making it available, for example on a website) is expected in specific circumstances; elsewhere, making the notice readily available may be sufficient. The activities likely to generate the need for active delivery of a privacy notice are:
Use of special category data
Unexpected or objectionable use of personal data
Where the processing could have a significant effect on the data subject or be used to inform decisions about them that will have a significant effect
Where there will be unexpected sharing of personal data.
The ICO encourages innovative means of delivering the Privacy Notice, such as layered and “just in time” notices. Each set of circumstances will vary, so organisations should review where Privacy Notices currently sit in the customer lifecycle and identify those points that will require a non-technical solution.
In some circumstances, for example with suppliers, the Privacy Notice might easily be presented in table form and the templates below include a tabular layout taken from the Privacy Notice guidance on the ICO website which could be used.
Actions - Privacy Notices
Each set of data subjects should be given a privacy notice. Where personal data is obtained directly from the data subject, the privacy notice describing the intended processing must be provided at the time the data is collected, so in practice before any personal information is entered (Article 13 of the UK GDPR). Where personal data is obtained from a third party, the privacy notice must be provided within a reasonable period and at the latest within one month, or earlier if the data is used to contact the individual or is to be disclosed to someone else (Article 14).
It can be helpful to make a flowchart of data entry points to support your work on Privacy Notices. A table of required information is included in Templates below to create an outline of required content as a basis for your organisation’s privacy notices.
Different Privacy Notices are required for each set of data subjects you have identified, for example: marketing, clients, CCTV, suppliers, employees.
Privacy Notices need to inform your data subjects of the specific and unique circumstances of your company’s processing; for this reason it is not possible to include suggested wordings.
Examples of where a Privacy Notice can be included: job application forms, quotation request forms, enquiry forms, complaint forms and in marketing literature.
Make sure that you use lettering of equal font size and position the Privacy Notice so that it can be seen at least as easily as any other information or question on the page.
Also position a Privacy Notice in your standard terms of business, on the reverse of invoices for example. Again, make sure that the Privacy Notice is given equal prominence with other terms and conditions.
Privacy Notices for employees should be included in staff handbooks, statement of terms of employment, intranet if available or by written memo. As HR is a reasonably standard processing activity a suggested set of HR privacy notices is included in the HR section of the manual.
Add customer/client and prospect Privacy Notices to your website.
Templates - Privacy Notices
Tailor the following templates as appropriate to the circumstances. The templates are provided as illustrations of the required content. The consent form in particular offers guidance on how to present a form of consent consistent with UK GDPR requirements: consent must be informed and specific, it must allow a free choice, and it must remind data subjects that consent can be withdrawn and explain how to do so. The form must also include any information that could influence the data subject’s decision, particularly how long the personal data will be used and whether or not it will be transferred to countries outside the UK.
Note that Privacy Notices must reflect the data processing specific to the organisation so it is not possible to provide a complete template except in the case of HR where processing tends to be reasonably standard. A suggested HR Privacy Notice is included in the HR section of the Toolkit.
Sample Consent Form
From time to time we (name of company) may take photographs of directors, employees and customers to help publicise our business and to illustrate company brochures and annual reports and financial statements.
We may also use images on our website, and on social media such as our Facebook page and Twitter account.
To comply with data protection legislation, we need your written permission before we take portrait photographs of you or make close-up recordings of you. We have described below the possible ways in which photographs or videos could be used, and you can indicate your agreement to each use. In practice we will always show you the graphics and intended layout of any publication in which we use your image, but this form gives us an overall indication of your preferences as to how we use it.
Please answer the questions below, then sign and date the form where shown.
Below is an outline Privacy Notice template taken from the ICO Privacy Notices Code of Practice. It distinguishes between situations where the organisation collects the personal data directly from the data subject and situations where it has received the data from a third party and must follow up by telling the data subject how their data will be used. The main additional items in the second case are the categories of personal data held and the source from which it was obtained; otherwise the content of the two notices differs little, and we find it easier to have one standard notice that meets the requirements in either case.
If the data subject has already had some of the information in an earlier Privacy Notice there is no obligation to repeat that information, for example a job applicant would be given a Privacy Notice to explain how their data is used for recruitment and selection purposes. The successful candidate will be given a further Privacy Notice to explain the use of their data for HR administration but it does not need to repeat the messages that were relevant in the recruitment and selection Privacy Notice.
When the privacy notice must be provided (from the ICO template):
Data obtained directly from the data subject: at the time the data are obtained.
Data obtained from another source: within a reasonable period of having obtained the data and at the latest within one month; if the data are used to communicate with the individual, at the latest when the first communication takes place; or if disclosure to another recipient is envisaged, at the latest before the data are disclosed.
The ICO template adds: “We will consider producing further guidance as appropriate on the specific categories of information listed here.”