

On 12 June 2009 the Information Commissioner’s Office (ICO) launched the Privacy Notices Code of Practice (the Code), following consultation with organisations and members of the public. The Code is intended to help organisations collect information properly by drafting clear and informative notices.
Aims of The Code
The Code is aimed at all organisations that directly or indirectly collect information about people. It is intended to assist such organisations to ensure that they collect information in a transparent and fair manner, thereby meeting the legal requirement to process personal information fairly under the Data Protection Act (DPA) 1998. Other benefits of drafting a good privacy notice, as identified by the ICO, include:
- higher levels of trust and a better relationship with the people whose data is collected;
- encouraging customers to indicate their marketing preferences, which may mean that they respond more positively to organisations;
- creating a competitive advantage by reassuring customers that their privacy is taken seriously; and
- reducing the risk of queries, complaints and disputes about an organisation’s use of personal information.
The Code applies to various forms of processing personal information, such as asking people to complete forms with their personal information (eg names and e-mail/postal addresses), and recording and keeping telephone conversations with customers. It does not, however, apply to collecting information that does not identify people, for example, statistical information or anonymised data.
Fair processing of personal information
The first data protection principle under the DPA 1998 requires all personal data to be processed fairly and lawfully. ‘Processing’ includes obtaining, using or disclosing personal information. Under the first principle, personal information is not to be treated as processed fairly unless the organisation in control of the processing ensures, as far as is practicable, that it has provided the individuals concerned with, or has made readily available to them, information referred to as the ‘fair processing information’. This information includes a) the identity of the organisation; b) the purposes for which the personal information is intended to be used; and c) any further information that is necessary to enable the processing to be fair. Drafting a privacy notice is an obvious way to satisfy these legal requirements.
The Code recommends that organisations put themselves in the position of the people whose information they are collecting and ask the following questions:
- Would they know who is collecting the information?
- Would they understand why their personal information is being collected?
- Would they understand the implications of providing their information? and
- Would they be likely to object or complain?
Essentially, organisations should always be straight with the public, and be honest and transparent when dealing with personal information.
Do not state the obvious
The Code explains that there is little value in informing people of obvious uses of their information. There is no need to actively communicate (that is, take a positive action to provide) a privacy notice provided that an organisation’s collection and use of personal information is:
‘Something that a reasonable person is likely to anticipate and would agree to if asked; and is necessary to carry out the transaction or deliver the service the individual has requested; and will have no unforeseen consequences for the individual concerned.’
Actively communicating privacy notices is different from having a privacy notice available for members of the public to view, for example, by clicking on a web link or requesting more information.
The Code explains further that the need to actively communicate a privacy notice is strongest where: the information being collected is sensitive or confidential; the intended use is likely to be unexpected or objectionable; providing personal information, or failing to do so, will have a significant effect on the individual; or the information will be shared with another organisation in a way that would not be expected by the individual concerned.
Organisations that intend to share, rent or sell personal information should make their intentions clear in their privacy notices.
Drafting privacy notices
The ICO recommends that organisations draft their privacy notices in a manner that is intelligible and easy to read (eg by avoiding confusing or legalistic terminology). If an organisation decides to use opt-ins and opt-outs in its privacy notice, it must do so in a way that is not confusing. Organisations must not assume that everybody has the same level of understanding, and vulnerable individuals, such as children, must be treated fairly. The Code does specify rules about collecting personal information from such vulnerable individuals. It recommends that organisations draft their privacy notices from the individual’s point of view and in a manner that is appropriate to the level of understanding of the individual it has in mind. In some cases, this will require the organisation to put stronger safeguards in place.
The ICO also recommends a ‘layered’ approach to drafting privacy notices. A layered notice is one that is drafted in a way that allows an organisation to provide the basic privacy information (such as the identity of the organisation and the way in which the personal information will be used) in a short notice, but to make more detailed information available elsewhere for those that want it.
The final part of the Code consists of a set of examples based on real privacy notices seen by the ICO. The examples demonstrate what constitutes good and bad practice.
Providing privacy notices
Organisations can provide privacy notices through a variety of media, such as electronically (eg on websites and in e-mails), through signage (eg in a public information poster), in writing (eg application forms, information cards and printed adverts) and orally (eg during telephone conversations or in face-to-face communications). The ICO recommends that organisations use the same medium to collect the personal information as they do to deliver the privacy notice.
Status of the Code
The Code (issued under s51 DPA 1998) forms part of the ICO’s guidance on good practice and is not law. The basic legal requirement is to comply with DPA 1998 itself and so organisations may employ other methods to meet DPA 1998’s requirements. The ICO cannot take action over a failure to adopt good practice or a failure to act on the recommendations set out in the Code. That said, the ICO has stated that it will take the standards of the Code into account when, for example, it receives a complaint that information has been collected in an unreasonable way. Organisations, therefore, would do well to incorporate the recommendations set out in the Code into their privacy notices.
Comment
The Code provides easy-to-understand recommendations about how to draft user-friendly and informative privacy notices. It will help organisations to comply with one of the most important but often misunderstood parts of DPA 1998. The ICO has also published further guidance for small businesses in the form of a checklist (including a simple case study example) that is intended to help small businesses collect and use personal information properly. It is the ICO’s view that:
‘It is unfair and misleading to have a privacy notice that isn’t accurate or up-to-date. It is therefore good practice to keep your privacy notice under regular review.’
Organisations should take heed of this advice.
By Andrew Shindler, partner and Annabel Bannerman, associate, SJ Berwin LLP.
For a copy of the Code go to www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/privacy_notices_cop_final.pdf





