TL;DR – too long; didn’t read – this internet slang too often applies to privacy notices presented to users when they are asked to provide their personal data online. While we have seen some significant improvements to privacy policies in the last four years, particularly as large organisations have started to invest more in their privacy programs, it is clear there is still a long way to go.
The most common way individuals now interact with privacy policies is online. A 2008 study by Carnegie Mellon University in the US suggested that if an individual were to read the privacy notice of every website they visit in a year, it would take an average of 40 minutes per day to do so. Compared with the average time per day that people spend on the internet – the same study suggests 72 minutes – this shows the challenge of making privacy notices work in practice.
However, privacy notices are a vital means of informing people about how their personal data is being processed and letting them know about their rights under the Data Protection Act 1998 (DPA). Providing a privacy notice is also the most obvious way for organisations to meet their obligations under the Act to provide fair processing information.
Organisations are looking to analyse and use more and more personal data – transparency of that processing remains a vital tool in making sure that people continue to trust an organisation with their information. A clear and simple, but informative, privacy notice can be an effective way to demonstrate this transparency. This is important because providing genuine transparency lies at the heart of many emerging data protection issues – from the use of medical data for research to innovative uses of personal data in integrated internet services.
The ICO’s current privacy notices code of practice gives good practice advice and explains how organisations can make sure their privacy notice is as informative and readable as possible, as well as highlighting the benefits that an effective privacy notice can provide. Nevertheless, we believe the time is now right to undertake a review of our existing code.
The current code was published in 2009 and we’ve had good feedback about the simple, plain English approach and the good practice examples provided. The code was highly commended at the Nominet Internet Awards 2010 and, while much of its content is still relevant, we’re aware that technology has changed considerably since 2009. For example, the use of smartphones, which was still in its infancy back then, is now widespread. There have also been changes to existing good practice relating to privacy notices, such as the concept of ‘privacy experience’ and designing in privacy information, drawing on usability concepts.
We would welcome any feedback you or your organisations have on the current code. This can be based on the content as it currently stands, opinions on what you think should be added or removed, or examples of good or bad practice that you have come across in your personal or professional life that you think would be informative. We’re keen to get the balance right between clear, general guidance and making sure the guidance works for new technologies – we’d therefore welcome your views on this aspect of the code. We would also welcome any comments you have on the checklist for small businesses that runs alongside and supports the code.
You can email your feedback to firstname.lastname@example.org. All comments must be submitted by 30 November 2013. We will then consider the feedback received with a view to publishing an updated code next year.
Steve Wood’s department develops the outputs that explain the ICO’s policy position on the proper application of information rights law and good practice, through lines to take, guidance, internal training, advice and specific projects.