As we all await the outcome of the lengthy negotiations taking place in Europe over the reforms to our existing data protection laws, there is one section of the draft proposals that has been unanimously supported by member states. The reason for this pan-European consensus? Privacy seals.
On Data Protection Day, it seems timely to discuss one of the key changes we’re set to see in the world of data protection, and the benefits privacy seals are set to bring to organisations and members of the public alike.
Many of you will already be familiar with the British Standard Institute’s Kitemark symbol. The symbol is displayed on numerous products and services within the UK to demonstrate quality and provide assurances that the highest standards are being delivered. An ICO privacy seal would operate in a similar manner by being awarded to organisations that demonstrate that they are not only meeting, but also surpassing, the requirements of the Data Protection Act when it comes to looking after people’s information.
With a recent survey by our office showing that four out of every five people approve of the introduction of such a symbol, it is an area of work that many organisations processing personal information will want to start thinking about.
At the ICO, we have been working on the development of a framework to enable consumer-facing privacy seal schemes for almost two years now. Such schemes will bring a number of benefits. Firstly, the awarding of a seal will help to promote organisations that are going above and beyond the call of duty when it comes to looking after people’s information, giving them an opportunity to gain an advantage over their competitors. Secondly, the seal will help to build consumer trust and choice, as it will demonstrate that an organisation is looking after their information to a notably high standard. More widely, the seal will raise the bar for privacy standards across the UK by incentivising good practice.
So how will an ICO privacy seal work?
We will endorse third party operators to deliver ICO privacy seal schemes. Once approved, the scheme operators will be responsible for the day-to-day running of the scheme.
It is anticipated that the different scheme operators will focus on different sectors, processes, products or areas of compliance. For example, one operator may focus their privacy seal scheme on the collection of personal information by mobile apps, while another operator may run a scheme for organisations providing data protection training services for health service providers. This approach allows our office to draw upon specialist skills from parties already recognised in the field of accreditation and certification. It also gives organisations the opportunity to apply for an ICO privacy seal from an operator whose scheme is specifically tailored to their products or sector.
In order to be considered for endorsement, potential scheme operators must be accredited by the UK Accreditation Service (UKAS) and will need to meet a strict set of criteria developed by our office. The criteria will ensure that any ICO privacy seal scheme is viable, promotes the high standards we are looking to achieve and complements the existing priorities of our office. Our office retains the right to remove our endorsement if the operator is no longer able to run the scheme to the required standard.
Organisations wishing to apply for an ICO privacy seal will then be able to make an application to a relevant scheme operator. Organisations will only be awarded an ICO privacy seal if they can show that they meet the operator’s assessment criteria and in doing so demonstrate that they meet the highest data protection standards.
Once an organisation has been awarded a privacy seal, it can use the seal externally to show that it is demonstrating best practice when it comes to looking after people’s information. The seal can be used by the organisation for a certain period, likely to be four years, after which revalidation is required. The seal can also be removed if the organisation that has been awarded it fails to maintain these standards – for example, if it suffers a serious data breach.
Where are you up to with this work?
We are currently working with the UK Accreditation Service (UKAS) and various stakeholders to develop the framework criteria privacy seal scheme operators will need to meet in order to operate an ICO endorsed privacy seal scheme.
Those of you signed up to receive our e-newsletter will already know that we held a consultation on the draft criteria last autumn. We are currently considering the feedback from this exercise. You can find a summary of the responses received to this consultation on our website.
Interested in operating a scheme? In the coming months, we will publish the final criteria and invite applications from potential scheme operators who’d like to run an ICO endorsed privacy seal scheme.
Interested in applying for a seal? Later in the year, we will announce the details of the selected operators. The aim is to have the first ICO endorsed privacy seal scheme up and running in 2016. Once an ICO privacy seal has been established, organisations will be able to apply to the scheme operator for certification.
While the deadlines may be tight, there is wide support from legislators and the public for the creation of an ICO privacy seal. If you think your organisation is up to the data protection challenge, then you should start thinking about whether you would be interested in applying for an ICO privacy seal in the future. One thing’s for sure… your customers will soon be looking out for them.
Gemma Farmer is a Senior Policy Officer in the ICO’s Policy Delivery department. Her team leads on the Privacy Seals project, research on the impact of the ICO’s civil monetary penalties and formal responses to any consultations on the Data Protection Act.