By Jo Pedder, Interim Head of Policy Delivery.
It is often argued that if people are increasingly willing to share information on social media and to allow their data to be collected by mobile apps, they’re presumably less concerned about how their data is being collected and processed. It won’t surprise you to learn that we don’t buy it.
Earlier this year, the ICO asked 1,200 people to list the social issues they were most concerned about. Personal data appeared among 15% of people’s top three concerns and our survey found that only one in four adults trust businesses with their personal information. For anyone dealing with personal data trust is key. An organisation that uses transparent methods when it comes to personal information naturally strengthens its reputation and builds the trust of its customers. Transparency is a vital component in data protection and is crucial as big data, the Internet of Things and the digital economy develop.
Organisations need to do more to explain to consumers what they’re doing with their information and why. It’s important to remember that reputation can be easily lost when people discover you haven’t been completely honest about how you are using their information.
A clear and effective privacy notice is one way to do it. That doesn’t necessarily mean a single document to inform individuals about what you do with personal data. We’re talking here about all the privacy information that you make available or provide to individuals when information about them is collected. In most cases, a blended approach, using a number of techniques to present privacy information to individuals will be the most effective at engaging them.
Whatever approaches you select, it’s your job to embed transparency and invest in innovative ways of telling people what you’re doing with their data. This best practice demonstrates that you are using personal data fairly and transparently. Where individuals have a choice about how their personal data is used, you need to make it easy for them to express their preferences and retain control of their information.
So how do you go about doing all of this when creating a privacy notice? We’d suggest a two-step approach:
Step 1: Take a look at our checklist. It covers key points including the what, where, when and how of privacy notices with details on how and when information should be delivered to individuals, as well as tips on how to write a notice. This isn’t an onerous job, and will definitely set you on the right course.
Step 2: Look at our new code of practice. It’s a detailed document, with practical advice around what should be included in a privacy notice. There are plenty of examples of how to put together a privacy notice. If you’ve looked at the checklist first, you should have a good idea which sections will be most relevant to you.
It’s not enough to stick a privacy notice on your website and forget all about it. The privacy information you provide needs to be regularly reviewed and updated to reflect any changes – so don’t forget to build in a further look at what you are telling people about how their information is being used as you develop your processes and services. We are still considering other practical ways of supporting organisations in achieving greater transparency such as the feasibility of a privacy notice generator, so watch this space…
|Jo Pedder is Interim Head of Policy Delivery. She has lead responsibility for the ICO’s guidance on the Data Protection Act and the Freedom of Information Act.|