The ICO is consulting on a revised Privacy Notices Code of Practice, which sets out guidance on what organisations should be telling people about how their personal data is used. Organisations have until 24 March 2016 to submit a response to the consultation, after which the ICO will finalise and publish the new Code.
As the revised Code explains (in some detail), the current Data Protection Act 1998 (DPA) requires organisations to process personal data fairly and lawfully, and in particular to ensure that individuals know who is using their personal data and why, and are given any further information which may be needed to make that use "fair". The Code is the ICO's gloss on these requirements.
Interestingly, the ICO also says it has revised the Code with the new General Data Protection Regulation (GDPR) in mind (which, as regular readers will know, is set to replace the current DPA when it comes into force in early 2018). Certainly, GDPR concepts like "privacy by design" and "privacy icons" (a controversial short-hand for fuller privacy notices) get a good airing in the updated Code. However, the revised Code by no means incorporates all the requirements of the GDPR on privacy notices, and the ICO's consultation document notes that further guidance on these requirements will be published during 2016 and 2017. Some organisations might reasonably feel it is more efficient to wait until this fuller guidance is published, before spending time and money on updating their privacy notices in line with the new Code.
Perhaps the most striking feature of the revised Code is the emphasis on new technology, from guidance on how to manage privacy notices in the context of "the internet of things" and on mobile devices, to recommendations about using "privacy dashboards" and "just-in-time" pop-ups to inform people about how personal information will be used. It will be interesting to see how these are received by organisations, especially those who use those technologies the most.
Finally, the ICO is also offering some brand-new tools to help with compliance, in particular a "privacy notice generator" and various live examples of ways to convey privacy information in an online context. These could be of real value to smaller organisations with simple compliance needs. Even for more complex organisations they may function as useful "templates" or starting points. The ICO is inviting comments on these new tools as part of its consultation.
The current consultation could represent a positive step towards a sleeker, more intuitive, and less wordy future for online privacy compliance. However, there is no "one-size-fits-all" approach to how organisations use personal data, and for the time being the old-fashioned approach of drafting bespoke privacy notices remains advisable – as well as being an opportunity for organisations to fully express their own values when it comes to individuals' rights.
If you require further information on anything covered in this briefing please contact Helen Mulligan or your usual contact at the firm on 020 3375 7000. Further information can also be found on our Intellectual Property & Technology page on our website.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP,