Privacy Notices: Cut Out The Gobbledegook!

February 28, 2009

The Information Commissioner has launched a two-pronged attack to encourage individuals to take more interest in the use of their personal information. On the one hand, he has launched a campaign to encourage consumers to actually read privacy notices. On the other, he has issued a draft code of practice to try to make them more intelligible.

The draft code has been issued under s 51 of the Data Protection Act 1998, which gives the Information Commissioner the power to promote good practice. While the code will not be binding, it will inform his enforcement approach and can be cited in enforcement action.

The draft code is very helpful and stresses the importance of good privacy notices. They not only help to satisfy legal obligations under the Act, but they can also build trust and confidence with customers. In contrast, a badly-worded notice can damage a relationship with customers and unduly restrict any subsequent use of the information which is collected.

With this in mind, here are five key points to consider when drafting a privacy notice (some in the draft code and some not!).

1. Say what you will do, not what you won’t

This is one of the most important rules when drafting privacy notices (though it does not feature in the guidance). Phrases such as ‘we will never give your data to third parties’ sound nice but can present real difficulties in practice. What about disclosures to affiliates? What if you want to sell your business? What if there is a legal or regulatory request to disclose the data? Given the current economic climate, can anyone really predict how their business will change over the next 12 months?

This type of undertaking may be appropriate in some circumstances. For example, there may be a competitive advantage in providing such a blanket undertaking as individuals may be more comfortable when providing information based on it. However, caution is advised.

2. Think about your audience

The privacy notice should be suitable for its intended audience. In most cases, this is not a lawyer or other professional. Therefore, the privacy notice should be written in plain and intelligible language.

This means that jargon and legalese should be avoided. Does the man in the street understand terms such as ‘personal data’, ‘data controller’ and ‘data processor’? It would be surprising if they did, as their exact meaning continues to elude most privacy lawyers. Another example is references to legislation. The draft code specifically states that headings such as ‘Data Protection Act 1998’ should be avoided and replaced with more accessible terms such as ‘Your Information’. Referring to the Act or other legislation is unhelpful. Most individuals will not be familiar with its provisions and can hardly be expected to give up their leisure time to read it.

The notices should also be in a clear font and use appropriately large characters. Small print is definitely frowned upon.

3. Layer, layer, layer

The draft code also strongly recommends using a layered approach – ie providing a summary of the key privacy points in a prominent position together with a link to a more detailed privacy notice with supporting information.

What are the key privacy points likely to be? They include any unusual, unexpected or objectionable uses of the information, such as disclosure to third parties. In contrast, the draft code actually recommends not including details of obvious uses of information. It is also important that a summary highlights any marketing that takes place (see below) and includes suitable wording if credit checks or fraud checks are carried out.[i]

4. Other requirements for a privacy notice

The Act itself contains relatively few requirements for privacy notices. A notice must:

· provide the identity of the data controller or any representative of the data controller – ie tell them who you are; and

· specify the purposes for which the data will be processed and provide any further information necessary to enable any processing of that data to be fair – ie tell them what you are going to do with their information.

The draft code expands on the second point by providing a list of issues to cover in a privacy notice. Clearly the ability to provide this information will depend on the nature of the interaction with the individual. For example, it is normally easier to provide information online[ii] rather than over the phone. The Information Commissioner’s list of points to cover includes:

· if the information will be used for marketing purposes;

· if the information will be passed to third parties;

· whether responses are mandatory or voluntary (and the consequences of not responding);

· if the information will be transferred overseas;

· the rights of individuals to access their data or object to direct marketing; and

· contact details if the individual wants further information or to complain.

These are all good practice and you would probably include most of them in your privacy notice in any event. One of the most important points is providing individuals with clear information about marketing – especially marketing by third parties. Moreover, if marketing by e-mail, telephone or fax is envisaged then the additional rules in the Privacy and Electronic Communications (EC Directive) Regulations 2003 need to be considered.[iii]

However, the draft code goes on to make some more controversial suggestions. It suggests that the notice set out how long the information will be stored for and what security measures will be taken in respect of that data. Save in some limited respects, there seems little point in including this information.

Take security as an example. There may be some value in a Web site referring to its use of SSL to protect information in transit but there seems little point in a detailed list of security measures it has deployed – which could make the system more prone to hacking and would be incomprehensible to the average person in any event. At the other extreme, there seems little value in making bland statements about using appropriate measures to protect information. It provides no benefit to the individual and just makes the notice longer.

The draft code also suggests individuals are reminded of their right to complain to the Information Commissioner. The rationale for including this information is clear. Whether you would actually choose to do so is another matter.

5. Think about the rest of Europe (and the rest of the world)

Will the privacy notice be used in other jurisdictions?[iv] If so, then the position is more complicated.

First, language is an issue. Most privacy laws do not expressly require a translation of a privacy notice. However, it may be very hard to persuade a regulator that the individual has been fairly informed about the use of their information if the notice is not in their native tongue.

Secondly, there are variances in national privacy laws, even within Europe. For example, in most European states it is mandatory to also inform individuals:

· whether replies to questions are obligatory or voluntary, as well as the possible consequences of failure to reply;

· the identity of the recipients or the category of recipients to which the recipients belong; and

· the existence of the right of access to and the right to rectify personal information and the right to oppose the processing.

The interpretation of these provisions also varies. An extreme example is the Taibesa case in Spain, which indicated it is not acceptable to use a broad description of the purposes for which the data is processed (such as use for ‘commercial purposes’) and that it may be necessary to list each recipient of the data individually (for example, references to the data being supplied to ‘members of the [X] group’ may not be sufficient).

Conclusions

There are clearly a number of issues to consider when drafting a privacy notice and an example of good and bad practice is set out in the diagram you can access from the right panel.

However, the key question to ask is whether it provides a simple, clear and genuinely informative description of how that individual’s data will be used. The draft code is very useful in conducting this exercise and has helpful examples of where things go wrong.

The draft code is available here and the consultation on it ends on 3 April 2009.

Marly Didizian is a partner, and Peter Church is an associate, in the Technology, Media and Telecommunications practice at Linklaters LLP.



[i] The credit reference agencies specify particular wording that must be included in a privacy notice if credit checking is to be carried out. This includes ‘signposting’ wording that is intended to point the consumer to a more detailed explanation of the credit checking process.

[ii] If you are providing information online then you should also think about the information requirements in The Companies (Trading Disclosures) Regulations 2008, The Electronic Commerce (EC Directive) Regulations 2002 etc. However, this is a topic for another article…

[iii] Again, a topic for another article but the Information Commissioner has helpful guidance on his Web site. See Guidance for marketers on the Privacy and Electronic Communications (EC Directive) Regulations 2003 Part 1: Marketing by electronic means.

[iv] Strictly speaking, the Data Protection Directive operates on a ‘country of origin’ basis so the question is where you are established rather than where your customers reside. However, if you are considering targeted approaches to consumers in another jurisdiction it would seem wise to comply with local data protection law as the local regulator may take a different ‘view’ on this point, you may fall foul of other local consumer protection laws and it is unclear if the Privacy and Electronic Communications Directive also operates on a ‘country of origin’ basis.