FEATURE, 14 February 2017

A blended approach to privacy notices



Dr Michelle Goddard talks about what to consider when putting together privacy notices and ensuring compliance with legislation


Privacy notices, often criticised for their excessive length and use of technical language and legalese, are a mandatory tool to ensure that personal data is processed fairly and lawfully. Their value lies not only in ensuring legal compliance with the data protection framework, but also in communicating a privacy-centric culture that embeds a respectful approach to individual rights and a commitment to data privacy. 

In its new publication, Privacy notices, transparency and control: A code of practice on communicating privacy information to individuals, the Information Commissioner’s Office (ICO) offers a revised, workable approach to privacy notices. It covers compliance with the current legal framework in the Data Protection Act 1998 (DPA) and with the forthcoming General Data Protection Regulation (GDPR), which applies from 25 May 2018 and will take effect in the UK despite Brexit.

The code includes advice on: what should be included in a privacy notice; where to deliver privacy information to individuals; when to actively communicate privacy information; and how to write a privacy notice. Practical examples of good and bad practice are provided, as well as a Privacy Notices Checklist.

Drafting a privacy notice

Notices need to be open and honest about how personal data will be used. The ICO highlights the key points to consider when planning a privacy notice, which include: 

  • What information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • What will be the effect of this on the individuals concerned?
  • Is the intended use likely to cause individuals to object or complain?

Fundamental to the revised code is the encouragement of blended and innovative approaches. It sets out ‘pick and mix’ techniques to encourage transparent and effective communication with individuals, and expects notices to be tailored to different audiences. For instance, communications aimed at children need to be written in a way that is likely to match their level of understanding. 

Information requirements under the GDPR are higher than under the DPA. Under the regulation, more extensive information must be given to individuals in simple, accessible language, making adoption of a creative approach much more important. Some suggestions in the code for achieving this include:

  • Layered approach: supplying key information – such as your identity and the way that you will use information – immediately, with more detailed information available elsewhere for those who want it. This could be via a link to a longer notice or to sub-sections of the notice
  • Just-in-time notices: displaying information at certain points of the data-collection journey so that it appears on the screen at the point when the user is inputting their data 
  • Icons and symbols: determining whether symbols will help to convey the message more clearly. User testing is important to make sure they convey the message appropriately

Clear and straightforward language is the foundation of all good notices, but the best way to present your privacy notice will also depend on several other factors, such as: who the target audience is; the complexity of the data processing; and the type of medium you are using (you need to use the same medium to deliver privacy notices as you use to collect personal information). 

It is useful to communicate this information pro-actively and transparently by embracing technological solutions such as: 

  • Short videos explaining how you will use the personal data collected
  • Notices that make use of device functionality to deliver privacy information on small screens, such as those of smartphones, tablets and other smart devices
  • Privacy dashboards/preference-management tools to give individuals one place where they can manage what is happening to information.


Status of the ICO Code

The code and the checklist have been issued by the ICO under section 51 of the DPA, which empowers the ICO, after consultation, to prepare codes of practice giving guidance on good practice. Although the ICO cannot take action over a failure to adopt good practice or to act on the recommendations set out in the code, it can pursue enforcement action if an organisation breaches the requirements of data-protection legislation. In considering whether or not the DPA has been breached, the ICO can have due regard to the advice included in the code and the checklist.

Communicating privacy information to research participants

Research organisations should use the techniques in the code to craft effective privacy documents, including external privacy notices, internal privacy policies and research-participant consent forms. Collection of personal data is fundamental to the work of researchers and all methods will require that research participants are given information on how their data will be collected and used. Notice requirements apply to both active data collection and to data not consciously provided by individuals, such as observation, derived data sets and inferred data. 

Users of personal data must implement robust data-protection measures to build trust and meet the higher regulatory and legal requirements under the GDPR. Adopting and adapting the guidance in the ICO code to create engaging – yet effective – privacy notices that grant individuals greater control will help researchers to meet these demands. 

Dr Michelle Goddard is director of policy and standards at MRS
