UK: New "Code of Practice on Privacy Notices, transparency and control" published by the ICO

06 October 2016

Isabella Campion

Following the publication of a revised code of practice for consultation earlier this year, the Information Commissioner's Office ("ICO") has published its new Code of Practice on Privacy Notices, transparency and control (the "Code"). The ICO has said that businesses that follow its good practice guidelines in the new Code will be well placed to comply with the EU's General Data Protection Regulation ("GDPR") which will come into effect on 25 May 2018, and introduces enhanced privacy notice requirements. The Code has particularly useful guidance relating to obtaining consent that is compliant with the new GDPR requirements and using the new GDPR concept of privacy impact assessments during the process of design, roll out and review of privacy notices. There is a section at the end of the Code dedicated to new requirements introduced by the GDPR that is useful for identifying any potential compliance gaps.

A new theme throughout the Code is ensuring that privacy notices cover data processing through newer technologies and methodologies such as big data analytics, profiling of individuals, and the analysis of social media behaviour to generate targeted marketing.

Key new good practice requirements in the revised Code:

  1. How to obtain consent(s): this includes more detail on recommended methods of obtaining consent; a section of guidance on obtaining separate consents when processing information for a range of purposes and having a method for allowing revocation of consent; and a section with specific wording for obtaining consent for direct marketing.
  2. Determining who the data controller(s) is/are in complex data sharing scenarios: this includes a section on identifying the data controllers in a complex data sharing scenario and recommended ways of ensuring that privacy notices are communicated accordingly, for example the possibility of a collaborative end-to-end resource for all data controllers involved in processing that brings all the necessary privacy information for individuals together into one resource.
  3. Use of new technologies to obtain consent: this includes recommendations for the use of preference management tools (such as privacy dashboards); just-in-time notices (notices which appear on the individual's screen at the point where they input personal data); and the use of icons and symbols to indicate that processing is occurring (particularly in relation to Internet of Things devices.) The Code also recommends a blended approach to these new technologies, i.e. using a combination to enhance the user's understanding.
  4. Privacy notices on mobile devices: this includes ensuring that privacy notices are clear and readable on mobile devices and smaller screens.
  5. Content of privacy notices: this includes recommendations for writing privacy notices; the Code also suggests having different categories of privacy notice depending on the user involved, e.g. a separate privacy notice where children's data is processed.
  6. The test, roll out and review of privacy notices: this includes recommendations on how to test a privacy notice before rolling it out, and how to continually keep it under review.

The Code also contains a privacy notice checklist of requirements which organisations may find helpful when assessing their compliance.

The full Code of Practice can be found here.