Privacy notices: an overview of the ICO Code of Practice
Most websites capture information about their visitors. Under UK data protection law, a website that collects personal data must tell visitors that it is doing so and what the data will be used for.
What is a privacy notice?
A privacy notice is a statement about the organisation's policy on collecting and handling personal data. It is usually given or made available to an individual when data is collected about him or her.
Commonly, an organisation will publish a statement on a page of their website that can be reached from every other page. However, it does not have to be written. Auditory and visual notices are just as valid.
A statement's main purpose is to tell the individual how data about them is collected and used. However, in requiring that this information be provided, the government also hopes that the act of drawing up the policy will force a business to assess whether personal customer information is collected and used fairly and in compliance with the law.
What is the Code of Practice?
The privacy notice Code of Practice (CoP) was written by the UK Information Commissioner's Office (known as the ICO). It aims to provide guidance to organisations that collect and use personal information, so that personal data, whether collected from the individual directly or obtained indirectly from a third party, is collected and processed fairly and transparently.
The Code was issued under section 51 of the Data Protection Act 1998, which gives the Commissioner the duty to promote good practice and to prepare codes of practice. Following its recommendations helps an organisation meet the fair processing requirements of the first data protection principle. (Note that the Act applies only to personal data: information that has been genuinely anonymised, so that no individual can be identified from it, falls outside it.)
What should a privacy notice cover?
A statement should, as a minimum, tell an individual who the organisation is; how the information he or she provides will be used; and who the information will be shared with. It must also take into account both the current use of the information and any likely future uses.
It should be clear and informative, allowing the individual to understand the consequences of providing the information.
Privacy notices for different organisations need to contain different information depending on the data they collect and how they process it. For example, it is necessary to consider how different departments within the organisation might use the data differently.
For clarity, it is sometimes necessary to issue separate notices aimed at different types of individuals, or for different data processes.
If an organisation has specialised or controversial data collection methods, additional help can be provided by the ICO.
Acknowledgement of a notice
When sensitive personal data is being collected, or when previously provided information is to be used in a significantly different way from that originally described (in other words, whenever the individual might object, or might not expect to have to provide the information), the organisation must obtain the individual's positive agreement before the information can be used.
Even if an individual has little choice regarding the provision of information, the information must still be collected and processed fairly.
What are the benefits of the Code?
The Data Protection Act requires that individuals are given the information needed for processing to be fair, but it does not prescribe the form a privacy notice should take or how it should be provided.
However, following the Code of Practice when writing a statement should help an organisation:
draft clear and informative notices
meet the legal requirements for a notice, as set out by the Data Protection Act
create a trusting relationship between the organisation and the people whose information is being collected and processed. This could, in theory at least, give a business a competitive advantage over other organisations that don't publish notices
instil confidence in customers and thus encourage the provision of more valuable information
reduce risk of complaints and queries about the use of the information provided
What are the disadvantages of compliance with the Code?
The main disadvantage is the cost of compliance: drafting a notice that is accurate and complete, and keeping it up to date as data uses change, takes time and often legal input.
Additionally, following the Code exactly can be difficult, as its guidance on how it relates to both the Data Protection Act and the Privacy and Electronic Communications Regulations is not always clear.
It is also reasonable to question the benefit to society as a whole, given that malicious sites, the ones visitors most need protecting from, will not comply in any case.
It is not a legal requirement to follow the Code, but if alternative methods are used, the organisation must ensure that the notice complies with the basic legal requirements as set out by legislation.
Further information and related documents
Please note that the information provided on this page:
- Does not provide a complete or authoritative statement of the law;
- Does not constitute legal advice by Net Lawman;
- Does not create a contractual relationship;
- Does not form part of any other advice, whether paid or free.