Privacy Notices

JULY 2009

Following a consultation in the first quarter of this year, the Information Commissioner's Office (ICO) has published a new Code of Practice on privacy notices.  The ICO has also published a Checklist for Small Businesses to help them collect and use information about customers properly, and Guidance for Consumers on what they can expect when organisations collect information about them.  All three publications can be found at the ICO website at www.ico.gov.uk.

The Code is designed to assist businesses to collect information properly using a clear and genuinely informative privacy notice.  The notice should ensure that individuals know how their information will be used and what the consequences will be.  Privacy notices can be oral or written statements.  They often appear on websites.  They are required by the Data Protection Act 1998 where personal information is being processed.  The Code is keen to stress that privacy notices should be genuinely informative and, using words that seem designed to make the average lawyer reel back in horror, the Code states that “a privacy notice that is legalistic or drafted with the primary objective of indemnifying an organisation is unlikely to achieve this objective.”

The Code is aimed at all organisations that collect information about people, whether directly or indirectly.  It does not apply to the collection of information that does not identify people such as anonymised or statistical data.  The Code has been issued because the ICO is required to promote good practice and is empowered to issue codes of practice following consultation.  However, organisations are not obliged to follow the recommendations in the Code provided they comply with provisions of the Data Protection Act 1998 where it applies to them.

The Code provides helpful guidance on what constitutes ‘fair’ processing of personal data.  It means that organisations should be honest and open about who they are and the purposes for which personal data will be used.  The Code stresses that privacy notices should not include long lists of possible future uses for personal data when it is unlikely that the data will be used in those ways.  The Code also discusses comprehensibility, transparency and consent, and sharing and selling information.  In particular, the Code warns organisations not to lead people to believe that they can choose how their information is collected and used when, in fact, they cannot.

The Code advises organisations not to state the obvious: if a reasonable person is likely to anticipate and agree to the collection of their personal data, the collection is necessary for the purposes of delivering a service or concluding a transaction with them, and it has no unforeseen consequences, then there is no need to take positive action to provide a privacy notice.  Somewhat contradictorily, the Code then goes on to say that even in such cases, it is good practice to have a privacy notice available for those who wish to read it.  Of particular note in the current economic climate is that if businesses are insolvent, bankrupt, being closed down or sold, then databases may be sold, and the seller should ensure that the personal information will only be used for the same or a similar purpose as stated in the original privacy notice.  If the buyer wishes to use the personal information for a new purpose, the consent of the individuals concerned should be sought.

The Code’s final section provides practical drafting advice and examples of well and poorly drafted privacy notices.  The Code recommends that the privacy notice is delivered in the same medium that is used to collect the information.  A ‘layered’ approach is highlighted whereby basic privacy information can be provided there and then with more detailed information available elsewhere.  Finally, privacy notices should be accessible and organisations should review them periodically.

Tanya Shillingford
Partner

If you would like any further information about the issues raised in this article please contact Tanya Shillingford (tshillingford@gdlaw.co.uk), or any other member of Goodman Derrick LLP’s corporate team on 0207 404 0606.

This guide is for general information and interest only and should not be relied upon as providing specific legal advice.
