The Data Protection Act requires businesses to tell individuals
how information that is being collected about them will be used.
This can be done by telephone, in hard copy or on-line. This is
normally called a data protection notice.
A study was commissioned by Information Commissioner Richard
Thomas into the effectiveness of these notices and the
opportunities for improvement. He announced the results on Tuesday.
"Our research shows that around 60% of people say they care about
what happens to their personal information, yet many don't read
FPNs," he said.
In a campaign against jargon, his use of the abbreviation "FPN"
is disappointing. He explains that it refers to a fair processing
notice – a term that is rare, but synonymous with data protection
notice. In fact, the legislation refers to neither term,
concentrating instead on the nature of the information to be
provided and the need for notification of that information.
Mr Thomas said that, according to the research, "nearly
three-quarters of those asked said they would pay more attention to
better designed FPNs."
This finding and all the other conclusions were based on a study
that focused on the financial sector, identifying the notification
problems that test participants faced when they applied for a
credit card from Borchester Bank. There were 120 participants in
the study and they were asked for their opinions on different
versions of the bank's notice.
The study was not based on a real bank: Borchester is the
fictional town in BBC Radio 4's soap The Archers. That fiction
qualifies the findings: this was not a study of actual data
protection notices.
Three versions were used in the study, described as "typical,"
"plain English" and "layered text." But the conclusions drawn on
web site practices seem to send mixed signals. (It should be noted
that hard copy and telephone notices were also examined in the
study but are not covered here. In fact, the key findings from the
Commissioner did not differentiate the three media.)
On a dummy web site for Borchester Bank, the "typical" notice
was presented in a scroll box containing over 1,600 densely-packed
and unformatted words of legalese, with an "Accept" button beneath
the box.
The "plain English" version was little different: the word count
fell below 1,400 but users were still faced with a lot of text in a
small box. The main improvements were to some of the wording and
the addition of plain text headings for paragraphs, although with
no spacing between paragraphs and no other formatting, once again,
the text looked impenetrable.
The "layered" version was significantly different: just a list
of nine headlines, such as "Your information" and "Processing
Abroad," and an "Accept" button underneath. If a headline was
clicked, the list expanded to display further information on the
chosen headline, followed by a link to "More Information". This
link would further expand the page, revealing a few more paragraphs
of explanation, each one separated with a heading in bold text.
Predictably, users preferred the layered version, although around
90% of them ignored all the notices or gave them only a brief read.
The report says that this result suggests "that FPN format was less
a factor here than aspects of internet operation (i.e. the ease
with which participants could navigate through the site)." Those
who did read the notices recalled little about them later.
Internet users with a goal – in this case getting a credit card
– endeavour to achieve that goal as quickly as they can. They also
ignore what they don't see. So if a large "Accept" button offers a
shortcut to their goal, avoiding barely-readable text in a small
box, that's what they'll click. Similarly, the reason they skipped
the layered notice is surely because they could, notwithstanding
its aesthetic and usability advantages over the text box.
What makes this study so surprising is that none of the examples
– typical, plain or layered notices – conformed to what has long
been considered best practice. Existing guidance on web site data
protection notices, published in June 2001 by the then
Commissioner, Elizabeth France, sets this out.
The guidance, published 18 months before Richard Thomas took
office but still available at the Commissioner's site today, made
absolutely clear that a link to a notice is not sufficient. And
while it welcomes some degree of "layering" a notice, it surely
forbids the particular layered notice in the current study.
Mrs France's guidance, presented as a set of Frequently Asked
Questions, also helped to explain the difference between a web
site's notice and its privacy policy or privacy statement – terms
more familiar to internet users than either "data protection
notice" or "FPN".
"We have a privacy statement on our web site. Is this
sufficient?" asks the FAQ.
The answer in the guidance:
"Although a privacy statement
is important, it is not sufficient to provide the above information
simply in the form 'click here to view our privacy statement'. At
least the basic messages and choices should be displayed in an
intelligible and prominent form wherever personal data are
collected, even where a more detailed explanation is provided by
means of a privacy statement. Clearly, any basic messages or
information given about choices should correspond with the contents
of any privacy statement."
Since this guidance was published four years ago, many
businesses have understood the need to display a notice giving
these basic messages and choices on their web sites at the point of
data collection. These basic messages identify the data controller,
the purposes for which they intend to process personal data, and
anything else needed to ensure fairness. Only additional
information can be relegated to optional links – such as the
privacy policy.
An excessively long and unreadable notice in a small scrolling
box is arguably inconsistent with the Act's principle of fairness.
It certainly breaches web site usability principles. And the
alternative, a list of links to further information – with none of
the basic messages being displayed by default – is at odds with the
2001 guidance.
It would surely have been a more revealing study that examined
the data protection notices on real web sites. Compare the credit
card application procedures for, say, Lloyds TSB, Egg, Cahoot and
Morgan Stanley, and you see four different approaches to
notification.
Wouldn't we learn more from a study of user behaviour based on
these sites than we do from a Toy Town study? Apparently the reason
for not doing this was to avoid the influence of pre-existing
opinions on known brands and also "for legal reasons" that are not
identified. This is a pity. Were the banks approached? Perhaps they
would have welcomed an independent and funded study of their
notices.
The Commissioner has provided relatively little guidance over
the years on what amounts to best practice for data protection
notices. But such guidance as there is has not been followed in his
own study. So it seems wrong to generalise and tell real banks that
their notices contain too much jargon. Maybe they too have
excessive jargon; my point is that this study hasn't examined
them.
It gets worse.
The statement from the Commissioner's office applauds Microsoft
for the layered notice at its MSN UK site. The MSN notice is pleasing to the
eye: it is presented clearly on a page of its own and has
additional links to further details. But some information seems to
be missing: it should identify the data controller – presumably
Microsoft Corporation, MSN being just a brand – but it doesn't. And
what's really surprising is how you arrive at the notice.
The MSN notice is an optional link to a "privacy statement",
located in the navigation menu of pages such as the newsletters page. You
can also find it by creating an MSN account – this time with a line
of text above the personal information form: "MSN respects your
privacy."
These MSN pages that link to the privacy statement could conform
to best practice if they also carried the basic messages to ensure
fair processing – but they don't. There's nothing else on data
protection at the point when you provide your personal data.
Mr Thomas also praises the layered approach of Kodak. Again,
signing up to a Kodak service reveals that the most basic
information is only found by visiting a link to its privacy notice,
a practice upon which Mrs France would frown. The third company
mentioned is Procter & Gamble – which does appear to follow
what we always understood to be best practice: a short paragraph of
clear data protection information on the page where personal
details are collected, together with a link to more detail.
Reaction
I put these concerns to Jonathan Bamford, Assistant Information
Commissioner, today. Mr Bamford, who has been with the
Commissioner's office since 1985, was able to confirm that the 2001
guidance still stands.
So when questioned about Borchester Bank's layered notice, he
conceded the point: this web page should have provided basic
information on the page by default, in addition to the links to
more details. Any layering approach requires basic information as
its first layer. "It was designed by consultants, not by us,"
explained Mr Bamford. "If this was in the real world and I was
advising the data controller, I would tell them to add more
information."
But he questioned whether people will bother to read the study
in this level of detail and spot the flaws in the notice. Of course
they won't – but they will see the conclusions, conclusions which
may have been different had the participants been offered an
example of best practice. Mr Bamford said that his office did not
want to contaminate the data by dictating the notices to be
used.
So what about MSN?
"We're not running the compliance rule over Microsoft," said Mr
Bamford, explaining that the mention of MSN in the Commissioner's
statement was "not an endorsement" of the company's data protection
compliance or otherwise. He would not comment on the means by which
users arrive at MSN's privacy statement because he said this had
not been examined.
I argued that businesses would surely interpret the
Commissioner's statement as a pledge of support for the layered
approach taken by Microsoft – and that they would reasonably look
to the way that Microsoft layered its statement and emulate that,
the first layer being nothing more than a link. Mr Bamford
disagreed. "It wasn't in our mind that people will read it that
way," he said.
So the 2001 guidance stands. The point of this research and the
Commissioner's statement, as Mr Bamford was keen to stress, is to
send a message that gobbledegook should be avoided and that obvious
information need not be given.
Did anyone ever suggest otherwise?
What we need is clarity from our Commissioner. Yes, a layered
notice is a good thing: a short notice that links to more detail
will help the reader. Web sites should display a short notice as a
mandatory screen presentation, something that does not require an
extra click to be found. The 2001 guidance said this clearly. It
made sense and was consistent with the Data Protection Act and the
European Directive from which the UK's Act was derived. Mr Thomas
just failed to remind us, this important message getting lost in
his own gobbledegook.
By Struan Robertson, Editor of OUT-LAW. These are the personal views of
the author and do not necessarily represent the views of Pinsent
Masons.