Out-Law / Your Daily Need-To-Know

Out-Law News 2 min. read

ICO to update privacy policies guidance


The UK's data protection watchdog is planning to produce new guidance on privacy policies in a bid to ensure it reflects changes in practices and technology.

The Information Commissioner's Office (ICO) said it was conducting a review of its existing privacy policies code of practice which was published in 2009 with a view to producing new guidelines next year.

"The ICO’s current privacy notices code of practice – gives good practice advice and explains how organisations can make sure their privacy notice is as informative and readable as possible, as well as highlighting the benefits that an effective privacy notice can provide," Steve Wood, head of policy delivery at the ICO, said in a blog. "Nevertheless, we believe the time is now right to undertake a review of our existing code."

"We’re keen to get the balance right between clear, general guidance and making sure the guidance works for new technologies – we’d therefore welcome your views on this aspect of the code," he added.

Wood said that businesses still have a "long way to go" to ensure that their privacy polices are fit-for-purpose. He said that too many online privacy notices were overly long, deterring internet users from reading them.

"Organisations are looking to analyse and use more and more personal data – transparency of that processing remains a vital tool in making sure that people continue to trust an organisation with their information," Wood said. "A clear and simple, but informative, privacy notice can be an effective way to demonstrate this transparency. This is important because providing genuine transparency lies at the heart of many emerging data protection issues – from the use of medical data for research to innovative uses of personal data in integrated internet services."

Earlier this year the ICO said too many companies were using privacy policies they publish "to protect themselves rather than inform the public" about the collection and use of personal data.

Mirroring action taken by other data protection authorities across Europe, the ICO this summer called for Google to alter its privacy policy after raising "serious concerns" about its compliance with the Data Protection Act. It has threatened to take formal enforcement action if Google fails to update the policy to its satisfaction.

"In particular, we believe that the updated policy does not provide sufficient information to enable UK users of Google’s services to understand how their data will be used across all of the company’s products," an ICO spokesperson said in July.

In August the ICO said that "significant shortcomings" had been found during a privacy 'sweep' it had participated in alongside other regulators of more than 2,000 websites and mobile apps. Almost a quarter of the websites analysed had no privacy policy detailed and a further third were "considered to be difficult to read". Many privacy notices were not "sufficiently tailored to the actual website" they were published on, it added.

Of the UK websites assessed, a common problem was that the privacy notices failed to clearly specify "how long personal data would be retained for or if it would be transferred internationally", the ICO said at the time.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.