The Data Protection Act requires businesses to tell individuals how information that is being collected about them will be used. This can be done by telephone, in hard copy or on-line. This is normally called a data protection notice.
A study was commissioned by Information Commissioner Richard Thomas into the effectiveness of these notices and the opportunities for improvement. He announced the results on Tuesday. "Our research shows that around 60% of people say they care about what happens to their personal information, yet many don't read FPNs," he said.
For a campaign against jargon, his use of the abbreviation "FPN" is disappointing. He explains that it refers to a fair processing notice – a term that is rarely used, but synonymous with data protection notice. In fact, the legislation uses neither term, concentrating instead on the nature of the information to be provided and the need to notify individuals of that information.
Mr Thomas said that, according to the research, "nearly three-quarters of those asked said they would pay more attention to better designed FPNs."
This finding and all the other conclusions were based on a study that focused on the financial sector, identifying the notification problems that test participants faced when they applied for a credit card from Borchester Bank. There were 120 participants in the study and they were asked for their opinions on different versions of the bank's notice.
The study was not based on a real bank: Borchester is the fictional town in BBC Radio 4's soap The Archers. The fiction matters when weighing the findings: this was not a study of actual data protection notices.
Three versions were used in the study, described as "typical," "plain English" and "layered text." But the conclusions drawn on web site practices seem to send mixed signals. (It should be noted that hard copy and telephone notices were also examined in the study but are not covered here. In fact, the key findings from the Commissioner did not differentiate the three media.)
On a dummy web site for Borchester Bank, the "typical" notice was presented in a scroll box containing over 1,600 densely-packed and unformatted words of legalese, with an "Accept" button beneath the box.
The "plain English" version was little different: the word count fell below 1,400 but users were still faced with a lot of text in a small box. The main improvements were to some of the wording and the addition of plain text headings for paragraphs, although with no spacing between paragraphs and no other formatting, once again, the text looked impenetrable.
The "layered" version was significantly different: just a list of nine headlines, such as "Your information" and "Processing Abroad," and an "Accept" button underneath. If a headline was clicked, the list expanded to display further information on the chosen headline, followed by a link to "More Information". This link would further expand the page, revealing a few more paragraphs of explanation, each one separated with a heading in bold text.
Predictably, users preferred the layered version, although around 90% of them ignored all the notices or gave them only a brief read. The report says that this result suggests "that FPN format was less a factor here than aspects of internet operation (i.e. the ease with which participants could navigate through the site)." Those who did read the notices recalled little about them later.
Internet users with a goal – in this case getting a credit card – endeavour to achieve that goal as quickly as they can. They also ignore what they don't see. So if a large "Accept" button offers a shortcut to their goal, avoiding barely-readable text in a small box, that's what they'll click. Similarly, the reason they skipped the layered notice is surely that they could, notwithstanding its aesthetic and usability advantages over the text box.
What makes this study so surprising is that none of the examples – typical, plain or layered notices – conformed to what has long been considered best practice. Existing guidance on web site data protection notices, published in June 2001 by the then Commissioner, Elizabeth France, sets this out.
The guidance, published 18 months before Richard Thomas took office but still available at the Commissioner's site today, made absolutely clear that a link to a notice is not sufficient. And while it welcomes some degree of "layering" a notice, it surely forbids the particular layered notice in the current study.
"We have a privacy statement on our web site. Is this sufficient?," asks the FAQ.
The answer in the guidance:
"Although a privacy statement is important, it is not sufficient to provide the above information simply in the form 'click here to view our privacy statement'. At least the basic messages and choices should be displayed in an intelligible and prominent form wherever personal data are collected, even where a more detailed explanation is provided by means of a privacy statement. Clearly, any basic messages or information given about choices should correspond with the contents of any privacy statement."
An excessively long and unreadable notice in a small scrolling box is arguably inconsistent with the Act's principle of fairness. It certainly breaches web site usability principles. And the alternative, a list of links to further information – with none of the basic messages being displayed by default – is at odds with the 2001 guidance.
It would surely have been a more revealing study that examined the data protection notices on real web sites. Compare the credit card application procedures for, say, Lloyds TSB, Egg, Cahoot and Morgan Stanley, and you see four different approaches to notification.
Wouldn't we learn more from a study of user behaviour based on these sites than we do from a Toy Town study? Apparently the reason for not doing this was to avoid the influence of pre-existing opinions on known brands and also "for legal reasons" that are not identified. This is a pity. Were the banks approached? Perhaps they would have welcomed an independent and funded study of their notices.
The Commissioner has provided relatively little guidance over the years on what amounts to best practice for data protection notices. But such guidance as there is has not been followed in his own study. So it seems wrong to generalise and tell real banks that their notices contain too much jargon. Maybe they too have excessive jargon; my point is that this study hasn't examined them.
It gets worse.
The statement from the Commissioner's office applauds Microsoft for the layered notice at its MSNUK site. The MSN notice is pleasing to the eye: it is presented clearly on a page of its own and has additional links to further details. But some information seems to be missing: it should identify the data controller – presumably Microsoft Corporation, MSN being just a brand – but it doesn't. And what's really surprising is how you arrive at the notice.
The MSN notice is an optional link to a "privacy statement", located in the navigation menu of pages such as the newsletters page. You can also find it by creating an MSN account – this time via a line of text above the personal information form: "MSN respects your privacy."
These MSN pages that link to the privacy statement could conform to best practice if they also carried the basic messages to ensure fair processing – but they don't. There's nothing else on data protection at the point when you provide your personal data.
Mr Thomas also praises the layered approach of Kodak. Again, signing up to a Kodak service reveals that the most basic information is only found by visiting a link to its privacy notice, a practice upon which Mrs France would frown. The third company mentioned is Procter & Gamble – which does appear to follow what we always understood to be best practice: a short paragraph of clear data protection information on the page where personal details are collected, together with a link to more detail.
I put these concerns to Jonathan Bamford, Assistant Information Commissioner, today. Mr Bamford, who has been with the Commissioner's office since 1985, was able to confirm that the 2001 guidance still stands.
So when questioned about Borchester Bank's layered notice, he conceded the point: this web page should have provided basic information on the page by default, in addition to the links to more details. Any layering approach requires basic information as its first layer. "It was designed by consultants, not by us," explained Mr Bamford. "If this was in the real world and I was advising the data controller, I would tell them to add more information."
But he questioned whether people will bother to read the study in this level of detail and spot the flaws in the notice. Of course they won't – but they will see the conclusions, conclusions which may have been different had the participants been offered an example of best practice. Mr Bamford said that his office did not want to contaminate the data by dictating the notices to be used.
So what about MSN?
"We're not running the compliance rule over Microsoft," said Mr Bamford, explaining that the mention of MSN in the Commissioner's statement was "not an endorsement" of the company's data protection compliance or otherwise. He would not comment on the means by which users arrive at MSN's privacy statement because he said this had not been examined.
I argued that businesses would surely interpret the Commissioner's statement as a pledge of support for the layered approach taken by Microsoft – and that they would reasonably look to the way that Microsoft layered its statement and emulate that, the first layer being nothing more than a link. Mr Bamford disagreed. "It wasn't in our mind that people will read it that way," he said.
So the 2001 guidance stands. The point of this research and the Commissioner's statement, as Mr Bamford was keen to stress, is to send a message that gobbledegook should be avoided and that obvious information need not be given.
Did anyone ever suggest otherwise?
What we need is clarity from our Commissioner. Yes, a layered notice is a good thing: a short notice that links to more detail will help the reader. Web sites should display a short notice as a mandatory screen presentation, something that does not require an extra click to be found. The 2001 guidance said this clearly. It made sense and was consistent with the Data Protection Act and the European Directive from which the UK's Act was derived. Mr Thomas just failed to remind us, this important message getting lost in his own gobbledegook.
By Struan Robertson, Editor of OUT-LAW. These are the personal views of the author and do not necessarily represent the views of Pinsent Masons.