Precision and Proportionality Prevent Poor Privacy Policies

The Information Commissioner has published a draft Code of Practice to address the problem of the poor-quality privacy notices that are all too common online, in printed documentation, and even in call centre scripts (the ‘we may record anything we like’ approach). The consultation quite rightly highlights the fact that too many notices are written in legal jargon, are hard to find, fail to clarify key issues about how personal data will be used, and in some cases appear to be deliberately misleading. On a first read, it looks like a really good document: it covers a lot of ground, uses simple language, and even encourages the use of Privacy Impact Assessments to confirm that a data use is legitimate before the notice is written. Best of all, it provides examples of what good and bad privacy notices look like.

I find privacy notices to be one of the most frustrating issues in the privacy field: something that should be so simple is all too often a complete disaster. Unfortunately, this is often because the privacy policies and system implementations behind the notices are themselves a mess. Privacy notices are frequently horribly imprecise, which is what happens when an organisation issues a single notice to cover a host of possible data uses. Organisations seem to forget that data sharing happens both within and outside of the organisation; healthcare bodies and public authorities are particular offenders for issuing ‘blanket’ privacy notices that cover many possible uses of data without saying which apply.

Another big annoyance is a lack of proportionality in data collection: the website that wants to know your date and place of birth, or the demand for a full postal address and phone number before an organisation will email a brochure to you. Again, these organisations either obfuscate their privacy notices or simply ignore their own promise to collect no more information than they require.

I guess the most significant issue is those organisations that either don’t bother with privacy notices at all (for example, the authorities that operate roadside ANPR systems) or publish privacy notices and then completely ignore them, such as local councils that disregard data subjects’ privacy in their electoral roll or planning portals.

If you have any interest in privacy at all, I’d urge you to take a look at the document and submit your comments to the ICO if you have any. After all, this could actually be the start of a UK standard for privacy notices…