ICO slams privacy notices, seeking new code of practice


The data protection watchdog is to take action against organisations that post privacy notices on their websites and printed documentation which are self-serving rather than useful to consumers.

The Information Commissioner's Office is asking for feedback on a new draft code of practice to redress the problem.

"Some privacy notices contain too much legal jargon and are written to protect organisations, rather than to inform the public about how their information will be used," the ICO said.

All firms that collect data about people that they may want kept private will be affected by the proposed code. Firms that use behaviour targeting technologies or profiling for commercial or law enforcement purposes may be specially affected.

Organisations' privacy notices set out how they handle people's personal details. The consultation covers aspects such as

• asking people to fill in their names, addresses and health information on an official form

• collecting information about shoppers from their loyalty card transactions

• recording and retaining the calls customers make to a call centre

• analysing a person's on-line purchasing habits to compile targeted offers and recommendations

• reading a car's number plate automatically and recording that its driver is in charge of an untaxed vehicle.

The ICO said firms should put themselves in the consumer's place. Would they then understand from the notice who is collecting the information and why, what the implications are, and whether they would object? "If you mistreat personal information, you are also mistreating the people it is about and will probably be breaking the law," the ICO said.

The ICO said firms may need to do more than the basic law requires. This included telling people if they intended to pass on any personal information to other organisations, and, if so, their identity and what they would do with the information.

Firms should say how long they or other organisations intend to keep the information. They should say whether replies to questions are compulsory or voluntary and the consequences of not replying. They should say whether the information will be transferred overseas.

The ICO said firms should spell out people's rights under the law, and say who they should contact to complain or to know more about how their information will be used.

Iain Bourne, head of data protection projects at the ICO, said, "The draft Code of Practice says that organisations should not be scared of using personal information in a reasonable way which people would expect. Where organisations are going to use personal information in a way that is controversial or unexpected, or if sensitive or confidential information is involved, organisations should ensure they explain this to people."

The draft code contains examples of good and bad practice and insists that organisations do not mislead the public, or provide people with choices they cannot understand, or that they will not honour.

The consultation runs until 3 April 2009.
