Drafting A Privacy Statement

In “Basic Law for Web Designers No 2: Website Terms and Conditions” JD Supra 27 Aug 2011, I discussed the terms and conditions that should appear on websites. I said that every website should have at least two sets of terms: “website access terms” and a “privacy statement.” I added that if a website owner intends to market his or her goods or services over the internet, his or her website should also set out his or her terms of business. I then discussed the contents of “website access terms”, “privacy statements” and terms and conditions of business and how they should be developed.

When I wrote that article the OECD website provided a useful tool for developing privacy statements known as the “Privacy Statement Generator”. Sadly, after more than 10 years of service, that tool has been removed. The space where the Privacy Statement Generator used to be found now points to the paper “Making Privacy Notices Simple: An OECD Report and Recommendations”, OECD Digital Economy Papers, No. 120, OECD Publishing. The foreword to that paper notes that:

“Privacy notices are an excellent tool to disclose an organisation’s privacy practices and policies. Research suggests, however, that many notices are too lengthy, confusing, and contain complex legal language. This report recommends that privacy notices be short, simple and usable to make it easier for individuals to assimilate the information they contain and to compare the privacy practices of the organisations processing their personal data.”

Part of the research to which the foreword refers was commissioned by the UK Information Commissioner. The researchers found that approximately 60% of people said that they cared about what happens to their personal information, yet most people ignore privacy statements. Even when they do pay attention to them, readers are not able to assimilate much of the information provided. The problem was that notices were too long and repetitive, they contained financial and legal jargon, they identified the main points inadequately and, above all, failed to engage the reader.

To address those points, the OECD has made the following recommendations:

“1.    Identify data flows: Identify your organisation’s practices regarding the collection, use, sharing, protection, and destruction of personal data.

2.     Conduct a legal review: Determine which laws, regulations, industry codes, contracts, corporate promises, or other legal requirements cover the collection and use of personal data by your organisation.

3.    Prepare a comprehensive privacy policy statement: Prepare a comprehensive statement describing your organisation’s policies and practices with respect to the handling of personal data. Conduct internal reviews to ensure the accuracy of the statement. The OECD Privacy Policy Statement Generator can be of particular assistance for this phase.

4.     Develop a simplified notice: Develop a shorter, clearer notice that includes key information that will enable consumers to understand how their personal data is used and any rights they have with respect to the organisation’s use of that information.

5.    Test the usability of the notice: Conduct testing to ensure that readers of the simplified notice find it comprehensible and user-friendly.

6.    Disclose the simplified notice: Prominently display the simplified notice on the organisation’s website or otherwise distribute it so that it can be readily and easily accessed and read by an individual whose personal data may be used by the organisation. Where needed, ensure easy accessibility to the comprehensive statement for those who want complete details, or where its availability is indicated by the legal review.”

Developing a privacy policy should involve everyone connected with a business including outside professional advisors and not just lawyers and techies. If done properly the process can identify opportunities for cost savings and improving competitiveness as well as enabling compliance with statutory obligations. The benefits should in many cases exceed the cost of carrying out the process.

Identification of data flows should take place as early as possible, preferably at the business planning stage and no later than the time of notification. The data flows to be identified are likely to be the same as the “registrable particulars” that need to be notified to the Information Commissioner under s.16(1) of the Data Protection Act 1998. The legal review should be as broad as possible and must take account of the laws of every jurisdiction in which the business intends to operate as well as those of England or another part of the UK. Though data protection law regulates the processing of personal data, there are many other laws that require the keeping of such data for health and safety, tax and other reasons. The privacy policy will set out the ways in which these often conflicting requirements can be reconciled. It is likely to be designed for the use of the managers, employees and others connected closely with the business rather than those who come into occasional contact with it. The notice will be a distillation of the policy and will contain such information as the data to be collected, how such data are to be held and how to make a subject access request. Ideally, it should be no more than a few hundred words and it should be written in everyday language rather than legalese or tech speak. The process of developing and reviewing a privacy policy and the resulting public statement should be a continuous one, partly to comply with the Data Protection Act 1998, since notification must be renewed every year, but also to ensure that the information processing resources remain efficient.

Having contributed the first chapters on data protection to Butterworths Encyclopaedia of Forms and Precedents and Atkins Court Forms nearly 30 years ago, I have been consulted on a lot of privacy statements. Should anyone wish to discuss this article or any topic concerned with data protection, he or she can call me on 0800 862 0055 or use my contact form.


About Jane Lambert

I am a barrister specializing in intellectual property, technology, media and entertainment and competition law. I specialize in helping SMEs (small and medium-sized enterprises) protect and exploit their investment in brands, design, technology and the arts. SMEs require intellectual property (legal protection for their intellectual assets) at least as much as big business, but their limited means restrict the way they can use it. Looking after such clients wisely requires skills and knowledge which have taken me years to learn.