Privacy & Information Security Law Blog

In its October 2013 e-newsletter, the UK Information Commissioner’s Office (“ICO”) announced that it is reviewing its Privacy Notices Code of Practice (the “Code”) to assess whether it should be updated. The Code, last updated in December 2010 and issued under Section 51 of the UK Data Protection Act 1998 (the “DPA”), is designed to assist organizations “to collect and use information appropriately by drafting clear and genuinely informative privacy notices.”

The ICO is seeking feedback on the Code and suggestions on how it may be improved. It currently provides an overview of the notice requirements under the DPA, emphasizing that a privacy notice should, at a minimum, provide notice of:

• the organization collecting the data;
• what the organization will do with the data; and
• with whom the data it will be shared.

A privacy notice may provide additional information; the key is that “its primary purpose is to make sure that information is collected and used fairly.” The Code also provides guidance on when privacy notices must be actively communicated (i.e., sent by letter or email or included in a telephone script) and when they simply may be made available (e.g., through a link on a website which members of the public can access). The Code also addresses the sharing and selling of personal information and explains how to provide notice in practice.

All comments on the Code should be sent to the ICO by November 22, 2013, by email to newsletter@ico.org.uk.