ICO to press ahead with 'privacy seals' initiative

Out-Law News | 30 Jan 2015 | 4:25 pm | 2 min. read

The UK's data protection watchdog will press ahead with plans to endorse certification schemes that recognise good privacy practices.

The Information Commissioner's Office (ICO) said that it would progress its proposals on 'privacy seals' (11-page / 211KB PDF) despite calls for it to delay doing so until after the planned new EU General Data Protection Regulation, currently being negotiated, is finalised.

"We do not agree that we should delay our progress and intention to introduce a privacy seal scheme in the UK," the ICO said. "We are taking this opportunity to build the ICO’s expertise in an area that will become significant in the near future because of the Regulation."

"Ideally, we would like to see ICO endorsed schemes to be consistent with the provisions at the European level once the Regulation is in force, and are watching developments closely. At the same time, there is a risk our plans for a privacy seal won’t fit with the requirements in the final provisions for a European wide seal. But there is no suggestion that a national level seal will be made redundant either," it said.

The ICO's comments were contained in a document containing a summary of the responses it received to its consultation on its proposed new privacy seals initiative that was held last year.

Privacy seals schemes afford businesses the chance to obtain recognition for good privacy practices. The ICO said that, although there could eventually be a number of different privacy seals schemes it endorses to recognise particular sector-specific practices, it is in the process of designing a "single, universal seal to be used by endorsed schemes" and that it is looking into obtain trade mark protection for the sign.

Under the ICO's plans, privacy seals schemes will only be endorsed by the watchdog if they are operated by independent bodies. In addition, those bodies would need to gain official accreditation from the UK Accreditation Service (UKAS) before the ICO would provide its endorsement.

However, the ICO said that some respondents to its consultation had questioned the ICO's decision to put a UK limit on its endorsement of privacy seals schemes, but it defended its decision to do so in its summary of responses paper.

"A scheme operator may wish to replicate its scheme in another jurisdiction, or for its scheme to be used for processing that occurs outside of the UK," the ICO said. "This will be possible, but the ICO will not have a role in relation to any processing that is outside the UK. The UK data protection authority can only operate within the limits of its own jurisdiction – it cannot endorse a scheme that is subject to other states’ data protection legislation. It is unlikely that, in the absence of legislation, that there would be mutual recognition between data protection authorities where schemes are based on their own national laws’ requirements."

Gemma Farmer, senior policy officer at the ICO, said that the ICO hopes to announce the first tranche of operators of privacy seals schemes it will endorse later this year with a view to the first scheme being operational next year.

In an ICO blog, Farmer said there are a "number of benefits" to the ICO developing a privacy seals framework.

"Firstly, the awarding of a seal will help to promote organisations that are going above and beyond the call of duty when it comes to looking after people’s information, giving them an opportunity to gain an advantage over their competitors," Farmer said. "Secondly, the seal will help to build consumer trust and choice, as it will demonstrate that an organisation is looking after their information to a notably high standard. More widely, the seal will raise the bar for privacy standards across the UK by incentivising good practice."