Organisations using privacy policies 'to protect themselves', says ICO

Out-Law News | 13 May 2013 | 2:56 pm | 1 min. read

Too many companies are using the privacy policies they publish "to protect themselves rather than inform the public" about the collection and use of personal data, the UK's data protection watchdog has said.

The Information Commissioner's Office (ICO) said it is to assess the privacy policies published on 250 UK-based websites as part of an international 'privacy sweep'.

The watchdog said that it is "crucial" that organisations explain to consumers how they use their personal information.

"We'll be examining 250 sites based in the UK, looking closely to see how easy the policies are to read, and how clearly they explain how personal information is being handled," Ian Williams, the ICO's international team's lead policy officer, said in a blog.

"Privacy policies might not sound like the most interesting topic for such a study, but they're crucial in making sure consumers know how their personal information is being used. Too often we find organisations using the notices to protect themselves rather than inform the public, and there's no excuse for this," he added.

Williams said that the ICO is one of 19 data protection authorities involved in the 'privacy sweep' project, which is being co-ordinated by the Global Privacy Enforcement Network (GPEN). The results from the project are to be collated by the Office of the Privacy Commissioner of Canada and will be outlined in a GPEN report, which is due to be published in the autumn. The report will give "a global overview of whether the privacy policies available are compliant" and "is expected to also identify websites where further action may be required to comply with relevant national and international laws", he said.

Williams said that firms' privacy policies should explain to consumers how their personal data is used in a clear, honest and easy-to-understand way. He said companies should avoid using a "confusing mixture" of opt-in and opt-out 'tick-boxes' when trying to obtain individuals' consent to the collection and processing of their data.

Privacy policies should be reviewed from "time to time" for accuracy, to keep them up to date and to ensure they remain accessible, and they should also tell consumers what information they need to provide in order to receive goods or services and what other information is purely optional, he added.

In 2009 the ICO issued a code of practice (26-page / 968KB PDF) for organisations to adhere to on privacy notices. The watchdog is one of a number of EU data protection authorities that are currently assessing whether to levy a penalty against Google over data protection concerns expressed about the internet giant's privacy policy.

Microsoft and Facebook are two other high-profile companies that have had their privacy policies scrutinised by regulators in recent times.