To comply with the first data protection principle, individuals should be provided with fair processing information.
Fair processing information consists of:
- the identity of the data controller, including name and address of the organisation,
- what the organisation intends to use the information for, and
- anything else necessary in the circumstances to make the processing fair.
A fair processing notice, or privacy notice, containing the fair processing information should be given to individuals when information about them is collected to ensure the transparency of the processing.
The notice must be:
- up front
- easily accessible
- in plain, clear language which:
  - is relevant to the target audience, and
  - avoids confusing mixtures of ‘opt-ins’ and ‘opt-outs’
- clear about the difference between information that is required and information which is optional
The notice should not:
- require the person to navigate multiple hyperlinks to find the information.
To help individuals access the relevant information, it is probably best to avoid technical language, such as 'fair processing' or 'privacy notice', and use plain language, such as 'how we use your information'.
Organisations may take a layered approach to providing fair processing information - for example, providing brief information on a form, or sign, with directions for seeking further information if the person requires it. Additional fair processing information may then be provided by other means, for example on a website or in a booklet.
When should fair processing information be provided?
Where personal data are obtained directly from the individual, fair processing information must be given or made available to the individual either before the data are obtained, or at the time of collection.
When data are obtained from a third party then a notice must generally be given to the individual when the data are first processed or as soon as reasonably practicable thereafter.
The UK Information Commissioner's Office has published a "Privacy Notices Code of Practice" which is designed to help organisations draft clear privacy notices to ensure that they collect information about people in a transparent and fair way. This has been written to explain how to comply with both the existing Data Protection Act and the EU’s General Data Protection Regulation (GDPR).
Other websites carry advice that may assist in the drafting of privacy notices or data protection policies. The following, whilst not endorsed by the Commissioner, do provide such advice: