Written and recorded by Robert Edwards, Law Hound
Welcome to this training session from Data Law. My name is Robert Edwards. I'm a consultant with Law Hound. Previously, I was a counterintelligence and IT security specialist with Her Majesty's Government before moving on to lecture and to provide legal training.

GDPR privacy notices

The General Data Protection Regulation (GDPR) is designed to update the Data Protection Act 1998 (DPA) to provide greater transparency, enhanced rights for citizens and increased accountability. In this session, we're going to examine what the GDPR says in relation to providing information to individuals and the use of privacy notices.

I shall be using the following terms: "individual", meaning the data subject, the individual whose data is held by an organisation or data controller; "organisation", meaning the data controller, the organisation holding the data; "data", meaning personal data as applicable within the meaning of the Data Protection Act 1998 (DPA) and GDPR; and "ICO", meaning the Information Commissioner's Office.

The basis for providing information is outlined in Articles 12, 13 and 14 of the General Data Protection Regulation. Individuals must be provided with fair and transparent information about the processing of their personal data. The information required is more detailed than under the DPA. According to Article 12, information provided to individuals about how their personal data will be processed must be concise, transparent, intelligible and easily accessible; written in clear and plain language, particularly where the information is addressed to a child, which means giving proper consideration to the nature of the intended recipient; and free of charge.

How should you provide the information? Under Article 12 of GDPR, organisations must take appropriate measures to provide the prescribed information. Article 12(1) says that the information can be provided in writing or by other means, such as signage, including, where appropriate, by electronic means.
The information can also be provided orally if the individual requests this, but only provided that the identity of the data subject is proven by other means. To be effective, the ICO advises that when you write and present the information, you use clear, straightforward language and adopt a style which your audience will understand. Don't assume that everybody has the same level of understanding as you; avoid confusing terminology or legalistic language. Draw on research about the features of effective privacy notices. Align the information and the presentation of it to your house style. Align with your organisation's values and principles. Be truthful, and don't offer people choices that are counterintuitive or misleading. Follow any rules specific to your industry sector. Ensure all your notices are consistent and can be updated rapidly, and provide separate notices for different audiences.

The ICO describes a privacy notice as all the privacy information that you make available or provide to individuals when you collect information about them. It is regarded as one of the most common ways to provide individuals with the necessary information they need to be aware of. Developing what the ICO refers to as a clear and effective privacy notice should be straightforward for many organisations; however, it will not be suitable for all businesses, and for some organisations it will be necessary to have more than one notice or document to provide individuals with the relevant information in different ways, particularly when the people interacting with an organisation have varied levels of intellect or maturity. Combining privacy notices with other techniques can help organisations provide individuals with greater choice and control over how their personal data is used, and demonstrate that the organisation is using personal data fairly and transparently.

The ICO has issued guidance to assist organisations when providing information to individuals. In this, the ICO advises that it is good practice to develop a blended approach, using a number of techniques to present privacy information to individuals. The ICO favours a layered approach, which is described as usually consisting of a short notice containing the key information, such as the identity of the organisation and the way you will use the personal information. It may contain links that expand each section to its full version, or a single link to a second, longer notice which provides more detailed information. This can, in turn, contain links to further material that explains specific issues, such as the circumstances in which the information may be disclosed to the police.

Other suggested techniques include just-in-time notices, which work by appearing on the individual's screen at the point where they input personal data, providing a brief message explaining how the information they're about to provide will be used; video; icons and symbols; and privacy dashboards, in which changing settings causes additional information to become available. The ICO advises that organisations consider using preference management tools such as a privacy dashboard where applicable, and particularly if you process personal data across a number of applications or services, because you can embed links to it from within your privacy notice. It gives individuals a real choice about who their data is shared with, because they can manage their preferences: they can agree or withdraw consent, where consent is relevant, by altering settings, which can help you to comply with your obligations more easily.

Before you start on your privacy notice, be clear about how you process data. Before you can provide any information to individuals about the processing of their personal data, you need to be clear about what information you're collecting and exactly how you're going to use it.
Therefore, the ICO advises taking the time to consider: what information you hold that constitutes personal data; what you do with the personal data you process; why you actually need to carry out these processes (consider a privacy impact assessment, which could help you to answer this question); whether you're collecting the information you need; whether you're creating derived or inferred data about people, for example by profiling them, in which case you could be creating new data; and whether you will be likely to do other things with the data in the future. This can be particularly important if you're undertaking a large-scale analysis of data (big data analytics).

Be clear about whom you share data with. The next step is to be clear who you're sharing information with. Unless there is an exemption from this, then to ensure your processing is fair you need to tell the individual what you're doing with the data, even if you have a lawful basis to process it. Individuals must be clear about all of the parties involved in data sharing, how their personal information is shared and why it is shared. In some situations there can easily be a number of people with whom you share the data, but it is important that you are clear about this so that you comply with the requirements.

The individual's consent to data processing. Where your lawful basis for processing is based on an individual's consent, then you need to be sure that you obtain consent, making sure that you're not merely telling the individual how you're going to use the information, and record that consent. It makes sense, therefore, to consider this at the same time as your privacy notice. As the ICO advises, your method of obtaining consent should be displayed clearly and prominently. Ask individuals to positively opt in, in line with good practice, and give them sufficient information so that they can make a choice.
If your consent mechanism consists solely of an "I agree" box with no supporting information, then users are unlikely to be fully informed and the consent cannot be considered valid. In addition, the ICO is clear that if you're processing information for a range of purposes, you should explain the different ways you will use the information and provide a clear and simple way for individuals to indicate that they agree to the different types of processing that will be applied to their data. In other words, people should not be forced to agree to several types of processing simply because your privacy notice only includes an option to agree or disagree to all. People may wish to consent to their information being used for one purpose but not another. As the ICO advises, good practice means listing the different purposes with separate, unticked opt-in boxes for each, or yes/no buttons of equal size and prominence, and prominently placed opt-in boxes in your privacy notice. Alternatively, use just-in-time notices so that relevant information appears at an appropriate time. You should also bear in mind how you can obtain consent if you make any changes to your privacy notice, and how an individual can withdraw their consent if they don't agree with those changes.

What information should you provide? Well, what does GDPR require? The information you provide must be more detailed and depends on whether the organisation gathers the information directly from the individual or indirectly. There is additional information to be provided irrespective of how the data was obtained. Article 13 makes it clear that, irrespective of how or from where the information is obtained, you will need to provide the individual with additional information, including the following: who you are, the identity and contact details of the data controller; the lawful basis for processing; the legitimate interests of the controller and, where applicable, any third party;
details of transfers to third countries outside the EU and the safeguards applied to transfers; how long the data will be retained (the retention period), or what criteria will be used to determine the retention period; the existence of each of the individual's rights, including those of data portability, the right to object to processing, and the right that the individual has to withdraw their consent at any time where relevant, which is applicable if processing is based on consent; the right to lodge a complaint with the supervisory authority; and the existence of automated decision-making, including profiling, and information about how decisions are made, the significance and the consequences.

Direct information. In addition, if the data is obtained directly from the individual, then you must also provide the following information: whether the provision of personal data is part of a statutory or contractual requirement or obligation, and the possible consequences of failing to provide the personal data. All of the information, that is the basic information and the additional information, should be provided to the individual at the time the data is obtained.

Indirect information. Article 14 makes it clear that, in addition, if the information is obtained other than directly from the individual, then you must also provide the following information: the categories of personal data, and where the data came from, the source, and whether it came from a publicly accessible source.

Providing information in practice, based on the ICO guidance. Let's examine how you will actually provide the information required in practice. The starting point is to provide the basics about who you are, what you're going to do with their information and who it will be shared with. Beyond the basics, the ICO encourages organisations to provide information including the following: the links between the different types of data collected and the purposes that you intend to use each type of data for; the consequences of not providing information; what you as an organisation are doing to ensure the security of personal information; information about people's right of access to their data; and what you will not do with their data. As the ICO advises, you also need to ensure that your information is in sufficiently broad terms to allow for development in the way you use personal data, while still providing individuals with enough detail for them to understand what you will do with their information. But it must be based on how you intend to process personal data, not simply a list of potential future uses. So if you don't intend to share data with anyone else, then explicitly declare this in your privacy notice; however, make sure that you build in regular reviews just in case the situation should change. It's also good practice to build in system warnings or flags so that data which is sharing-restricted cannot accidentally be shared. Sharing such data will constitute a data breach.

And that concludes this session for Data Law. Thank you for joining me, Robert Edwards, on this session.
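To make the consent and sharing-flag points concrete, here is an added example (not from the session, Law Hound or the ICO) of a small consent ledger: it records a separate, actively ticked opt-in per purpose, stores the privacy-notice version each consent was given under so that a changed notice requires fresh consent, supports withdrawal, and exposes a sharing-restricted check of the kind the session recommends as a system flag. The class, purpose names and subject identifiers are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical purposes; one separate opt-in each (no bundled "agree to all").
PURPOSES = ("service_delivery", "marketing", "third_party_sharing")


@dataclass
class ConsentLedger:
    notice_version: str                         # version of the notice shown
    records: dict = field(default_factory=dict)  # subject -> purpose -> record

    def record_opt_in(self, subject, purpose, ticked):
        """Store consent only if the box was actively ticked (never pre-ticked)."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        if not ticked:
            return False  # an unticked box is not consent
        self.records.setdefault(subject, {})[purpose] = {
            "version": self.notice_version,
            "at": datetime.now(timezone.utc),  # evidence of when consent was given
            "withdrawn": False,
        }
        return True

    def withdraw(self, subject, purpose):
        """Withdrawal is kept as a record rather than deleted, for accountability."""
        rec = self.records.get(subject, {}).get(purpose)
        if rec:
            rec["withdrawn"] = True

    def has_consent(self, subject, purpose):
        """Valid only if not withdrawn and given under the current notice version."""
        rec = self.records.get(subject, {}).get(purpose)
        return bool(rec) and not rec["withdrawn"] and rec["version"] == self.notice_version

    def update_notice(self, new_version):
        """A changed notice means earlier consents no longer count; re-consent is needed."""
        self.notice_version = new_version

    def can_share(self, subject):
        """Sharing-restricted flag: share only with live consent to third_party_sharing."""
        return self.has_consent(subject, "third_party_sharing")
```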