When thinking about what processes you undertake and what personal information you process, you’ll need to include the more obvious “identifiable” attributes such as names, addresses, email addresses, and anything by which your users can be identified directly. You also need to include indirect attributes such as cookies, IP addresses, device IDs or vehicle registration numbers, which on their own may not identify the person, but could identify that person in future when combined with other data you hold, or could reasonably come into possession of.
1. It must ensure compliance with the law and certainly be written in the ‘spirit’ of the law.
- It should state that you are a Data Controller for the information you collect and include your contact information.
- State in general terms the processing you undertake, including the legal basis you rely upon to undertake that processing.
- The broad categories of data you process and, if you don’t get this from the individual directly, where you obtain it from.
- Who will use or access the information, or who you will share it with, and why.
- The individual’s rights and how to exercise them.
3. It must be relevant to your business. There are examples filtering through the Information Commissioner’s caseload now where the business has merely copied someone else’s policy, or used a template, but failed to tailor it to their own business.
Depending on your business’s activities, size and use of data, there will undoubtedly be a lot of information to get across, and how you present it will be very important. It should not be cluttered with legal jargon or irrelevant information; it should be easy to find and the content easy to navigate. For example, if I visit your website to place an order, I should be able to easily see what you do with my data when I place that order.
- If you collect data on your website, the policy should be on your website.
- If you collect data in reception or at a store front, it needs to be printed or otherwise made available at that location.
- If you obtain data via a third party (for example, you run an Amazon or eBay store), you need to ensure that your policy can be accessed through those platforms.
It is that third point which also ties in with your due-diligence processes, particularly where third parties are used to supply goods, services or functions for your business, including payroll administration, website hosting, data storage, confidential waste management and IT management.
In the final part of this three-part series, I look at some examples of best-practice privacy policies, and a few less appropriate ones which could see their owners fall foul of the law…