I’ve written on this topic here before.
Effective “Large C” Compliance and “Big G” governance, particularly with regard to the processing of personal data, is all about ensuring that an organisation has the capability to draw a clear and unbroken line between what they say they’ll do with data and what actually happens to it.
That’s why simply copying a Privacy Statement either from a boiler plate template, from your old website, or from a website that has one that you think is cool is a risky undertaking. You need to invest the time and effort into your public statement of your goals, intent, controls, and governance of a mission critical asset otherwise you’ll risk a potentially damaging disconnect between what you say and what you actually do. That is as bad as, or possibly worse then, NOT having a privacy statement.
- Not having one shows you didn’t think about your duties
- Having one that doesn’t actually match what is actually happening with the information shows you care, but just not that much.
Ultimately, the objective of the Privacy Statement is to redress the balance between Data Controller and Data Subject by requiring the Controller to share some information in order to get some.
For that reason it is not a static document that you write once and set aside. It needs to be kept under regular review, particularly when you are changing systems or processes which will affect the nature and extent of your processing of personal data.
What you say you should must match what you actually do or your Privacy Statement will not be worth the ether it is written on.
So, assuming you care enough to actually want to do your Privacy Statement properly, what should be in it?
- Identity of Data Controller
This needs to be more than just a glib reference to the organisation or business. If I’ve gone to “joeswidgets.ie”, I’ll probably be assuming that JoesWidgets Ltd is the Data Controller. The organisations name on its own is not enough. What you need to provide here is some information so that the Data Subject can feel they’ve been introduced properly. According to the Data Protection Commissioner:
Identification should ideally include complete and useful contact details. Useful details would include an e- mail address and postal address that a visitor may use if he/she wishes to discuss any matters relating to the processing of personal data on your website.
So, Joes Widget’s Ltd, email: firstname.lastname@example.org, Widget House, Fenian St. Carlow would be a lot better than just the company name.
All personal data must be captured for a specified purpose. If you don’t have a reason to have it, you shouldn’t have it. Having it without a reason is an offence under the Data Protection Acts.
So, why not share with people the purposes for which you are processing personal data and the various processes which you will fuel using the information people provide. After all, you have nothing to hide (do you?)
Disclosure to 3rd parties who are not working for you under contract need to be flagged. So if Joe’s Widgets was sharing information about widget buyers withFrank’s Flanges, that would be an disclosure that would have to be disclosed. But if Dave’s Data was providing data cleansing services to Joe’s Widgets, there wouldn’t be an immediate need to disclose that relationship.
However, if you have nothing to hide why hide it. You don’t need to mention specific organisations, just the class and category of disclosure and why. For example:
From time to time we may share some or all of your data with seleted business partners where we believe their products and services may be of interest to you with the intent of offering you bundles of products at more specially discounted prices.
In addition, from time to time we may use the services of specialist data management firms to help us maintain the accuracy, quality, and integrity of the data we hold.
- Rights of Access, Rectification and Erasure
It is always nice to remind people that they have a right to access the data that you hold about them and request erasure, correction, or blocking of that data. Again – its is not your data, you are holding it on trust for the Data subject. Again, if you have nothing to hide, why not let people know how to exercise their Statutory rights over their own data?
- The extent of the data being processed
If you have more than one purpose for the data, and if different sets of personal data are being used for different purposes it is important to clearly explain what those purposes are and what data is being used for what.
It doesn’t pay to keep Data Subjects in the dark as if something happens to their data that they weren’t expecting they may complain to the Data Protection Commissioner or blog about it or tweet about it or just tell 100 of their closest friends. Either way you face the headache of answering questions from the DPC or trying to win back a damaged brand.
This has nothing to do with healthy eating. It has everything to do with letting people know that they can choose not to have nuggets of information captured about them and reused by you to identify them. Why not take the opportunity to let them know how to actually block cookies?
Other information you might want to consider including in the Privacy Statement might include an outline of the measures you take to keep Personal Data Safe and Secure (not the detail obviously). Other areas for consideration might include how you keep information accurate and up to date (“hey, use the webform to correct any errors in the info we have about you”), how long you will keep information for (“We keep your data for X period for Y reason”). Likewise if you have a policy to review the amount of data and what you use it for, that might add some additional value to your Privacy Statement.
You might also include information about any cross-border data transfer that might happen (e.g if your web host is in the US or you make use of facilities on your site that process personal data and run on servers in the US). In this case it would be a good idea to link to the Privacy Policies of that service provider (as they form part of your written contract with them) and link to any evidence of Safe Harbor registration or equivalent evidence of adequacy of controls. You don’t need to drown people in data, just give them enough information so they know you’ve actually thought seriously about all of this stuff with their privacy in mind.
How to Complain and Who To
Finally, you should include some information about the process for raising Data Protection issues with the organisation and who those complaints should be sent to. This rounds out the openness and transparency and also means that the first port of call for people with an issue need not be the Data Protection Commissioner.
Once you start processing personal data whether on-line or via CCTV or on paper, the alignment between what your Privacy Statement says you will do and what you actually do is a critical indicator of your compliance capability. The Privacy Statement needs to reflect how things get done in your organisation and on your website. If they don’t, you might as well post Shakespearean sonnets in their place (at least they are more pleasing to read).