The ICO has recently published a commentary about the review of 30 UK websites in several sectors, finding that privacy notices are often too vague and generally inadequate. The main concerns identified include:
- Failure to specify how and where information would be stored as well as to provide details about international data transfer.
- Failure to adequately explain whether and how data would be disclosed or shared with third parties.
- Failure to provide users with information on how to delete or remove personal data form that website
- Failure to notify users of their Subject Access Request right.
- Failure to refer to a retention policy.
The review of the UK websites was part of an international examination of notices, communications and practices of 455 websites in sectors like retail, finance and banking, travel, social media, gaming and gambling, education and health. The study called the 2017 GPEN Sweep has been conducted by the Global Privacy Enforcement Network (GPEN), an international network of data protection agencies, with the cooperation of 24 international data protection regulators. Overall, GPEN concluded that:
- Privacy communications across the various sectors tended to be high level and vague, with generic clauses and no specific details (i.e. data may be collected).
- Whilst privacy communications were easy to locate and organisations were generally quite clear on what information they would collect from the users, most of them failed to explain what would happen to their information once it had been provided.
- Organisations generally failed to specify with whom data would be shared (i.e. data may be ‘transferred outside the EEA,’ without saying where or for what purpose).
- Many organisations failed to refer to the security of the data collected and held – it was often unclear in which country data was stored or whether any safeguards were in place.
- Just over half the organisations examined referred to how users could access the personal data held about them.
Organisations need to be more open, honest and transparent in their online privacy notices about how they handle people’s personal data. Adam Steven from the ICO commented “There is significant room for improvement in term of specific details contained in the privacy communication”.
Food for thought: with the GDPR coming into force soon, it is critical for organisation to re-think of their practices in relation privacy communications. People need to be properly informed about what happens to their data once it has been collected and how they can control their information online, and organisations need to make sure they properly inform users on how to do so.