Point number 1: Simplicity is key
You’ll see below that as long as you’re stating what data you’ll be taking, how you’re going to use it and what the person can expect to receive, and you’re giving them an option to consent, then you’re doing it right.
Point number 2: Transparency is essential
The ICO themselves have this to say: “Being transparent by providing a privacy notice is an important part of fair processing. You can’t be fair if you are not being honest and open about who you are and what you are going to do with the personal data you collect.”
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
It’s also important to state where the data may be coming from. Are you collecting your data from sources which are a little unconventional, like social media, ad platforms, martech & rectech? The ICO lists these three sources:
- observed, by tracking people online or by smart devices;
- derived from combining other data sets; or
- inferred by using algorithms to analyse a variety of data, such as social media, location data and records of purchases in order to profile people for example in terms of their credit risk, state of health or suitability for a job.
Point number 3: Don’t force consent
One thing that’s important to remember is that you can’t force the consent of the individual. This means avoiding things like pre-ticked boxes or having no consent box at all. The ICO explains this as: “Consent should be obvious and require a positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.”
“You must ask people to actively opt in. Don’t use pre-ticked boxes, opt-out boxes or other default settings. Wherever possible, give separate (‘granular’) options to consent to different purposes and different types of processing.”
The Privacy Notice Checklist
Decide what to include by working out:
- what personal information you hold;
- what you do with it and what you are planning to do with it;
- what you actually need;
- whether you are collecting the information you need;
- whether you are creating new personal information; and
- whether there are multiple data controllers.
If you are relying on consent, you should:
- display it clearly and prominently;
- ask individuals to positively opt-in;
- give them sufficient information to make a choice;
- explain the different ways you will use their information, if you have more than one purpose;
- provide a clear and simple way for them to indicate they agree to different types of processing; and
- include a separate unticked opt-in box for direct marketing.
Also consider including:
- the links between different types of data you collect and the purposes that you use each type of data for;
- the consequences of not providing information;
- what you are doing to ensure the security of personal information;
- information about people’s right of access to their data; and
- what you will not do with their data.
Give privacy information:
- in writing;
- through signage; and
Consider a layered approach:
- just-in-time notices;
- icons and symbols; and
- privacy dashboards.
Actively give privacy information if:
- you are collecting sensitive information;
- the intended use of the information is likely to be unexpected or objectionable;
- providing personal information, or failing to do so, will have a significant effect on the individual; or
- the information will be shared with another organisation in a way that individuals would not expect.
Write and present it effectively:
- use clear, straightforward language;
- adopt a style that your audience will understand;
- don’t assume that everybody has the same level of understanding as you;
- avoid confusing terminology or legalistic language;
- draw on research about features of effective privacy notices;
- align to your house style;
- align with your organisation’s values and principles;
- be truthful. Don’t offer people choices that are counter-intuitive or misleading;
- follow any specific sectoral rules;
- ensure all your notices are consistent and can be updated rapidly; and
- provide separate notices for different audiences.
This is one I’ve been playing with, which I believe we’ll be using for our Inbound enquiry forms.
Here at The Recruitment Network we take your privacy seriously and will only use your personal information to provide the products and services you have requested from us. However, from time to time we would like to contact you with details of other products that we may offer, such as marketing collateral, value adding articles, eBooks and whitepapers, software, competitions, discounts and membership opportunities. This will be through email. We promise to limit the number of emails we send you to no more than 5 a week.
If we deem your interest in our products and services, or your suitability to our services, we may contact you to discuss the opportunity of offering some of our premium services. This will be through either email or telephone.
If you consent to these terms, then please tick the box below to confirm.