BreachExchange mailing list archives

ICO to update privacy policies guidance


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 8 Nov 2013 21:47:41 -0700

http://www.out-law.com/en/articles/2013/november/ico-to-update-privacy-policies-guidance/

The Information Commissioner's Office (ICO) said it was conducting a review
of its existing privacy policies code of practice, which was published in
2009, with a view to producing new guidelines next year.

"The ICO’s current privacy notices code of practice gives good practice
advice and explains how organisations can make sure their privacy notice is
as informative and readable as possible, as well as highlighting the
benefits that an effective privacy notice can provide," Steve Wood, head of
policy delivery at the ICO, said in a blog. "Nevertheless, we believe the
time is now right to undertake a review of our existing code."

"We’re keen to get the balance right between clear, general guidance and
making sure the guidance works for new technologies – we’d therefore
welcome your views on this aspect of the code," he added.

Wood said that businesses still have a "long way to go" to ensure that
their privacy policies are fit-for-purpose. He said that too many online
privacy notices were overly long, deterring internet users from reading
them.

"Organisations are looking to analyse and use more and more personal data –
transparency of that processing remains a vital tool in making sure that
people continue to trust an organisation with their information," Wood
said. "A clear and simple, but informative, privacy notice can be an
effective way to demonstrate this transparency. This is important because
providing genuine transparency lies at the heart of many emerging data
protection issues – from the use of medical data for research to innovative
uses of personal data in integrated internet services."

Earlier this year the ICO said too many companies were using privacy
policies they publish "to protect themselves rather than inform the public"
about the collection and use of personal data.

Mirroring action taken by other data protection authorities across Europe,
the ICO this summer called for Google to alter its privacy policy after
raising "serious concerns" about its compliance with the Data Protection
Act. It has threatened to take formal enforcement action if Google fails to
update the policy to its satisfaction.

"In particular, we believe that the updated policy does not provide
sufficient information to enable UK users of Google’s services to
understand how their data will be used across all of the company’s
products," an ICO spokesperson said in July.

In August the ICO said that "significant shortcomings" had been found
during a privacy 'sweep' it had participated in alongside other regulators
of more than 2,000 websites and mobile apps. Almost a quarter of the
websites analysed had no privacy policy detailed and a further third were
"considered to be difficult to read". Many privacy notices were not
"sufficiently tailored to the actual website" they were published on, it
added.

Of the UK websites assessed, a common problem was that the privacy notices
failed to clearly specify "how long personal data would be retained for or
if it would be transferred internationally", the ICO said at the time.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
