Last weekend, the Observer newspaper reported the medical research company, UK Biobank, has opened up its vast database to insurance companies. Those companies allegedly then used that data to create digital tools that predict a person’s risk of getting a chronic disease. The database had been populated by the personal information of half a million UK citizens, who had donated it to Biobank for medical research. And, the Observer notes, Biobank had made several public commitments not to share the information with the insurance sector. The Information Commissioner’s Office is now considering the matter.
High profile news stories like this are becoming more common. And it highlights the danger of not being clear with your customers and service users when it comes to privacy. In another example, Google picked up a €50m fine from the French regulator in 2019 for not being open about how data was collected and used for targeted advertising.
Beyond substantial fines, there’s also the question of reputational damage. People want to deal with businesses that are transparent and trustworthy. Research has found an average person’s data is held by 350 brands, and people are becoming less willing to share private information for fear of it being sold or used for other purposes.
Our third Privacy Promise is about transparency, and it’s a key part of building customer trust. If your customer doesn’t believe you’re looking after their data, they’re more likely to report you to the regulator, or stop doing business with you altogether.
One of the easiest ways to show your commitment to privacy is through your privacy notices. We have three templates in the Privacy Compliance Hub – one for staff, one for customers, and one for job applicants – but all of them are an opportunity to show how you’re taking privacy seriously.
Here are 10 things to tell your customers about privacy:
1. What you do with their data
Your privacy notice should be written in plain, easy to understand language and explain all of the ways you use personal data. That could include purposes such as marketing, order processing and staff administration, or perhaps you’ll collect customer account information or browsing history to help you improve products. TikTok’s £12.7 million from the ICO this year was partly due to its failure to provide clear and understandable information to users (particularly children) about how their personal data is collected, used and shared. You can also explain what the benefits are – customers may be more happy to share data if they receive more personalised products and services, for example.
2. Your lawful basis for processing
If you’re collecting and processing personal information, you need to have a lawful basis for each processing operation. A lot of organisations rely on consent (which must be of the standard required by law to be valid), or legitimate interests. Remember, personal information should not be collected for one purpose and then used for another. This can be particularly pertinent in the case of artificial intelligence, where data might be repurposed and used for algorithmic training.
3. Who you will share data with
It’s important to identify the names of the organisations (or specific categories they fall into) that you will be sharing data with. The online counselling service, BetterHelp was fined $7.8 million in the US earlier this year after it shared its users’ sensitive health data for advertising purposes after promising to keep it private. Make it clear that you only share personal information with third parties that are taking the same steps as you are to keep it safe. You will also need to identify where you’re sending personal information to if the recipient organisation is outside of the UK or EEA and set out the safeguards in place to keep that information safe.
4. How long you’ll keep someone’s information for
Be definite about how long you’ll keep someone’s data for, or the criteria you’ll use to determine when that data is no longer required. Reassure them that you’re collecting the minimum amount of data necessary, and that you’ll keep it for the shortest time possible.
5. The rights of individuals in respect of processing
Tell people what legal rights they have in relation to your use of their personal data such as the right of access to the data you process about them (known as a subject access request or SAR). People have an absolute right to object to direct marketing (such as receiving offers from you) at any time which must be complied with. Giving customers control over how much data they share and when they do so helps build trust.
6. The right to withdraw consent
Let people know they can withdraw consent to your processing of their personal data at any time and tell them how to do it. Consent must be as easy to withdraw as it is to give. In July 2022, for example, the EU forced Amazon to revamp its complicated Amazon Prime unsubscription process to one that allows users to unsubscribe in just two steps. Remember this does not apply where one of the other lawful bases such as legitimate interests is being used (although the right to object to processing does apply here).
7. The right to lodge a complaint
Tell people they can complain to a supervisory authority (the regulator). Individuals have the right to raise a complaint with the supervisory authority in the member state where they live, where they work, or where the infringement took place. It’s good practice to include the contact details of the supervisory authority individuals are most likely to complain to – in the UK, for example, it’s the Information Commissioner’s Office.