Going through the past pages of our diary, we may surprisingly discover an everlasting list of organisations and individuals to whom we have provided our personal information. If we were to challenge ourselves with questions concerning the purposes for which our personal data had been requested or to whom such information may be disclosed or for how long will it be retained, we will be certainly surprised and left without a plausible reply.
The data protection directive lays down that a data controller, the individual or organisation processing personal data, should provide citizens with essential or basic information which may be even supplemented with further information having regard to the specific circumstance in which data is collected. This information must be provided by the controller at data collection stage and when the individual is signifying agreement to the conditions of processing.
It is good practice to provide information in a multi-layered structure, where each layer offers individuals that information required to fully understand their position. This approach shall not be the rule, but this Office feels compelled to recommend best practice procedures to the business community in order to gain ownership of the data protection principles and use them as a main selling factor.
Where communication space and time is limited or restricted, multi-layered formats will certainly improve the readability of notices. This will ensure transparency in the fulfilment of the obligation to provide the required information prior to the processing of personal data.
Generally, notices tend to be lengthy, in small print and contain technical and legal jargon which will often deter the individual from going through. Unfortunately, this will lead to an undesirable situation whereby individuals are not in a position to grant an informed consent. The prerequisite for the layered structure is to have short notices with limited categories of information and text to assist comprehension and memory retention.
As opposed to conventional notices, layered notices are more customer-centric and ensure improved awareness on data protection rights and responsibilities, coupled with enhanced quality of information.
The short notice shall provide data subjects with the core information namely, the identity of the controller, the purposes of processing and any additional information which, in the particular circumstances of the case, must be provided to ensure fair processing. This notice shall also indicate access to additional information.
The condensed notice shall provide data subjects with information intended to include the identity and habitual residence or principal place of business of the controller, the purpose of processing, the recipients or categories of recipients, whether replies to any questions are obligatory or voluntary, the possibility of transfer to third parties and the right to access, to rectify and to oppose. Additionally, a point of contact must be given for questions and information on redress mechanisms.
This structure is well-suited for on-line activity, especially where a click-through is provided from the short to the condensed notice. However, it can be easily adapted for hard-copy formats in case of off-line transactions, provided that the data subject is given a simple means to obtain the required information.
There has always been a relentless drive from all European authorities for a more harmonised information provision, intended to facilitate compliance across the EU and also to improve citizens’ awareness of data protection rights. The clauses should contain the information which is most important for individuals to know and that the individuals are most likely to want to know.
Individuals are urged to read carefully the privacy notices and clauses contained therein, prior to giving out consent for the processing of their personal data. The data protection law does not stipulate or oblige a controller to seek the consent of the data subject in writing. A verbal indication shall suffice. However, this Office always recommends that, as good practice dictates, it is always better for consent to be in writing.
Any individual may seek legal remedy in case of a breach of privacy rights by lodging a complaint with the Data Protection Commissioner. This Office provides free assistance to any person on the drafting of information notices and privacy policies.
Our right to privacy is a fundamental human right enshrined in the Constitution. Our personal data is our identity. Once we sell our data, especially in cyberspace, it would be absolutely arduous to buy it back. This notion should remain fossilised in our minds.