Although privacy notices are an important aspect of the General Data Protection Regulation, it seems unlikely that we will have final guidance from regulators for several months. Since we need to start rolling out GDPR-friendly privacy notices for Jisc services sooner than that, we’re using what information we have – the GDPR itself, the Information Commissioner’s GDPR summary and their existing guidance under the Directive – and implementing something that we hope won’t be too hard to modify if required in future.
The key to this is the ICO’s recommendation for “layered notices”. We’ve put most of the legally-required information in a single central page, with individual data collection forms linking to that and providing additional information – either on the form itself or hyperlinked – where they need to. The style tries to combine user-friendliness with legal rigour, but favouring the former. We expect lawyers to be able to work out that when we say “you asked us to process data” we’re talking about what they know as “consent”.
The central notice is structured around the four legal bases that we expect to rely on when handling customer data:
- necessary for contract (“to provide a service you’ve requested”);
- necessary for legitimate interests (“to identify faults or ways to make the service better”);
- consent (“you asked us”); and
- data processor for an educational organisation (“we’re operating a service provided to you by a third party”).
In each case, it turns out that the GDPR’s information requirements can be covered in a paragraph or two.
For data collection pages, we’ve identified three types of service:
- transaction, where the processing has a natural end-point (e.g. a helpdesk query);
- relationship, which is likely to be indefinite (e.g. subscribing to a Jisc service); and
- free consent (e.g. providing input to a survey).
The minimum information in each case is to state which of the four legal bases apply, point to the central notice and, for relationship and consent, tell the individual how to end the processing. We’re also proposing to add optional information, either on the collection page itself or through a link, where appropriate to the particular service:
- If it’s covered by Jisc’s ISO27001 certification; if it involves placing information in a public directory; if any third parties are involved in processing; if data may be transferred outside the EEA; and if there has been a Data Protection Impact Assessment;
- Any option to convert a “transaction” to a “relationship” (e.g. keep my data for the next conference);
- If the service involves a user providing personal data about others (e.g. when managing an organisation’s subscription to a Jisc resource).
We’ve started to roll this approach out for a small number of our services. So far it seems to be working well for those, so expect to see more information in this style over the next few months.