Demystifying Article 12 – Don’t cloud over the importance of transparency

With the evolution of the digital age and its knock-on effect in terms of the ease with which information is collected (including in ever-increasing amounts), it’s now more important than ever for individuals to have clarity and certainty about how their personal data is used, and for organisations to be clear about exactly why they need an individual’s data and what they’re going to do with it.

A key obligation when it comes to data protection is transparency.

Transparency is defined as a process which involves decisions and processes being completely visible and open to scrutiny, so that it's clear that nothing is being hidden.

Article 12 of the Data Protection (Jersey) Law 2018 (DPJL 2018) states that, as a data controller for an organisation, it is necessary to be clear about exactly what information is being collected and for what purpose, and that the data is being used in a lawful and transparent way. Not only that, but this intent must be communicated in a concise, intelligible and easy to understand way, using clear and plain language that is appropriate for the individual whose information is to be processed. This generally needs to be done at the time the data is obtained from the individual.

The easiest and most direct way to communicate to your data subjects that you are abiding by Article 12 of the Law before collecting their data is through writing a clear statement (usually called a ‘privacy policy’ or ‘data protection statement’ or similar) which is made easily accessible to those individuals. Many organisations choose to make this information available on their website so that individuals can access this information easily and freely.

 

Constructing a Privacy Policy

When constructing a privacy policy, remember to make sure that it includes all of the information set out in Article 12(4) of the law. As a guide, think about what it is you are trying to tell the individual. This can be broken down simply as follows:

  • WHAT: What personal data are you collecting?
  • WHY: Why do you need to collect and process that exact data?
  • WHERE: Where is the data going to be stored?
  • WHO: Who will the data be shared with?
  • HOW: How long do you need it for?

Don’t forget to also explain that individuals have certain rights under the law and give them a contact point, letting them know who they need to contact to exercise those rights.

Achieving Transparency

However, even with a privacy policy in place there are still some common issues we see which can obstruct achieving transparency:

  1. Using uncertain words like “may” and “might” in privacy policies.

Tip: Having information represented in an unambiguous way is important to be transparent. Words such as “may”, “might”, “often” and “most commonly” should be avoided. If you are doing something – you should say it. If you’re not, then you don’t need to mention it.

  2. Not having accurate retention information in the privacy policy, instead using generalisations like “we only keep personal information for as long as necessary to fulfil the purposes it was collected for”.

Tip: For retention periods, phrases such as “as long as necessary to fulfil the purposes…” are unlikely to be sufficient to fulfil the transparency obligations. Be specific. It is key that data subjects can clearly understand how their data is being used in each specific case, including the specific retention period or criteria.

  3. Failing to keep the privacy policy up to date.

Tip: Create a mechanism to review your privacy policy regularly to make sure that information is up to date. This might be a time-based review schedule or a mechanism to review after a change in processing operations.

Although achieving transparency is the primary aim when communicating your intentions with data collection, it must be done in accordance with Article 12. There are a few common issues when it comes to achieving Article 12.

Article 12

  1. Controllers fail to provide complete information on the purposes and lawful basis for each of those purposes.

Tip: We have in the past suggested controllers consider using a table structure to present this information to subjects. This way, data subjects can easily search for the relevant purpose and check the relevant information. This table can also contain retention information for each purpose.

  2. Using legitimate interests as a lawful condition without providing an explanation.

Tip: Any use of legitimate interests must be accompanied by an explanation of the legitimate interests.

  3. Providing little or only general information about the recipients of personal information.

Tip: Controllers need to provide the recipients or categories of recipients of personal data to subjects. This should include processors like software providers and other recipients like group companies and government departments. If the recipients are not named, the controller should provide as much information as possible and be able to demonstrate why this is fair.

  4. Not realising that certain software tools are based in countries designated as third countries and to which special transfer rules apply. Controllers need to know where the data is being processed and, if a controller is transferring data to a third country, it must inform data subjects of this and outline whether there is an adequate level of protection.

Tip: Have a look at our Tools and International Transfers guidance. Remember that there must be adequate protection for any transfer to a third country to be lawful.

  5. Not providing all the required information under Article 12.

Tip: Use the Privacy Policy Checklist on our website and check Article 12 of the law to ensure that you are providing all the required information.

We want you to be data protection confident. If you are looking for further guidance to assist with constructing a robust privacy policy or are concerned that your organisation is not currently abiding by Article 12, you can contact our team via email to enquiries@jerseyoic.org or you can view our Privacy Policy Checklist.