
Privacy Notices – what to look out for when you read

By Emmanuel K. Gadasu
SEP 17, 2022

Let us begin with the right foundation to drive home the relevant education to guide organizations and provide insights to invigorate the well-informed. Privacy Policy and Privacy Notice are two different documents, but privacy policies have been used significantly to represent privacy notices. Both terms have been used interchangeably, but the difference is clear, and they serve different purposes. The difference is explained below.

Privacy policies are internal documents that tell your employees how to protect customer data, while privacy notices are external documents that inform visitors, users of your system, and other stakeholders about how their data is used and the privacy rights they can exercise. So, technically, the term privacy policy on various websites, mobile apps, portals, etc. should read privacy notice: this is the external document on privacy you present to your stakeholders to read. The privacy policy is the internal document for internal use, and it may contain some critical or privileged information that is reserved for employees of that organization only.

Privacy Notice–what is it?

The privacy notice is a document you present to people who visit your website, download and use your mobile apps, install your applications, subscribe to your products and services, use your portals, etc. This is the document used to explain to your audience how you collect their information and how they can opt out. Most data privacy laws, acts, regulations, and directives require organizations (data controllers or processors) to provide a privacy notice.

The privacy notice tells your customers, regulators, and other stakeholders what your organization does with personal information. It answers questions about the types of personal data processed, the lawful basis for processing personal data, and the data being transferred to third parties. A privacy notice must also tell users how long the organization will store their data, the user’s rights to data collected, and the privacy team’s contact information. A privacy notice is sometimes referred to as a privacy statement or a fair processing statement.

Your Personal Responsibility.

It is important to actively seek to always protect your privacy. Before you give any personal or identifiable information out, you need to learn and understand how the organization will use your personal information. It is a good personal practice to read an organization’s privacy notice before you fill out a form, install an app, subscribe to their service, use their products, or continue to browse their website. If you are unhappy with the privacy notice’s terms, or if you are told there is no written privacy notice, your best option is to STOP. At this point, it is best to consider looking for an alternate service provider that respects its customers enough to explain how it handles and protects their personal information.

A privacy policy should answer at least the following basic questions. Be deliberate in seeking answers to these questions.

Q1: What personal information is collected?

What kinds of personal information does the organization collect from you? The mere statement that they collect personal data is not enough; you need to go into more depth. Another important thing to look out for when you read a privacy notice is the exact types of personal data that the organization collects or processes.

For example:

We request the processing of personal data of visitors, such as IP address, a cookie identifier, and email address (but only if visitors request information be sent by email). We also collect non-personal data to learn how visitors found our website, what kind of device they are using, how long they stayed, which pages they visited, etc. This non-personal data is tied to a temporary identifier that is removed after the end of each browsing session.

Q2: How is the information collected?

Besides asking you to provide personal information either manually on a sheet of paper or via an online form, an organization may collect information "automatically" using cookies or other related technologies through its website, mobile apps, or other platforms. A cookie contains information on you that your browser saves and sends back to a website when you revisit it. Websites can use cookies to track your purchases and the different pages you visited or ads that you clicked on. Such information can create a more detailed profile on you that may be sold to marketers. Look for a description of the site's use of cookies or other tracking technology in its privacy policy.

Q3: Why is the information collected?

Does the personal information asked for seem appropriate to the transaction? For example, your name, home address, phone number, and credit card number may be necessary for making and shipping your purchase. Your household income and hobbies are not. Pay attention if a business asks for information beyond what is needed for the transaction. The purpose of the extra information should be clearly stated. Look for an opportunity to opt out of, or say no to, giving the extra information. Consider going somewhere else if you can't complete the transaction without giving up personal information you think is unnecessary.

Q4: How is the information used?

A privacy notice should explain how the organization collecting the personal information intends to use it. Will it be used just to complete the transaction you requested? If additional uses are intended, you should be given the opportunity to opt out of them. For example, if the company plans to use your information to market to you, you should be given an easy way to say no to this. You should get this opportunity right up front before you receive any unwanted email ads, telemarketing calls, or mail offers.

Q5: Who will have access to the information?

Does the company share your information with other companies, government agencies, service providers, etc.? Does it share information with its affiliates or companies in the same "corporate family"? The privacy policy of a commercial website or online service that collects personal information on Accra consumers must list the categories of third-party persons or entities with whom that personal information may be shared.

Q6: What choices do you have?

Look for opportunities to opt out of the use of your information for marketing and the sharing of your information with others. There should be an easy way to opt out, such as by calling a toll-free phone number or emailing.

Q7: Can you review or correct your personal information?

An organization may give you the opportunity to review or request changes to the personal information that it has collected from you. Look for instructions on how to do this. Many organizations allow a customer to review and request changes in the customer's own personal information. A company that collects personal information on its consumers must describe its process for giving consumers access to their own personal information, if it has such a process, in the privacy notice posted on the site.

Q8: What security measures are used to protect your personal information?

The privacy notice should give a general description of the security measures the organization uses to keep customers' and visitors' personal information safe. It should also cover security safeguards that the organization requires its business partners and vendors to use.

Websites requesting personal information should use Secure Sockets Layer (SSL), the industry standard for protecting private information sent over the Internet. Good security also means using strong security measures, such as encryption, to protect personal information when it's stored on company computers. It includes technology and procedures to limit access to customers' personal information to only those who need it to perform their duties.

Q9: How long will the organization honour its privacy policy?

What is the effective date of the privacy policy? Does the policy state that the organization will honor its current policy in the future? Does it say that if they change the policy, they will notify customers and site visitors? Or does it say they will give customers and visitors a chance to opt out of having their information used according to the terms of the new policy?

The privacy policy of a commercial website or online service that collects personal information on Accra consumers must include a policy effective date and information on how consumers will be notified of changes.

Q10: Who is accountable for the organization's privacy practices?

Someone in the organization should be responsible for its privacy policy and practices. Does the notice give you someone to contact with questions and concerns? Is there an easy way to contact the correct person by email or by a toll-free phone number?

Author: Emmanuel K. Gadasu

(Data Protection Officer, IIPGH and Data Privacy Consultant and Practitioner at Information Governance Solutions)

For comments, contact the author at ekgadasu@gmail.com or Mobile: +233-243913077
