October 30, 2017
A review by the Information Commissioner’s Office of 30 UK websites in the retail, banking and lending, and travel and finance price comparison sectors found that data protection and privacy notices were often inadequate. Problems identified in the operation included the following:
- while organisations were generally quite good at specifying what personal information would be collected, 26 of the 30 failed to specify how and where information would be stored. Detail about the international transfer of data was often unclear and vague;
- 26 organisations failed to adequately explain whether they share data with third parties and who that data would be shared with. Three failed to address whether personal information would be disclosed to third parties at all. Only six made reference to their retention policy;
- 24 organisations failed to provide users with a clear means for deleting or removing their personal data from the website; and
- seven organisations did not make it clear how a user could access the data held about them (i.e. through a Subject Access Request).
The UK study was part of a global investigation by 24 data protection regulators from around the world, led by the ICO, which concluded that “there is significant room for improvement in terms of specific details contained in privacy communications.” To read the ICO news release and for more information on the global findings, click here.