Although it is common practice to approach privacy notice and privacy policy as the same, they are very different and serve different purposes. This article aims to define both privacy policy and privacy notice and to address their differences.
To understand the differences between the two instruments, let us start with semantics.
Privacy Policies
A policy, in the sense used by the ISO management-system family of standards (such as ISO 9000 for quality management and ISO 27000 for information security management), is intended to outline and specify a set of standards within an organisation. It clarifies the company's objectives and sets out the practices that staff and other stakeholders must observe to reach those objectives.
Hence, a privacy policy is a document that outlines the organisation’s approach and best practices regarding privacy and data protection, setting the organisation’s privacy goals and strategies and defining the means of achieving them. This policy can reference other internal documentation about privacy and data protection practices. These might include handbooks, guidelines, standard operating procedures, manuals, job-aids, etc.
The format of the privacy policy will follow the organisation's own standards; however, it should include at least (1):
- the purpose of the policy, setting out the organisation’s privacy goals and delineating how the policy is meant to help the organisation achieve them;
- the scope of the policy, and to whom it applies;
- the risks and responsibilities, setting out the roles and responsibilities regarding privacy and data protection within the organisation, clarifying how violations of the policy affect compliance and the business, and stating how violations may be sanctioned by management, including the disciplinary actions that apply if staff are found to have failed to fulfil those responsibilities.
The privacy policy must be published and communicated within the organisation to ensure that all employees and stakeholders are aware of their responsibilities. This policy may alternatively be referred to as the data protection policy.
Privacy Notices
The “privacy policies” that organisations publish on their websites to provide transparency to data subjects about the processing of their personal data are therefore not privacy policies per se: a privacy policy is an internal document that organisations use to structure their internal governance of privacy and data protection. What organisations actually publish on their websites is a privacy notice.
A notice is a disclaimer. It is purely a means of communication that transparently informs the reader. A privacy notice is therefore the notice that data controllers use to fulfil their duty to inform data subjects and their transparency obligations.
The common elements of a privacy notice are:
- information about the organisation and its contact details, including the Data Protection Officer (DPO) contact details when applicable;
- description of the personal data that is being processed by the organisation, how it will be used, for what purposes and for how long;
- the legal bases for processing, when applicable;
- information about the recipients with whom the organisation may share personal data;
- information about the data subjects' rights and how to exercise them, including information about the existence of automated decision-making, when applicable; and
- information about international data transfers and the safeguards in place, when applicable.
For instance, articles 12 to 14 of the GDPR outline what information a data controller must provide to data subjects: what data they process (data points), why they need those data (purposes), how they legitimise their use (lawful basis), what rights can be exercised in relation to that processing, for how long the information will be retained, among other details.
The privacy notice may also be referred to as a privacy statement or even privacy policy, although the latter is not adequate.
In a nutshell, a privacy policy is an internal instrument that outlines the organisation’s approach and best practices regarding privacy and data protection. Its target audience is internal, namely the organisation’s staff and stakeholders, and it constitutes a data protection governance tool.
Meanwhile, a privacy notice is the notice that organisations use to provide transparency about the processing of personal data to data subjects and to comply with the information obligations set out in privacy laws and regulations. Its target audience is external to the organisation: the data subjects whose personal data the organisation processes.
(1) IAPP. Privacy Program Management, p. 78.