Hi and welcome back to the CIPN Course 7 on privacy rights. Probably my favorite element of the course because we're talking here about people's rights. As you remember, data protection law and privacy in general is [inaudible] three aspects. It gives organizations obligations, it gives regulators powers, and finally it gives us as individuals rights. I think this is a great place to spend a bit of our time. We're going to start talking about the right to transparency. We're going to talk about the rights to transparency. Again because I'm from the UK, I'm going to talk a lot here about the GDPR rights. But I think it's also worth talking about rights across the globe, and the fact that our rights will differ depending on where we are. But one of the constant rights is the right to transparency. Generally speaking, looking at the GDPR here, there is some general stuff about rights that we need to understand, first start especially with the GDPR. Those rights are free. You can't charge people for their rights. You can't charge people for access to their rights. Generally speaking, you've got to give them within the calendar month. You can ask them to verify their identity so that you know you're not giving data to the wrong person, or giving the right to the wrong person, and you can also ask for enough information to find the data or to find who that person is on your systems. If it's a CCTV request for example, you could say what time did you walk past the CCTV camera? What do you look like? You could ask for a customer reference number. But generally speaking under the GDPR, you're not allowed to ask why. You're not allowed to ask why, you can limit the scope of the request by asking for identity or for making it complicated or hard. I've personally got a problem with a lot of people who ask for the masses of identity documents. "We're just verifying who you are."
I always say to them, "Well, that's funny because I didn't need all this to take up your service, I didn't need all of this to login to your service, so I didn't need all of these to authenticate for anything else you do. So why are you making it harder for my rights?" You've got to give them enough information to interpret and explain all of the data and rights you're giving them, and then further rights they have as a follow on. Let's just talk about what those rights you might actually have. The rights underneath the GDPR and other global privacy laws. You could generally put into all of these different buckets, so this is what we're going to talk about today. We're going to go through transparency, data subject access or their rights to have access to your data, rectification, making the data correct or incomplete, objection. Basically saying, I don't want you to protect my data, I need you to reevaluate that decision, especially when the legal basis and some sort of balancing tests. You're going to have rights around AI or automated decision-making in the GDPR, that would generally be the right to know what the logic of that decision is. It'd be re-evaluated by a human for example. You may have a right to erasure, normally extremely limited. We'll talk about that. People often misinterpret the right to erasure. The right to portability. More of a competition law right actually, more about moving data from one provider to another. Restriction that do not use or suppress the data. Normally where you're arguing about the veracity of some data or where you're asked for that data to be suppressed. That's not delete my personal data, it is just do not use it for a specific purpose such as direct marketing for example. In the ones with the blue at the bottom, I've changed their color because actually the GDPR, they come a little bit later, but they are still rights, they're just not in the rights section.
Right is a complaint to the regulator or for the door to the organization, rights to have your day in court for example, rights for compensation for damage or distress, and rights to be represented by another organization to act on your behalf, a pressure group, some of the privacy international law or someone like that. Loads and loads of different rights to be aware of and we're going to go through them in the next few sessions. But let's start by looking at the first right to transparency. Let's start with the control of course. It pretty much says, "No covert surveillance without lawful authority." That's a really interesting for process that we should not be surveilled without our knowledge or understanding. No one should collect data on us without us having an awareness. I think that's fair. Even if there is lawful authority, I believe the GDPR uses the words necessary and proportionate in a democratic society, i.e. law enforcement perhaps, where to tell you they'd be surveilling you would be to defeat the purpose. There are going to be some cases where the national security within law enforcement, where they can do covert surveillance. But even in those cases, you should generally be open about how you'll be covert. I know that sounds ridiculous, but there should be a level of transparency there. There should be a level of transparency. In fact, that's one of the data transfer issues between the US and the EU. It's not that the USA is using national security to collect data, it's the fact that they're not being open and upfront about how they're using it. They're encouraging organizations to be secretive about if they are having to disclose data for example. What is the lawful authority if you're going to do covert surveillance? If you're going to take out investigations on an individual? It's really interesting when you talk about surveillance to think about what your lawful authority is if you are doing things covertly.
If you're not doing things covertly, well, then you have to tell people, and it's Stage 1 to pursue any of our other rights. Well, you need to understand that you're being monitored. You need to understand that you're being surveilled. Generally, how we do this is some privacy notice. We talked about this. We talked about the difference between a privacy notice and a privacy policy. Now, I know and you know that most of the time when we go out there on the Internet, privacy notices will be called privacy policies. I'm sorry, that's just the way it is, privacy notices will be called privacy policies. But for the exam, we're going to have to know the difference. We're going to have to know the difference between a privacy notice and a privacy policy. Privacy policy, as I said, high-level statement of management intention, privacy notice exactly what data you're processing and how. Generally speaking, we give these at the point of collection. Again, looking at the GDPR, there's a number of information you need to communicate. You need to communicate who you are, the controller. Even if you're not the controller, you need to say who the controller is, where you are, who your Data Protection Officer is, what purposes you might use that data for, what the legal justification for using the data is, who you might give it to, where you might send it across the globe, if you're relying on a legitimate interests argument, what those legitimate interests are. If you're relying on a legal obligation or a contractual obligation, what the contract is, what the law is, how long you are going to keep it, what rights an individual has, and finally, if you're doing any AI, automated decision-making to find out exactly how that data is going to be processed. There's quite a lot of information. That's quite a lot of information to get around to someone. Unfortunately, what's happened is because data protection is often a legal thing, the privacy notices are written by lawyers.
Now, this is nothing personal against lawyers. I'm legally trained myself, I know a lot of very good privacy lawyers. But generally speaking, they've got to be the worst person to write the document. The document to me, the privacy notice is about being transparent. Often if we write in legalese, that destroys that transparency. For me, it's having one big long document that tells me everything I need to know. I think we need that big long document somewhere. But I'd rather be drip fed smaller bits of information as and when I need to know them. We call this a layered approach, which you need to know for the exam, a layered approach. The idea that we get the information as and when we need it in different layers. For example, just consider your bank, you might have a privacy notice for the app you download, you might have a privacy notice for the cookie policy on that website, you might have a privacy notice when you go into the branch and you get recorded on CCTV, you might have a privacy notice when you fill in a form, you might have a privacy notice when you telephone them and get your voice recorded. All of these different privacy notices, it's not one big privacy policy at all, it's a number of privacy statements, a number of privacy notices in order to be transparent because we want to tell the individual at all points, "Hey, we're collecting your data. This is what we're going to do with it." Depending on how the data is used, that privacy notice is going to look very different. Consider the fact that an organization might well, going to have a privacy notice for its operational things, let's go back to our [inaudible] 1, they are caring for patients in the community. Then when they collect the data on the patients, they'll need a privacy notice to say, "Hey, we collected your data." But equally, they might go out, recruit new staff, new nurses perhaps.
But when they go out and recruit new staff, new nurses, that privacy notice, that privacy policy for their staff recruitment, it's going to look very different from the one from their patients because the amount of data they collect is vastly different. Got to make sure that we're intelligent in the way we tell people about our privacy notices. This is not a one-and-done big legal document. This is a series of statements over time, we've got to make them intelligent, succinct, easily accessible, with clear and plain language generally speaking, at the point we're collecting the data or very soon afterwards. We're also going to tell them under the GDPR actually if they put in an access request or if there's a data breach, we're going to tell them exactly that same thing. It's worth drawing a difference between direct and indirect collection as well. We can collect data, fine. But equally, if we've got data from someone else, we might also have a requirement to say, "Hey, we've now got your data." We didn't collect it directly from the data subjects. We'll have to reach out to the data subject and go that we didn't get it from you, but now we've got it, now we're your data controller, now we need to tell you we've got it in order to be transparent, in order to not be covert. That's what privacy notices are. I think it's also worth talking about what they're not. They're not privacy policies, we've said this already. They're not the same thing as a policy. A policy is that high-level management statement of intent. But equally, they are not agreements, they are not contracts, you don't agree to a privacy notice at all. They're simply information you give, so they can't be signed or accepted by anyone. They've got nothing to do with consent. Apart from the fact that you might collect consent at a similar time that you tell them a privacy notice.
So that you don't have to accept a privacy notice, any statements that say by using our website, you accept a privacy notice, it's kind of rubbish. It's not a contract, it's not a terms and conditions. In fact, the GDPR is pretty specific that you should not bundle them with terms and conditions. They should be a separate thing to the legal contract. Whether you're relying on contract or consent or legal obligation, you still need a privacy notice. Completely separate things. Don't sign them, don't accept them. They're nothing to do with the legal basis. There's not only a single one of these. It should be in multiple places depending on the different data types, customized for the different data types. Don't make them difficult to read or walls of text, just anything but simple. Look, we're collecting your data and here's what we're going to do with it. It's just information. It's just a notice. Don't mystify these to make them into anything. Best people to read privacy notices, always consider your audience. I'm very lucky in that I've worked a lot with young people and I think about the right age to pitch your privacy notice at is about a 10-year-old. When you read a lot of privacy notices, they're written with some educated legal professional in mind. You've got to be at least a graduate level to understand the terminology. I think pitch them about 10-year-olds because there are adults out there with a reading age of less than 10. I would pitch them at about a 10-year-old. There you go. Some tips and tricks for you. If you've got a lot to say, use a layered approach, give them a little bit of information in your short space. If you haven't got a lot of space, you're using a mobile phone or you've got some limited screen, you might want to consider putting information in what we call just-in-time. A little bit here, a little bit there. When you click on something, it expands to tell you something. When you click on something else that expands to tell you something.
Yeah, this is a way to do it with a good user experience rather than a bad one. Use icons, symbols for clarity. Think about your audience. Your adult, for example, consumes information in a different way than a child does. Children don't like reading anymore. They like YouTube. They like videos. Video privacy notices could be the way of the future, if you ask me. Consider the fact you've got different channels. You're going to be collecting different information from the Internet, from an app, from a mobile phone, from an audio recording, from an in-person CCTV. These different channels are going to require different types of privacy notices as well. In terms of accessibility, well, you might want to give them access to a log-on, a user self-service, some sort of dashboard. Few examples. This one's an example from Northern Ireland Water. You can see here this is a physical privacy notice for a CCTV system. Again, privacy notice. Says it very clearly what it is, says it very clearly who it's about. Then you can see some of that information required by the GDPR in icon form. I quite like the fact it's got loads of icons here for different purposes, but it gives you a summary as well, gives you where to go for further information. In fact, if you want to see the full big privacy notice in a layered approach, again, there's even a QR code here to go from the physical world to the virtual world. A few others I'd direct you to, I'm just going to walk you through a couple of these. I like the one at Juro.com. They're actually going to license the use of their notice that it's become very popular. There's some good video notices of easyJet and Superdrug and the ICO. I just took a quick look at them. Here's the ICO's one. It's a video, if you go to the ICO's webpage or type in ICO video privacy notice, you can find their privacy notice there in video form as well. Not a bad one. I like Superdrug's.
What's good about the Superdrug is there is a sort of a short version here and then there is a longer version here which you can go to. Again, you see this sort of Q&A examples and there's a video as well. Very sweet marketing-like video, actually really done in a way that's appropriate to their audience. So consider the audience. EasyJet's, I really like easyJet's one as well. For those people who are thinking about easyJet or for thinking about video privacy notice, I think you go onto YouTube and type in easyJet privacy notice or easyJet privacy policy. That's called a privacy policy here, you'll find that one. The final one I really like here is Juro. Other people are available, of course, but when you look at their privacy notice, if I can look at their privacy notice, you'll see again, you've got a much more text-based, but you've got a single view here to look at different types of data and how they use it all in clear sort of text without trying to use legalese, some quite graphical representation. If you want to know more with this layered approach, you can click through, see another layer. Again, there's another layer beyond that as well, if you want to know exactly into the detail that you want. So plenty of good examples out there. There's no excuse anymore. There's no excuse for one big legalese privacy notice. The requirement is to be transparent. The next section we're going to look at is subject access requests, and that's an important one. We're going to took the information provision. There are a number of laws around the globe now that require you to give copies of the data to individuals. We're going to talk about that in the next session. Thank you.