A Notice Does Not Notify Unless It Can Be Understood

‘Ontario has a law that protects your personal health information, including information about you kept at this hospital. We are required to keep your personal health information safe and secure. You have the right to know how we may use and give it out and how you can get access to it.’

These three sentences ‘ short, sweet, simple ‘ begin the text of a poster called ‘Health Information Privacy in our Hospital.’ This poster, one of three in a series (which includes ‘in our facility’ and ‘in our office’), and the three accompanying brochures, are the result of an innovative collaboration that has taken an international consensus and turned it into printed products that are garnering great reviews.

The office of the Information and Privacy Commissioner of Ontario, along with the Ontario Bar Association’s Privacy and Health Law sections and the Ontario Dental Association, spearheaded a team to develop short notices for the province’s new Personal Health Information Protection Act (‘PHIPA’), which launched the products earlier in June 2005.

‘When you’re dealing with the law of consent ‘ and PHIPA is a consent-based statute ‘ adequate notice is a required feature,’ said Ken Anderson, Assistant Commissioner (Privacy) of the Information and Privacy Commission of Ontario (‘IPC’). ‘Ontario’s new health privacy legislation was no exception in requiring custodians of personal health information to make available a statement of information practices. Often, lengthy notices have been used to comply with such requirements, with the result being a failure to communicate. Notices are too long, too complex, and, as research has shown, actually raise more doubts in people’s minds than they allay.’

The short notices movement was born to address these inadequacies.

Background

Research on privacy policies conducted in the United States and elsewhere has provided persuasive evidence that a layered approach, with an emphasis on clear, short notices of information-handling policies and practices, is the most effective way of building consumer trust. For example, the Hunton & Williams Center for Information Policy Leadership, which has done pioneering work on short notices, conducted focus groups on privacy policies. The Center found that consumer trust in companies is eroded by long, legalistic privacy policies. Focus group participants preferred short privacy notices that clearly communicated how a company was using and sharing their personal information and expressed support for a common ‘template’ that could be used by different companies.

The Annenberg Public Policy Center of the University of Pennsylvania surveyed Americans in 2003 and found that even self-styled, savvy Internet users not only fail to understand how online companies typically compile information about visitors to Web sites, but also do not understand privacy notices and will not spend much time to learn more. For example, a majority believed that the very existence of a privacy policy meant that no information about them would be shared.

The European Union’s Article 29 Data Protection Working Group has made consistent recommendations since 2000 (WP 37, 43, 100) calling for simple and understandable information being provided to online consumers prior to the collection of personal information. This would facilitate compliance with the EU Data Protection Directive’s Article 10 requirements concerning information to be given to the data subject.

The growing movement to establish a global short privacy notice had its official birth at the 2003 International Conference of Data Protection and Privacy Commissioners in Sydney, Australia. At that conference, the Commissioners passed a resolution that endorsed the development and use of a condensed privacy notice format that would be standardized across the globe. Our resolution noted the importance of enabling individuals ‘to be well informed and able to exercise choices when the organizations with which they are dealing operate globally’ and called for ‘development and use of a condensed format for presenting an overview of privacy information that is standardized world-wide across all organizations.’ In addition, simple ways for the individual to locate further, more detailed (but still understandable) information (if desired) should be made available.

Since the Sydney conference, a working group of Commissioners, including the IPC, business leaders, lawyers, and privacy practitioners, has been hammering out solutions for developing and implementing a global privacy notice. The group met in Berlin in March 2004 and prepared a memorandum (the ‘Berlin Memorandum’) that emphasized that effective privacy notices should be multi-layered, with all layers using plain language. Other parts of the suggested framework included: