Best Practice Update

Transparency written in pen, with the Data protection education logo above, a hand holding a pen on the left and a reflection of the hand below it


What Is Transparency

Transparency is about being clear, open and honest with your users about what they can expect from you.

Why is it important?

Transparency is key to the requirement under Article 5 (1) of the GDPR for the processing of personal data and underpins the fairness element of Article 5 (1). If you aren’t clear, open and honest about what you do and why you do it, your original collection and ongoing use of personal data are unlikely to be fair to a data subject

Transparency and being open and honest about what you do facilitates the exercise of individuals’ rights and gives people greater control over the use of their personal data. This is particularly important if the processing is complex, involves sensitive data or if it relates to a child. Proactively respecting people’s privacy and their rights to privacy can give you the advantage of increasing the confidence of the public, regulators and business partners in your organisation.  

The GDPR also contains other specific provisions about the information that you must give to data subjects when you process their personal data namely:

  • Article 13 (privacy information that you need to provide when you have obtained the personal data directly from the data subject) 
  • Article 14 (privacy information that you need to provide when you have not obtained the personal data directly from the data subject). 
  • Article 12 which requires you to provide children with privacy information required by Article 13 and Article 14 in a way in which they can access and understand.

How can you ensure that you are transparent?

The ICO makes the following recommendations as part of the process of being transparent;

  • Provide clear privacy information in your privacy notice as set out in Article 13 and Article 14 in a clear and prominent place such as your website; 
  • Make your privacy notice easy to find and accessible for children and parents who seek out privacy information; 
  • Do not rely on children or their parents seeking out privacy notice information instead draw their attention to your privacy notice at the point of each collection of personal data;
  • Use a ‘bite-sized’ ‘just in time notice” of privacy explanations when necessary and make sure it is suitable for both children and adults to understand;
  • Produce a separate privacy notice for use with children and young people;
  • Encourage children and young people to speak to an adult before they activate any new use of their data, and always inform them not to proceed if they are uncertain;
  • Consider if there are any other points in your user journey when it might be appropriate to provide bite-sized explanations to aid a child or young person's understanding of how their personal data is being used; 
  • The information you provide for users about your service should be clear and accessible. This includes terms and conditions, policies and community standards; 
  • In every case you should provide information that is accurate and does not promise protections or standards that are not routinely upheld by you; 
  • If you believe that you need to draft your terms and conditions in a certain way in order to make them legally robust, then you can provide child-friendly explanations to sit alongside the legal drafting;
  • Present information for services aimed at children and young people in a child-friendly way that is likely to appeal to the age of the child who is accessing your service. This may include using diagrams, cartoons, graphics, video and audio content, and gamified or interactive content that will attract and interest children, rather than relying solely on written communications;
  • Consider the use of tools such as privacy dashboards, layered information, icons and symbols to aid children’s understanding and to present the information in a child- friendly way. You should consider the modality of your service, and take into account user interaction patterns that do not take place in screen-based environments, as appropriate; 
  • Dashboards used for online services should be displayed in a way that clearly identifies and differentiates between processing that is essential to the provision of your service and non-essential or optional processing that the child can choose whether to activate; 
  • Tailor your information to the age of the child. For younger children, with more limited levels of understanding, you may need to provide less detailed information for the child themselves and rely more on parental involvement and understanding. However, never use simplification with the aim of hiding what you are doing with the child’s personal data and consider providing detailed information for parents, to sit alongside any child-directed information;
  • You should make all versions of resources, including versions for parents, easily accessible and incorporate mechanisms to allow children or parents to choose which version they see, or to down-scale or up-scale the information depending on their individual level of understanding;
  • Depending on the size of your organisation, your number of users, and your assessment of the risk you may decide to carry out user testing to make sure that the information you provide is sufficiently clear and accessible for the age range in question; 
  • Always document the results of any user testing in your DPIA, or use the DPE Record of Processing tool to support your final conclusions and justify the presentation and content of your final resources. If you decide that user testing isn’t warranted, then you should document the reasons why in your DPIA; and 
  • Consider any additional responsibilities you may have under any equality legislation applicable to you and set this out