Making privacy policies plain and simple

Toni Sekinah, research analyst and festures editor, DataIQ

Everybody who has ever read a privacy notice will know how turgid the language can be. In addition, they can be as long as dissertations. But a new website has been set up to help people better understand the privacy policies of financial services companies. Data Rights Finder was created through a collaboration of Open Rights Group and Projects by IF. Ed Johnson-Williams, policy and research officer at Open Rights Group, told DataIQ, “we’ve got 40 of the biggest banks, insurance providers, some financial services and some price comparison websites. We hope to make it a little bit easier to use your data protection rights when you want to contact companies.”

The main page of the site shows a list of the companies and clicking on a company name leads to a set of categories with drop-down menus. These tabs set out information such as under which lawful basis the organisation justifies its collection and use of customer data, the retention rules, the data categories collected as well as whether a data protection officer is in place, among other topics.

The database is in its alpha iteration and the teams behind it are looking at ways to improve the functionality and usability, so are actively seeking feedback from users on what information is most useful and which sectors people would like to see added next.

"It is a challenge to clarify how data is used in the NHS."

Lots of open booksThe feedback suggests that information about the BBC, the NHS as well as social media networks should be next on the list, though Johnson-Williams foresees the NHS being a considerable challenge. “The NHS is a much bigger challenge to try and clarify how data is used there. The law is different for medical data compared to other sectors and other categories.”

He hopes that some ideas of how to face that challenge will come out of the Data Rights Finder Hackday that will take place on 13th October. The two organisations believe that developers will participate and use the dataset and API to create new ways for the public to access that data.

Data Rights Finder lists companies from challenger banks like Monzo and Starling Bank to incumbents like RBS and Santander. Johnson-Williams said Data Rights Finder was initially populated with companies from financial services because “some of the biggest changes in the way that organisations usually process data are happening in that sector.” He also said that it is a sector that almost everybody in the country comes into contact with.

"Privacy notices are not consistent nor clear."

The database was launched in June 2018 with Johnson-Williams saying it was conceived because he and his colleagues at Open Rights Group saw that in the wake of GDPR implementation many organisations were informing people about their new privacy notices. However, those people were not necessarily going to read them and, if they did, they were quite difficult to read. “They’re either not consistent in terms of their structure or format, but also length, or they're not as clear as they could be and it is hard to compare different competitors.”

The issue of privacy notices coming in many forms is a bane for consumers and posed a challenge for Open Rights Group and Projects by IF. “Many privacy policies are PDFs, some are single web pages, some are multiple web pages and the structure and language used varies quite considerably.” Because of this, writing a programme to read all those notices would be very challenging and take a lot of time.

Instead they created a form, which is accessible via a link on the About page on the website. A person who is reading the privacy notice of a company can complete this 16-part questionnaire simultaneously. This creates a JSON file which is them uploaded to a GitHub repository. “All the companies on our website pull in data from that GitHub repository. So it is human-analysed,” explained Johnson-Williams. Individuals and organisations can complete the form and once it is submitted, those who maintain the site review it and make alterations if necessary, then make it live on the site.

The project is funded by the ICO which will take the maintenance of the website up to December so Johnson-Williams is open to working with a variety of funding organisations.

The aim for the database to grow so if someone wanted to find any company that is particularly respectful of data, this site would help them do so. “It is a difficult thing to do by yourself, but hopefully our site is a first step towards making that process a little bit easier.”


Knowledge-based content manager, DataIQ
Toni is the senior features editor responsible for the origination of DataIQ's interviews, articles and blogs.