Question to the Department for Science, Innovation & Technology:

To ask Secretary of State for Science, Innovation and Technology, if she will take steps to require that statutory disclosures under articles 13 and 14 of the General Data Protection Regulation be presented in a standard format that (a) identifies (i) all the personal data categories processed for each purpose and (ii) the lawful basis for each purpose and (b) itemises the rights available to data subjects in each case.

Articles 13 and 14 give data subjects the right to be informed about the collection and use of their personal data. Article 13 and 14 already stipulate that controllers must include (i) information about the purposes of the processing for which the personal data are intended as well as the legal basis for the processing, and (ii) information about the rights available to the data subject in relation to their information, such as the rights of access, rectification and erasure.

Article 12 of the UK GDPR states that the information provided in Articles 13 and 14 must be provided in a ‘concise, transparent, intelligible and easily accessible form, using clear and plain language’. Additionally, Article 12 makes provision for this information to be provided in a variety of formats, rather than a single, standard format (‘the information shall be provided in writing, or by other means, including, where appropriate, by electronic means’).

The Information Commissioner’s Office (ICO) provides detailed guidance on the right to be informed. This guidance sets out that it is most effective to provide information to data subjects using a combination of different techniques including layering, dashboards, and just-in-time notices. The guidance also provides advice for controllers on what to consider when presenting this information to a data subject. This can be accessed here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/the-right-to-be-informed/