CONSENT & ANTI-PATTERNS

Contributor

Edgar Whitley

Summary

The proposal is that P3 collect examples of consent anti-patterns: if we see real instances of poor practice in the collection of user data, of presumed consent, of making service provision conditional on acceptance of privacy-hostile terms, etc., we record these instances (not with the intent of alienating the service provider concerned).

In the first instance, we will need to collect some examples of policies which are not necessarily "poor", but which serve as discussion points for the topic.

Hopefully the process of collection and categorization will yield a list of common mistakes, for which P3 could then propose alternatives.

Sample 1:

Note: the example below reflects aspects of a real Privacy Policy statement; for that reason, I have changed some details of the company concerned, and only reproduced those sections of the policy statement which I felt could provide us with a basis for discussion.

Excisions from the original statement are indicated thus: [...]

I make no express or implied comment about whether the policy statement is "good" or "bad", but present it as an illustrative example for discussion.

Context:

Accepting this privacy policy was a condition of completion of an online form for requesting an appointment (in other words, a task which should require no personal data beyond the customer's name, preferred date/time and possibly return contact details).

Excerpts:

2 – Supply of personal information

To process your order we will ask you for personal information at the time you register as a customer (which you are required to provide before you place your first order). We may also collect personal information for Sample competitions for which entries are accepted online. We may also ask you for your personal information when you request information from us, submit any comments to us or if you report a problem with the Website. No personal information will be collected without your consent. We may collect and process the following information about you:

    * your name;
    * date of birth;
    * contact telephone numbers (including mobile);
    * e-mail and postal address;
    * details of any prescription supplied to you by your healthcare professional or medical practitioner;
    * information that you provide by filling in forms on the Website;
    * details of your visit to the Website and any transactions you carry out on the Website.

3 – Our use of your personal information – order placement, competition entry, contacting Sample and Website browsing
[...]

You expressly consent to the Group:
    * processing data relating to your credit/debit card and order details to enable the fulfilment of your order;
    * processing your personal information so that the Group can inform you about new healthcare related products and services available from the Group;
    * processing your personal information to enhance the services and goods the Group makes available to its customers;
    * processing your personal data to conduct research about your health and shopping habits;
    * transferring personal data to offices located in Offshore and the United Kingdom for the purposes of processing by the Group (Offshore has Data Protection laws which are largely the same as the UK);
    * using cookies and traffic data as per Clause 4 below.

If you do not register as a customer but wish to email Sample through the Website (customerservice@Sample.co.uk) you will be providing us with personal information about yourself, including your email address, name and contact details. This may include medical information. You may also be required to supply personal information (but not medical information) through the Website for entering a Sample competition. We will only use such information for the purposes of providing a reply, reviewing any feedback or improving the Website. Such processing may include the purposes set out in Clause 5 (of this Privacy Policy) and transferring the personal information to our offices in Offshore.

If you are simply browsing our Website we will not collect any personal information which will identify you; however, we will collect information using cookies and/or traffic data which uses IP addresses or other numeric identifiers which analyse navigation and use of the Website.

Personal information collected will be retained by the Group for as long as is reasonably necessary (or as defined under applicable healthcare laws and regulations) to provide products and services (including after sales service) to you.

4 – Cookies and traffic data
[...]

5 – Disclosure to third parties

We will not pass your personal information to anyone outside of the Group, without your prior consent, except the following:

    * health authorities including NHS or national equivalent bodies;
    * third party service providers for the purpose of fulfilling your order;
    * in the event that the Group sells or buys any business or assets, in which case we may disclose your personal information to the prospective buyer or seller;
    * any agents or subcontractors that process data on our behalf;
    * where we are otherwise legally required to do so (for example to the Inland Revenue, Benefits Agency, any court of competent jurisdiction or any law enforcement agency with statutory authority).