Users need to know how their data will be used

[sanjaypoyzer]

Services have a legal obligation to inform users how their data is going to be used.

The patterns need to follow our privacy principles. If they councils differ from the pattern in any way, they still must follow those principles. (There's a more public version of this list here).

Also worth looking at the GOV.UK Verify Privacy notice, but I'm really keen that we don't just obscure how we're using user's data in a notice that nobody will read.

[sanjaypoyzer]

Oh, also forgot to mention - There is already a link to a non-existent 'privacy policy' on the photo upload page (/service-patterns/concessionary-travel/example-service/photo/upload). Worth thinking about whether or not this should link to a general council privacy statement, or a photo specific one. This will differ based on what the councils will do with the data, but we should work out a recommendation of how to communicate this based on different cases.

Related to that is working out whether or not we think councils should store the photos to make renewals easier. Possibly that should be a separate Issue and discussion though.

[sanjaypoyzer]

@kaydale Did any work happen on this while I was away?

[EUzkuraityte]

Further advice from Lizzie: Orvokki Lohikoski advised @sanjaypoyzer and @lizziebruce on 24/04 that there's a need to flag how personal data is stored. Key information that the user may be concerned about should be contextualised in the on-page copy. Full details of all data storage should be accessible throughout the user journey, but it is ok to do this in a tradional way for example a footer link.

[lizziebruce]

@EUzkuraityte @sanjaypoyzer

2 things I can see here:

1. councils need to have a privacy policy to link to (council's own, following Verify principles, possibly extra content around photo uploading/any retention for renewals if agreed on)
2. data use to be flagged contextually through journey

1 > council team will update their privacy policy to incorporate Verify principles, link to their amended policy will be in footer content 2 > will be done contextually

So can I take the label 'content fix' off this?

[EUzkuraityte]

@lizziebruce @sanjaypoyzer yup, I think there isn't any content here that needs fixing, however, as Lizzie mentioned we need to add in those links throughout the journey as required

[lizziebruce]

@EUzkuraityte @sanjaypoyzer this would be in the council website footer which would automatically show at bottom of all their website pages. Councils should already have this in place. I think it's a legal requirement. So it's more an education piece to ensure council's existing privacy policy follows Verify principles. Perhaps we could add privacy policy as a link in the footer of the prototype to reinforce this, linking to the Verify principles.

[EUzkuraityte]

@sanjaypoyzer can you add (as per Lizzie's suggestion we have privacy policy as a link in the footer of the prototypes).

[lizziebruce]

This is fixed for Argleton and other councils that didn't have privacy link in footer yet i.e. Sunderland, Oxfordshire & Northumberland. Also added examples of other links they might want to include in footer based on quick look at what Bucks, Oxford and Sunderland had.