The term ‘Privacy Policy’ is most often used in an online environment to describe a document which explains to individuals how information about them is collected and used. It may also touch on the wider data protection policy of the organisation. It is important to note that ‘Privacy Policy’ is not a legal term (at least not in the UK) but a user-friendly one. Data protection lawyers typically refer to the document which tells an individual how information about them is used as a ‘privacy notice’. The requirements for what should be in such a notice are in articles 13 and 14 of the UK GDPR. Typically an organisation which operates mostly in a real world environment will have a number of privacy notices for different categories of individuals and a separate data protection policy. Online, the term ‘privacy policy’ may refer to something which is designed to cover the requirements under articles 13 or 14, or it may be more of a hybrid between ‘privacy notice’ and ‘data protection policy’.

Guidance produced by the Information Commissioner’s Office (ICO) does not refer to the term ‘privacy policy’. The term ‘privacy notice’ is normally used by the ICO both in guidance and in their own privacy notices. However, I have noticed that there is one exception: if you click on the link for the privacy notice template then it is, in fact, headed ‘Privacy Policy’. All the notes in it then use the term ‘privacy notice’. My conjecture is that the ICO takes the line that their guidance should use the term ‘privacy notice’ but that this heading on the template slipped through the net.

The overall conclusion is that the confusion around the term ‘privacy policy’ is ubiquitous. ‘Privacy policy’ may mean the same thing as ‘privacy notice’ but be aware that a ‘privacy policy’ may sometimes incorporate an element of data protection policy.