Privacy Policy

Guidance notes relate to on a website’s standard policy regarding the collection, storage and use of non-sensitive personal data, as detailed in our privacy policy template. Our template is for use on a website which collects data in an online application form for the purpose of supplying goods or services to users of the site, or for contacting users with direct marketing information such as a newsletter.

GENERAL DOCUMENT NOTES
A privacy policy outlines a business’ practice concerning the collection, storage and use of personal data. The standard document should be used on a website collecting only basic personal information which is non-sensitive in nature, in an online application form (e.g. name, contact and credit card details). Information collected for the purposes of supplying goods or services for users of the site and for contacting users with direct marketing information.

LEGAL ISSUES
Within the UK the collection and use of personal data by e-businesses must comply with UK data protection laws. Such laws are contained in the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the Regulations).

Although it is not a specific requirement to have privacy policies under the DPA it is good practice as it may help with compliance to some of its provisions. Any failure to comply may lead to criminal sanctions and in some cases personal liability, liability for damages and negative publicity. Such policies aid the data controller to comply with specific obligations. Obligations include:

• That data must only be processed for “specified” purposes (Para 2, part 1, Sch 1, DPA).

• To provide information regarding processing at the time when it collects the data. (para 2(3), part 2, sch 1, DPA)

• The processing of personal data will require the consent of the data subject (Sch 1, 2 and 4, DPA) “Processing” is widely defined. It includes disclosing, as well as obtaining, holding and using data. (S1 DPA) “Personal Data” includes a wide range of information.
Although data controllers may, in certain circumstances process data without consent, it is considered the safest approach, especially with the web as transfers of information are likely to occur outside the jurisdictions of the European Economic Area (EEA). Such consent must be freely given, specific and informed. It is not a requirement that consent should be in writing and implied consent can occur within the UK. This has caused some difficulties in cases where it is not practical to obtain clear consent from the individual. Data controllers may not infer consent from non-response to a general communication.
In order to comply with the fair processing requirement a link to the privacy policy may be included on the website which visitors can view before agreeing to send their
data to the site. It should be made clear that by submitting their data, they consent to it being used in accordance with the policy. The link should be placed in a prominent position and located above the agree or submit button.

Where permitted under the DPA and Regulations a privacy policy should:
• Be worded in such a way which implies the data subjects consent to the processing of such data.
• Have an ‘opt in’ box in order to ensure that consent was given expressly. This must be provided by an appropriately worded tick box.
• Obtain consent for the use of cookies.

A privacy policy is also a useful marketing function in re-assuring customers that their personal data will be kept secure and used responsibly.

INTERNATIONAL CONSIDERATIONS
The DPA applies to all data controllers that are established within the UK under section 5(1) (a). These include; UK registered companies, those who maintain an office, branch or agency within the UK and individuals who reside in the UK. It also stretches to apply to data controllers who are established outside of the EEA but use equipment within the UK for processing data.

If a website operator has establishments that hold data in several countries, they need to ensure that they comply with the data protection laws in each jurisdiction. Although the standard document ensures compliance with the DPA based on the EC Data Protection Directive, considerations must be given to the laws of each state. The Data Protection Directive may not be implemented in the same way in each member state therefore any obligations on the data controller may be more onerous than those imposed by the DPA.

OPTIONAL DATA
Data controllers are under an obligation not to collect data which is excessive in relation to the purpose of collection; therefore there must be an indication on the form whether any information is optional. This can be found in para 3, part I, Sch 1, DPA. It would not be necessary to collect an individuals name and address in providing an online quote for example. If the privacy policy covers the purpose for which data is to be used then it may not be necessary to mark the data as optional. It may help to ensure a data controller is complying with his obligations by marking particular information as optional. This is particularly useful where a website owner may find information useful but not necessarily essential to the business. It also serves to reassure customers that the owner of the website has a sensible approach to privacy.

DRAFTING ISSUES
Our template document is drafted to include square brackets [ ] around terms where you have a choice to make regarding the privacy policy. Simply delete the information that is not relevant and then remove the square brackets. The standard document is appropriate for use on sites which sells books or groceries, or those who provide travel or news information services, also brochure sites as these generally are only intended to provide information about the website owner’s offline services. The policy is not suitable for a situation where sensitive personal data is collected.

Sensitive personal data includes data relating to racial or ethnic origin and religious beliefs. If such data is collected “explicit consent” is required, (S2 and Sch 3, Data Protection Act). Also it is advisable to include a separate privacy policy incorporating its contents into a click-wrap consent form in which the user can then indicate their wishes with respect to the processing.

Once added to a website a privacy policy ideally should be displayed in a prominent position by means of a hyperlink accessible at all points of the site where data is requested. The data subject must have seen the terms on which his or her data is to be used before submitting personal data if it is to be said that consent to processing was given “freely, specific and informed”. The Information Commissioner has indicated that although the use of privacy policies is important, the basic information and choices available should be displayed in an intelligible and prominent form wherever personal data is collected. The commissioner favours a layered notice as the most effective way of raising awareness of how information will be used. This consists of three linked notices:

• The longest one being the full notice including all legal provisions.

• The condensed notice containing the main information, and

• The short notice drawing attention to how the information will be used.

This notice should be clear and easy to read and displayed wherever personal information is collected.

The general website terms and conditions must not contradict the terms of the privacy policy.

The Privacy Policy will be an enforceable contract so it should not promise anything that the data controllers cannot fulfil.

CLAUSE NOTES
Key considerations to the terms of our privacy policy template are highlighted below.

PRIVACY POLICY
Under para 2(3)(a), Part 2 Sch 3, DPA the full name of the data controller must be provided. It does not require data controllers to appoint a representative but if one is appointed the details must be given to the data subject.

INFORMATION WE MAY COLLECT ABOUT YOU
To ensure that an obligation that consent to processing is “informed”, information should be provided regarding the types of data which the site will process. The policy should also refer to less obvious data such as email addresses and times and dates of visits to the site. Also to data which is not collected directly from the data subject.

IP ADDRESSES AND COOKIES
Since the regulations were adopted, regulation 6 expressly requires a website operator to provide his users with clear information about the use, storage of and access to cookies in which he places on the user’s computer. Cookies are small data files placed on the hard drive of the user’s computer. They serve to gather information about the user’s use of the website or to allow the website to recognise the user when he or she visits again. Most browsers automatically accept cookies although they can be set to request acceptance. The Information Commissioner has always been of the opinion that cookies store personal data therefore their use has always had to comply with the DPA.

The regulations do not specify when or how the information should be provided but the Information Commissioner guides that if the information is included in the privacy policy then it should be clearly signposted on the pages where a user may enter the website. Sites who allow third parties to use cookies must also make this clear. The user must also be able to reject the use of cookies. Although how to is not clear the Commissioner suggests that the mechanism used for such a task should be made simple and easy to understand and to use.

As the regulations allow website operators to refuse access to certain parts of the site if the option of cookies is rejected, it is a requirement that the user is made aware of this, as a matter of good practice. Wherever relevant, a privacy policy should make it clear as to whether cookies are served to non-registered users and whether third parties will place cookies on visitor’s computers.

WHERE WE STORE YOUR PERSONAL DATA
The transfer of any data outside the EEA is only permitted where the receiving country has adequate protection (para 1, sch 4, DPA) or if the data subject consents to such a transfer. It should be stated in the policy together with details of the processing involved if data will, or may be transferred outside of the EEA. Wherever possible the website owner should specify the countries to which data is to be transferred.

The act of posting information to a website which can be accessed overseas may constitute a “transfer” of data but not necessarily according to the Lindqvist Case (C-101/01). This can cause problems for website owners who publish personal data on their sites, particularly where they cannot be sure where the information will be accessed.

Such sites include those which enable users to contact one another, such as auction sites and those providing instant messaging facilities. Rules of conduct should be imposed on such sites to ensure that privacy is still protected and these may be included within the privacy policy.

The privacy policy should also include an assurance that the data is to be kept secure. There are security obligations imposed on the data controller by the DPA (para 7, part I, sch1). This helps to promote confidence in the users of the website. The assurance must be qualified by a statement informing the user that the transmission of data via the internet is never completely secure. The policy must also exclude the website owners liability for any personal data lost in transmission to the website.

USES MADE OF THE INFORMATION
Under Paragraph 2, Part 1, Sch 1 and Para 2(3)(c), part 2, sch 1, DPA, information must be provided about the purposes for which the data will be processed. Although this can be general, the data controller must ensure that any non-obvious uses are specified. It should be made clear whether the data will be used for direct marketing purposes and whether they will be published on the site. As individuals tend to refuse to their data being passed onto third parties the data controller must consider the issue of data transfer carefully in their drafting of the privacy policy.

In order to meet the requirements of the regulations, users must be provided with appropriate opt-in and opt-out tick boxes which users can complete before they submit their personal data.

The privacy policy allows data controllers to provide information on future goods or services which might be subject to future direct marketing. Although it is not a legal requirement, it is included to ensure that any opt-in or opt-out consents are given on an informed basis. It also allows the website owner to specify any different types of communication which may be used for direct marketing purposes, it also serves to ensure that informed consent is given.

There are specific requirements that apply to the provision of direct marketing by electronic means. Since the regulations were adopted, sending unsolicited commercial communications on an opt-out basis has been limited. Regulation 22 allows this by electronic means but only on an opt-in basis. This is unless the recipient’s contact details were obtained in the course of a previous sale or in negotiations for a sale; and the communication was in respect of the sender’s goods or services that are similar to the ones purchased in the previous sale. The sender is still required, even if the conditions are met, to provide the option to opt-out of receiving future communications, they must also provide information on how this can easily be done. The drafting of the privacy policy ensures that the website owner complies with this requirement. The use of opt-in and opt-out boxes must be provided in relation to receiving direct marketing information by electronic means.
If there is a change in the purpose for data collection then the policy will need to be amended and the data subjects to be notified. It would be good practice for a website owner to give careful consideration to any future uses of the data they collect so as to avoid the need to gain further consents.

DISCLOSURE OF YOUR INFORMATION
Users of the website should be provided with information regarding whether their data will be accessed by, disclosed or sold to third parties, and for what purpose, (para 2(3)(d), Part 2, sch 1, DPA). In the event of the sale of the business it is crucial that the data controller has the right to transfer data.

YOUR RIGHTS
The legislation does not prevent consent being withdrawn at any time. It is also not an obligation to include a provision reminding customers of their right to withdraw consent, with the exemption of cookies or of direct marketing by electronic means. To include such a provision would help instil confidence in the site.

The privacy policy clarifies that users of the website should always check the policies contained in third party websites before submitting their data as they may not realise that the website is not governed by the original website owner’s privacy policy.

ACCESS TO INFORMATION
Under section 7 of the DPA, users have the right to make written request:
• “To be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller; and

• Where that is the case, to be given by the data controller a description of the personal data, the purposes for which they are processed and the recipients to whom they may be disclosed.” (Subject access request)

The privacy policy is drafted to remind users of such a right. Although it is not a legal requirement it may help to instil confidence in the site. The individual is in most cases entitled to receive a copy of the data held by the data controller and to be told the source of that data. The data controller may charge a fee of up to £10 and the information must usually be provided within 40 days.

CHANGES TO OUR PRIVACY POLICY
In order to ensure continued enforceability, the privacy policy states that any changes made will be notified to users. Any changes made to the policy will only affect how data controllers use the information collected after the changes. Users who provided information before the changes will have done so under the old policy and data controllers are obliged to honour the assurances contained within that statement. Website controllers looking to change the way they use personal data should gain individuals opt-in consent. This ideally will be done by notifying them and gaining their agreement. If an email is sent explaining the new changes, consent is not implied if that individual does not reply. If however, the changes are for a new use and not a new purpose, it will be enough to advise the individuals of the changes giving them the chance to object. This is also the case if the nature and purpose of the use is close to the terms of the original statement.

CONTACT
Ideally the geographical address of the website operator should be given to allow users to withdraw their consent to certain types of processing, wherever the law permits them to do so. You can provide just a contact email address unless you are selling goods or services in which case the law requires a geographical address be provided.