GENERAL DOCUMENT NOTES
Within the UK the collection and use of personal data by e-businesses must comply with UK data protection laws. Such laws are contained in the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the Regulations).
Although the DPA does not specifically require a privacy policy, having one is good practice as it may help with compliance with some of its provisions. Any failure to comply may lead to criminal sanctions and, in some cases, personal liability, liability for damages and negative publicity. Such policies help the data controller to comply with specific obligations. These obligations include:
• That data must only be processed for “specified” purposes (Para 2, part 1, Sch 1, DPA).
• To provide information regarding processing at the time when it collects the data (para 2(3), part 2, sch 1, DPA).
• The processing of personal data will require the consent of the data subject (Sch 1, 2 and 4, DPA). “Processing” is widely defined: it includes disclosing, as well as obtaining, holding and using data (s 1, DPA). “Personal data” includes a wide range of information.
Although data controllers may, in certain circumstances, process data without consent, obtaining consent is considered the safest approach, especially on the web, as transfers of information are likely to occur outside the jurisdiction of the European Economic Area (EEA). Such consent must be freely given, specific and informed. It is not a requirement that consent be in writing, and implied consent can occur within the UK. This has caused some difficulties in cases where it is not practical to obtain clear consent from the individual. Data controllers may not infer consent from non-response to a general communication.
data to the site. It should be made clear that by submitting their data, they consent to it being used in accordance with the policy. The link should be placed in a prominent position and located above the agree or submit button.
• Be worded in such a way as to imply the data subject’s consent to the processing of such data.
• Have an ‘opt in’ box in order to ensure that consent was given expressly. This must be provided by an appropriately worded tick box.
The DPA applies to all data controllers that are established within the UK under section 5(1)(a). These include UK-registered companies, those who maintain an office, branch or agency within the UK, and individuals who reside in the UK. It also extends to data controllers who are established outside the EEA but use equipment within the UK for processing data.
If a website operator has establishments that hold data in several countries, it needs to ensure that it complies with the data protection laws in each jurisdiction. Although the standard document ensures compliance with the DPA, which is based on the EC Data Protection Directive, consideration must be given to the laws of each state. The Data Protection Directive may not be implemented in the same way in each member state, so the obligations on the data controller may be more onerous than those imposed by the DPA.
• The longest one being the full notice including all legal provisions.
• The condensed notice containing the main information, and
• The short notice drawing attention to how the information will be used.
This notice should be clear and easy to read and displayed wherever personal information is collected.
Under para 2(3)(a), Part 2 Sch 3, DPA the full name of the data controller must be provided. It does not require data controllers to appoint a representative but if one is appointed the details must be given to the data subject.
INFORMATION WE MAY COLLECT ABOUT YOU
To meet the obligation that consent to processing is “informed”, information should be provided regarding the types of data which the site will process. The policy should also refer to less obvious data, such as email addresses and the times and dates of visits to the site, and to data which is not collected directly from the data subject.
IP ADDRESSES AND COOKIES
Since the Regulations were adopted, regulation 6 expressly requires a website operator to provide users with clear information about the use of, storage of and access to the cookies which it places on the user’s computer. Cookies are small data files placed on the hard drive of the user’s computer. They serve to gather information about the user’s use of the website or to allow the website to recognise the user when he or she visits again. Most browsers automatically accept cookies, although they can be set to request acceptance. The Information Commissioner has always been of the opinion that cookies store personal data, so their use has always had to comply with the DPA.
WHERE WE STORE YOUR PERSONAL DATA
The transfer of any data outside the EEA is only permitted where the receiving country has adequate protection (para 1, sch 4, DPA) or the data subject consents to the transfer. If data will, or may, be transferred outside the EEA, this should be stated in the policy together with details of the processing involved. Wherever possible the website owner should specify the countries to which data is to be transferred.
The act of posting information to a website which can be accessed overseas may constitute a “transfer” of data, but not necessarily, according to the Lindqvist case (C-101/01). This can cause problems for website owners who publish personal data on their sites, particularly where they cannot be sure where the information will be accessed.
USES MADE OF THE INFORMATION
In order to meet the requirements of the regulations, users must be provided with appropriate opt-in and opt-out tick boxes which users can complete before they submit their personal data.
If there is a change in the purpose for data collection then the policy will need to be amended and the data subjects to be notified. It would be good practice for a website owner to give careful consideration to any future uses of the data they collect so as to avoid the need to gain further consents.
DISCLOSURE OF YOUR INFORMATION
Users of the website should be provided with information regarding whether their data will be accessed by, disclosed to or sold to third parties, and for what purpose (para 2(3)(d), Part 2, sch 1, DPA). In the event of the sale of the business it is crucial that the data controller has the right to transfer the data.
The legislation does not prevent consent being withdrawn at any time. Nor is there an obligation to include a provision reminding customers of their right to withdraw consent, with the exception of cookies or direct marketing by electronic means. Including such a provision would, however, help instil confidence in the site.
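The opt-in tick box described above, the need for fresh consent when the purpose of collection changes, and the right to withdraw consent all come down to how a site records and checks consent when a form is submitted. The following is an added example (not part of these notes or of the standard document) of server-side logic for that: the field names `consent_processing` and `marketing_opt_in`, the purpose labels and the policy version strings are constructed for illustration. It relies on the fact that a browser omits an unticked checkbox from the submitted form data, so a missing field means the box was not ticked and consent is never inferred from silence.

```python
"""Explicit opt-in consent handling for a data-collection form.

Added example, not from the original notes: the field names
("consent_processing", "marketing_opt_in"), the purpose labels and the
policy version strings are constructed for illustration.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Mapping, Optional

# Purposes the privacy policy describes (constructed labels). Direct marketing
# by electronic means is kept separate because it needs its own opt-in box.
CORE_PURPOSES = frozenset({"order_fulfilment", "service_emails"})
MARKETING_PURPOSE = "direct_marketing"


class ConsentError(ValueError):
    """Raised when a submission does not carry express consent to processing."""


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purposes: frozenset            # purposes the subject has consented to
    policy_version: str            # version of the policy the consent refers to
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def covers(self, purpose: str, current_policy_version: str) -> bool:
        """True only if consent is live, was given against the current policy
        version and names this purpose. A purpose added by a later policy
        version therefore needs fresh consent rather than being assumed."""
        if self.withdrawn_at is not None:
            return False
        if self.policy_version != current_policy_version:
            return False
        return purpose in self.purposes


def process_submission(subject_id: str, form: Mapping[str, str],
                       policy_version: str,
                       now: Optional[datetime] = None) -> ConsentRecord:
    """Validate the opt-in boxes on a submitted form and record the consent.

    The processing box must have been ticked by the user ("on" is what a
    ticked checkbox submits); an absent key means it was left unticked.
    The marketing box is read independently and never implied by the other.
    """
    now = now or datetime.now(timezone.utc)
    if form.get("consent_processing") != "on":
        raise ConsentError("express consent to processing was not given")
    purposes = set(CORE_PURPOSES)
    if form.get("marketing_opt_in") == "on":
        purposes.add(MARKETING_PURPOSE)
    return ConsentRecord(subject_id, frozenset(purposes), policy_version, now)


def withdraw(record: ConsentRecord, purpose: str,
             now: Optional[datetime] = None) -> ConsentRecord:
    """Withdraw consent for one purpose, or for everything when purpose is "*".

    Withdrawing the last remaining purpose closes the whole record.
    """
    now = now or datetime.now(timezone.utc)
    if purpose == "*":
        return replace(record, withdrawn_at=now)
    remaining = record.purposes - {purpose}
    if not remaining:
        return replace(record, withdrawn_at=now)
    return replace(record, purposes=remaining)
```

A submission with neither box ticked, or with only the marketing box ticked, is rejected outright, and a record taken against policy version "v1" stops covering any purpose once the current policy is "v2", which is what forces the re-consent the notes describe when the purpose of collection changes.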
ACCESS TO INFORMATION
Under section 7 of the DPA, users have the right to make a written request:
• “To be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller; and
• Where that is the case, to be given by the data controller a description of the personal data, the purposes for which they are processed and the recipients to whom they may be disclosed.” (Subject access request)
Ideally the geographical address of the website operator should be given, to allow users to withdraw their consent to certain types of processing wherever the law permits them to do so. You can provide just a contact email address unless you are selling goods or services, in which case the law requires that a geographical address be provided.