MacRoberts Technology Media & Communications e-update 21/07/10
GUIDELINES FOR PROTECTION OF PRIVACY ONLINE
In pursuance of its duty to promote good practice under the Data Protection Act (DPA), the Information Commissioner's Office (ICO) has published a new Code which contains numerous "do’s and don’ts" for the processing of personal data gathered online. This includes information such as names, addresses and contact details, as well as information gathered about an individual using cookies or IP addresses.
It is worth remembering that, whilst the Code itself is not legally enforceable and compliance with it is therefore not mandatory, data controllers are well advised to follow the Code where at all possible in order to avoid falling foul of the provisions of the DPA.
The Code itself can be found at: http://www.ico.gov.uk/for_organisations/topic_specific_guides/online.aspx
A summary of the main guidance it provides is as follows:
- Do not be secretive or misleading when you collect personal data. People will not trust you and will go somewhere else.
- Do be clear about the purposes for which you use or disclose personal data, and do not change these purposes without consent once the data has been collected.
- Do not collect personal data you don't need or collect it too early in the process. People do not like organisations that collect too much information about them.
- Do not keep records about people that are inaccurate or out of date. Everyone expects their information to be correct.
- Do not keep personal information for longer than you need to in a personally identifiable form. People do not like too much information being retained about them.
- Respect individuals' rights over the information you hold about them; for example, do not deny them access to their personal data.
- Make sure you have adequate security and maintain responsibility for the personal data you collect. Everyone expects their information to be looked after properly.
- Ensure the personal data you are responsible for is protected properly if it is transferred overseas, i.e. using cloud computing.
And finally, remember that the provisions of the DPA apply to the "processing" of "personal data". "Processing" is very broad in scope, and includes everything that happens to personal data that is collected online. "Personal data" is information which relates to a living individual who can be identified from that data. So if you process personal data, read the Code, and try to comply with its guidelines where at all possible; after all, it's better to be safe than sorry.
For further information, please contact David Flint or Valerie Surgenor on 0141 303 1100.
© MacRoberts 2010