The Data Protection Act (DPA) 1998 brings the existing data
protection laws up to date, taking account of the growth
in the availability of information over the internet.
This document is intended as a brief primer to website
owners, laying out their responsibilities. This document
is written from a lay perspective, and readers are advised
to seek professional expert opinion on the subject.
The main thrust of the DPA is that
when information is being collected, it must be clearly
stated what the information will be used for, and by
whom. The provider of the information must also be told
how they can opt out of their information being used,
and whom they can contact to have their information removed or edited.
The first suggestion for website owners is the creation
of a privacy statement. This must be accessible from
every page within the site, as it cannot be assumed
that visitors will always visit the site through the
main page. The statement should, unless it is clearly
available elsewhere, state who the site operator/owner
is, giving a physical contact address for them. The
statement should also give the visitor information on
what rights they have, and how they can exercise those
rights. This should include a contact address for the
data controller.
The privacy statement must identify ALL data controllers;
this includes third party banner operators and secure
payment providers.
The privacy statement should display what information
is being collected, how it is being collected, and to
what use the information will be put. Information being
collected for marketing purposes, outside of the core
business of the site, should be clearly labelled and
be optional.
On the subject of options, many sites use the opt-out
model, whereby the supplier of information must explicitly
choose to opt out, usually by ticking a checkbox. While
this is acceptable in some cases, best practice is
to use an opt-in model. For certain sensitive information
the opt-in model has to be used. This information includes:
- racial or ethnic origin
- political opinions
- religious or similar beliefs
- trade union membership
- physical or mental health
- sexual life
- commission of criminal offences
- involvement in criminal proceedings
On forms collecting data, basic information and choices
must be provided on the form itself, in addition to a link
to more detailed information and the privacy statement.
Forms collecting information should be served over an
encrypted connection, such as SSL/TLS (HTTPS), so that the
submitted data cannot be read in transit. Once collected,
information should be stored securely, preferably in an
encrypted form, and access to it should be restricted
to those who genuinely need it.
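The two requirements above (explicit opt-in before sensitive categories are collected, and encrypted storage with restricted access once they are) can be enforced in the form handler itself. The following is an added example, not code from the original primer or from any regulator; the field names, the single "data-controller" role and the use of AES-GCM with a per-field nonce are assumptions chosen to illustrate the point. Sensitive fields are refused unless the visitor ticked the opt-in box, stored only as ciphertext bound to their field name, and decrypted only for the role that needs them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Categories the primer lists as requiring explicit opt-in before they
// may be collected at all. The form field names are assumed for this example.
var sensitiveCategories = map[string]bool{
	"ethnic_origin": true, "political_opinions": true, "religion": true,
	"trade_union": true, "health": true, "sexual_life": true,
	"criminal_offences": true, "criminal_proceedings": true,
}

// Submission is what a form handler holds after parsing the POST body.
type Submission struct {
	Fields map[string]string // field name -> submitted value
	OptIn  map[string]bool   // field name -> visitor ticked the opt-in box
}

// StoredRecord is what reaches the database: every sensitive value is
// replaced by base64(nonce || AES-GCM ciphertext), so a copy of the
// table alone does not reveal it. The key is held elsewhere.
type StoredRecord struct {
	Plain     map[string]string
	Encrypted map[string]string
}

var ErrNoOptIn = errors.New("sensitive field submitted without explicit opt-in")
var ErrNotAuthorised = errors.New("role is not permitted to read this field")

func sealer(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store refuses sensitive fields lacking opt-in and encrypts the rest of them.
func Store(key []byte, s Submission) (StoredRecord, error) {
	aead, err := sealer(key)
	if err != nil {
		return StoredRecord{}, err
	}
	rec := StoredRecord{Plain: map[string]string{}, Encrypted: map[string]string{}}
	for name, value := range s.Fields {
		if !sensitiveCategories[name] {
			rec.Plain[name] = value
			continue
		}
		if !s.OptIn[name] {
			return StoredRecord{}, fmt.Errorf("%w: %s", ErrNoOptIn, name)
		}
		nonce := make([]byte, aead.NonceSize()) // fresh random nonce per field
		if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
			return StoredRecord{}, err
		}
		// The field name is bound in as additional data, so a ciphertext
		// copied into another column fails to authenticate on decryption.
		ct := aead.Seal(nonce, nonce, []byte(value), []byte(name))
		rec.Encrypted[name] = base64.StdEncoding.EncodeToString(ct)
	}
	return rec, nil
}

// Read decrypts one sensitive field, but only for the role that needs it.
func Read(key []byte, role string, rec StoredRecord, name string) (string, error) {
	if role != "data-controller" { // assumed role name for this example
		return "", ErrNotAuthorised
	}
	raw, err := base64.StdEncoding.DecodeString(rec.Encrypted[name])
	if err != nil {
		return "", err
	}
	aead, err := sealer(key)
	if err != nil {
		return "", err
	}
	if len(raw) < aead.NonceSize() {
		return "", errors.New("ciphertext missing or too short")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(name))
	if err != nil {
		return "", err // wrong key, wrong field, or tampered data
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample submission: one ordinary field, one sensitive field.
	sub := Submission{
		Fields: map[string]string{"name": "A. Visitor", "health": "asthma"},
		OptIn:  map[string]bool{"health": true},
	}
	rec, err := Store(key, sub)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", rec.Plain, rec.Encrypted)
	fmt.Println(Read(key, "data-controller", rec, "health"))
	fmt.Println(Read(key, "marketing", rec, "health"))
}
```

The key never sits in the record, so a leaked database dump exposes only the non-sensitive columns; the role check in Read is where "restricted to those who need it" is enforced, and in a real deployment it would be backed by the site's authentication rather than a string comparison.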
If personal information is to be published on the internet
then informed consent must be given. This means that
as well as using an opt-in model it is necessary to
inform the information source of the possible consequences
of having the information published on the internet.
If the use to which collected personal data is to be
put changes then consent for the change in use must
be obtained again. This can be done using the opt-out
model, as long as the new use is close to the original
use given.
Website operators established in the UK must notify
the Data Protection Commissioner. There are exemptions
for certain core business activities (marketing your own business,
keeping accounts and records, etc.); however, you should consult
the Commissioner's office if you have any doubts.
Responsibility for compliance with the DPA lies with
the data controller (usually the site owner/operator),
not with the hosting provider. Use of a third party data processor
must be governed by a written contract under which the
processor acts only on the instructions of the
website operator. The processor must also have in place technical
and organisational security measures to ensure the security
of the data.
This is a brief primer and is NOT legal advice. Anyone
interested in actual legal advice should contact a lawyer.
Further information can be found on the Commissioner's
website:
http://www.dataprotection.gov.uk/