Data protection is an issue that many businesses have not taken too seriously in the past, even ones trading online. But the authorities are now taking a tougher line, both here and in the US. The UK Information Commissioner is increasingly active in enforcement.
1. fairly and lawfully processed
2. processed for limited purposes
3. adequate, relevant and not excessive
5. not kept longer than necessary
6. processed in accordance with the data subject’s rights
8. not transferred to countries without adequate protection
“Processing” is very widely defined, and includes obtaining data via a website and storing it in a database. The definition of “personal data” covers both facts and opinions about individuals, including information regarding the intentions of the data controller towards the individual.
Particular care must be taken over websites aimed at children. Explanations will need to be particularly clear and straightforward, and consents can only validly be obtained from parents.
Many website operators fall foul of the third data protection principle, that the personal data obtained must be adequate, relevant and not excessive in relation to the purposes for which it is processed. User registration pages should not contain fields requiring extraneous information unless that information is required for processing to which the user has consented. For example, if the user is only registering to receive email updates, the only data that is relevant is his email address. Name, address, telephone number and date of birth are all excessive in this case.
Where the data requested constitutes “sensitive personal data” (relating to racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health or condition, sexual life or commission of criminal offences) then it can only be processed if one of a second set of conditions applies. The most relevant condition here is that the “explicit consent” of the data subject has been obtained. Failing to click an opt-out box is not sufficiently explicit. There is also a limited exception for certain non-profit organisations. Many website operators will not request this sort of information, but an online recruitment agent for example might ask whether an applicant is a trade union member, has any physical disabilities or has a clean driving licence.