Data protection is an issue that many businesses have not taken too seriously in the past, even ones trading online. But the authorities are now taking a tougher line, both here and in the US. The UK Information Commissioner is increasingly active in enforcement.
So how do you, as a UK business establishing an online presence, ensure you comply? You have notified your data processing to the Information Commissioner under the Data Protection Act 1998, and included a Privacy Policy statement on your website. Can you now go ahead to obtain and process personal data from your users? Well, not necessarily – you still have to comply with the eight data protection principles set out in the Act. These require that data must be:
1. fairly and lawfully processed
2. processed for limited purposes
3. adequate, relevant and not excessive
4. accurate
5. not kept longer than necessary
6. processed in accordance with the data subject’s rights
7. secure
8. not transferred to countries without adequate protection
“Processing” is very widely defined, and includes obtaining data via a web site and storing it in a database. The definition of “personal data” covers both facts and opinions about individuals, including information regarding the intentions of the data controller towards the individual.
The first data protection principle goes on to say that personal data can only be processed if certain conditions are met. The most important of these conditions for web site operators is that the data subject has given his consent to the processing. An alternative condition which may be applicable to e-commerce websites is where the processing is necessary for the performance of a contract with the data subject or in order to enter into that contract. When constructing a website, it is therefore necessary to ensure that the consent of users is obtained to every use to which their personal data may be put. Users must always be given the opportunity to opt out of the use of their data for marketing purposes. Typically, separate options are given to opt out of mailings from the web site operator, or from third parties. The information regarding the uses to which the personal data may be put should be set out in the Privacy Policy, explaining also those uses to which it will not be put. Where information on individuals is collected by covert means, such as “cookies”, they must be informed of this.
Particular care must be taken over websites aimed at children. Explanations will need to be particularly clear and straightforward, and consents can only validly be obtained from parents.
Many web site operators fall foul of the third data protection principle, that the personal data obtained must be adequate, relevant and not excessive in relation to the purposes for which it is processed. User registration pages should not contain fields requiring extraneous information unless that information is required for processing to which the user has consented. For example, if the user is only registering to receive email updates, the only data that is relevant is his email address. Name, address, telephone number or date of birth are all excessive in this case.
Where the data requested constitutes “sensitive personal data” (relating to racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health or condition, sexual life or commission of criminal offences) then it can only be processed if one of a second set of conditions applies. The most relevant condition here is that the “explicit consent” of the data subject has been obtained. Failing to click an opt-out box is not sufficiently explicit. There is also a limited exception for certain non-profit organisations. Many website operators will not request this sort of information, but an online recruitment agent for example might ask whether an applicant is a trade union member, has any physical disabilities or has a clean driving licence.
In conclusion, think carefully about what information you actually require about individuals and what you intend to do with it. Limit your forms to obtaining only relevant data, set out clearly what you will use it for, and ensure you have obtained consent to all such uses. A well drafted Privacy Policy can help ensure you stay within data protection laws, and so avoid enforcement action, as well as helping to increase users’ confidence in your site.