This month saw the launch of the ICO’s first code of practice on online privacy, following extensive consultation earlier in the year. The code provides good practice advice for organisations providing goods and services using the web and explains how the Data Protection Act applies to the collection and use of personal data online.
The code is divided into the following 7 chapters, and also includes a helpful annex and a glossary of terms for those less familiar with online jargon. Our summarised highlights of each chapter follow, but we also recommend reading the full guidance document on the ICO website. It should be of particular interest to businesses engaged in behavioural advertising, online sales and cloud computing.
1. About this code
There is no legal requirement to adhere to the code, so organisations cannot be penalised for failing to follow the guidance it contains; only breaches of the DPA itself are actionable by the ICO. However, the ICO encourages all organisations, from electronic service providers to small online businesses, to use the guidance and to give individuals easier ways to manage their online choices and protect their privacy. Anticipated benefits of using the code include:
• Improved levels of trust and relationships with customers;
• Increased public confidence in the way their information is handled and retained;
• Minimised risk of data breaches and of enforcement action by the ICO; and
• Reduced risk of customer questions, complaints and disputes over data use.
2. How does the DPA apply to information processed online?
The ICO's starting point is that personal data will be processed online whenever information is collected and analysed to distinguish one individual from another, whether to sell them a product or to direct them to other websites or advertisements. Processing, as defined by the DPA, can take place even where there are no obvious identifiers such as names or addresses. Online, non-obvious identifiers such as cookies or IP addresses are linked to a device (a home PC, for instance) that may be shared by several users. Even where the actual user of the device cannot be identified, the ICO advises that the data should still be treated as personal data. Accordingly, the DPA principles of keeping that data secure, protecting it from inappropriate disclosure and being open about its collection and use all apply.
Data should only be processed if it is necessary and can be justified. The ICO suggests that individuals should not be asked to give their personal data too early, as this may be off-putting and intrusive. Instead, organisations should wait for individuals to interact with them, by requesting details of their services, or loyalty schemes, for example. This will make it easier for organisations to seek consent and to legitimise their data processing.
The code also gives updated guidance on the retention and disposal of personal data and refers readers to the National Archives guidance on retention schedules.
3. Marketing your goods and services online
Online advertising is often the subject of bad publicity, but the ICO adopts a sensible approach in the code. This chapter begins with the introduction "Organisations have always used information about their customers to market goods and services to them. This is an established practice that customers have come to expect and are generally happy with."
It is noted that relatively few complaints are made about online behavioural advertising, but individuals often misunderstand the use of technology. As a result, the ICO advises organisations to:
• be open about the marketing techniques they use;
• make individuals aware of their options for opting out of marketing, including the use of web browser settings; and
• give clear and simple explanations.
Organisations are also reminded of the need to observe other laws (such as the Privacy and Electronic Communications Regulations), industry rules and other codes of practice on marketing, for example those issued by the Direct Marketing Association and the Advertising Standards Authority.
4. Privacy choices
Individuals may also be unfamiliar with the privacy settings available to them online. The code states that people often simply do not understand privacy settings and may not know how or where to find them. Although the code aims to improve individuals' control over their online personal data, it is hard for organisations to apply appropriate privacy settings on behalf of individuals who do not do so themselves. The ICO's view is therefore that it is good practice for providers to set privacy defaults in a way that balances privacy protection and functionality. Individuals should be given choices over access to their information at the time the data are collected, and even if they ignore those options, organisations are expected to set privacy defaults that reflect their likely wishes and expectations.
5. Operating internationally
As the DPA's eighth principle restricts the transfer of personal data to countries outside the EEA (unless an exemption applies), the code includes a chapter on the difficulties of complying with this principle online and offers advice on the use of encryption and on contracts between data controllers and data processors. This chapter also contains helpful guidance on cloud computing, where services such as data storage are provided over the internet.
6. Individuals’ rights online
The DPA gives individuals the right of access to their personal data. The code interprets this as requiring organisations to let individuals access their personal data as easily as possible. Although data controllers may charge a fee of up to £10 for a subject access request, organisations are advised to waive or reduce it, as administration costs online are expected to be limited. Similarly, the statutory 40-day time limit for providing the requested information is a maximum, and organisations are encouraged to respond more quickly.
7. Things to avoid
The final chapter of the code contains a neat summary of what not to do. Organisations doing business online should avoid:
• being secretive
• not being clear with customers
• collecting information too early, or when it is not needed
• keeping inaccurate or out of date records
• keeping data for longer than necessary
• not respecting individuals’ rights
• providing inadequate security
• failing to ensure that data are transferred safely