Paul Lambert, eBSI Specialist Advisor takes us through some key points to ensure our website’s data protection policy complies with legislation.

Exporters the world over should anticipate future data protection legislation in their countries as more governments get tough on improper uses of internet users personal data.

In this article I will be focusing on the Irish perspective and legislation, but many of these principles will also be relevant to other countries, as Irish legislation reflects what is considered to be best practice in the field.

Firstly, What is Data Protection?
The Data Protection regime operates to protect the rights of individuals when their personal information is collected and processed by organisations. All organisations, whether controlling personal data themselves or when processing data on behalf of third parties, must comply with the obligations imposed by the Data Protection Act 1988, as recently amended and extended by the Data Protection (Amendment) Act 2003 (collectively the “DPA”).

All organisations must be aware of and comply with their obligations and responsibilities under the new Data Protection regime. Emphasizing this point, the Data Protection Commissioner intends to carry out compliance audits in a range of commercial sectors. He has also recently began to take legal actions against non-compliant organizations, and will continue to do so.

The Guidelines
The Guidelines distinguish between website Privacy Statements and Privacy Policies, and makes clear that a Privacy Statement is not a Privacy Policy. A Privacy Policy documents the organisation’s compliance with the Data Protection Principles across the organisation as a whole. It applies to all personal data processed by the organisation, including customer data, third party data and employee data. A Privacy Policy can be a very complex document, often requiring specialist legal advise.

Organisations must also comply with the 8 Data Protection Principles, namely:-
* Obtain and process data fairly;
* Keep it only for one or more specified, explicit and lawful purpose(s);
* Use and disclose it only in ways compatible with these purposes;
* Keep it safe and secure;
* Keep it accurate, complete and up-to-date;
* Ensure that it is adequate, relevant and not excessive;
* Retain it for no longer than is necessary for the purpose(s);
* Comply with individual access requests.

A Privacy Policy is an internal organizational document. Therefore it can detail internal procedures, assigning individual/departmental responsibilities, etc.

Privacy Statements on the other hand are public facing documents, declaring how the organisation complies with the Data Protection regime in terms of the data processed on its website. It is as such a much more narrowly focused document.

Websites Need Privacy Statements
This is a legal requirement pursuant to both the DPA and SI No. 535 of 2003 European Communities (Electronic Communications Networks and Services)(Data Protection and Privacy) Regulations 2003 (the “Regulations”). Section 2(l)(a) DPA requires that “data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed fairly.” This fair obtaining principle generally requires that a person whose data are processed is aware of at least the following:-

* The identity of the person processing the data;
* The purpose or purposes for which the data are processed;
* Any third party to whom the data may be disclosed;
* The existence of a right of access and a right of rectification.

Regulation 5 imposes certain obligations with respect to Internet activity:-

“(1) No person shall use an electronic communications network to store information or to gain access to information stored in the terminal equipment of a subscriber or user unless
(a) the subscriber or user concerned is provided with clear and comprehensive information in accordance with the DPA, which is prominently displayed and easily accessible and which, without limitation, includes the purpose of the processing
(b) the subscriber or user is offered the right to refuse such processing by the data controller.

(2) Paragraph 1 does not prevent any technical storage of or access to information for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network or which is strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.”

This Regulation refers to the use of cookies, web beacons, the collection of IP addresses and other technical matters.

Failure to Have a Privacy Statement
In Ireland, contravention of the DPA, such as failing to have a website Privacy Statement, can result in investigation and enforcement action by the Data Protection Commissioner. The Commissioner can issue an enforcement notice requiring a Privacy Statement, or the cessation of data processing. Prosecution can also result in a penalty of up to €l00,000 and/or a data deletion order. Section 7 DPA also gives individuals a civil right of action if they suffer damage from the manner in which their data is processed.

When a Privacy Statement is Required
A Privacy Statement is required when a website does any of the following, namely:-
* Collects personal data (visitors filling in web forms, feedback forms, etc);
* Uses cookies or web beacons;
* Covertly collects personal data (IP addresses, e-mail addresses).

What Information Privacy Statements Must Contain
Information should be specific to the processing of personal data on the website. Such information should be sufficiently detailed so as to be useful to the visitor to the website in deciding whether to progress. Statements such as “all data collected on this site shall be processed in compliance with the DPA” are no longer sufficient (on their own), according to the Data Protection Commissioner. They need to be amended/replaced by an explanation of how, in practical terms, the website complies with its obligations.

The information should include the following:-

* Identity
Details of the organisation should be clearly identifiable. An organisation’s name on its own is insufficient. Identification should include complete and useful contact details. Useful details would include an e-mail address and postal address that a visitor may use if they wish to discuss any matters relating to the processing of personal data on the website.

* Purpose
There can be many overt purposes for which visitors should reasonably expect their data to be used. These may include data necessary in the context of a transaction. However, it is possible that data may be processed for non-obvious purposes such as profiling or future marketing. All these purposes must be clearly referred to in the Privacy Statement. Data volunteered on that understanding are fairly obtained. If a purpose is not obvious and not referred to, then it will be difficult for the organisation to lawfully process data for that purpose.

If an organisation plan to release personal data to a third party (other than a person acting as the organisation’s agent) this is a disclosure and must be referred to in the Privacy Statement. A general exception to this rule is where the disclosure is required by Law.

* Right of Access
Under Section 4 DPA a person has a right to be given a copy of their personal data. If an organisation is retaining personal data, the organisation should refer to this Right of Access in the Privacy Statement. The organisation should include reference to procedures to be followed. Under the DPA, a subject access request should be in writing, organisations may charge a fee not exceeding €6.35 and must reply within 40 calendar days. Organisations should identify to whom such a request should be directed.

* Right of Rectification or Erasure
Under Section 6 DPA, a person has a right to have his/her personal data corrected, if inaccurate, or erased, if you do not have a legitimate reason for retaining the data. Organisations cannot charge for complying with such a request and shall comply within 40 calendar days of the receipt of such a request. An organization’s Privacy Statement should make reference to this, if it retain personal data, as well as detailing the procedures a person should follow when making such a request.

* Extent of Data Being Processed

If different data are used for different purposes, this should be clearly referred to in the Privacy Statement, rather than a person assuming that all data shall be used for all purposes. This is even more important in relation to the covert processing of data, such as the collection of IP addresses, use of cookies or web beacons.

* Right to Refuse Cookies
If it is not necessary to use cookies in the context of a transaction, the user should be informed of this and given an opportunity to refuse to have cookies placed on their computers. The use of cookies might also be explained to the user.

Other Recommended Information

Detailed above is the information that must be included in a Privacy Statement. However, if an organisation intends its Privacy Statement as a comprehensive description of its on-line data processing, it can also include the following information:-

* Security
Whilst an organisation is required to have adequate security measures in place to prevent the unauthorised access to, or alteration or destruction of personal data in its possession, any detailed reference to such measures in a publicly available Privacy Statement would be unwise. Rather, it should confine itself to stating that it takes security responsibilities seriously, employing the most appropriate physical and technical measures, including staff training and awareness and that you review these measures regularly.

* Accurate, Complete and Up-to-date
This is largely a reactive policy, as problems are often only discovered when dealing with the data subject. However, an organisation may make reference to the need to hold only accurate, complete and up-to-date data, suggesting means by which data subjects may update their details or actions the organisation may take to ensure accuracy, such as contacting customers by email.

* Adequate, Relevant, Not Excessive
Organisations are obliged not to hold more data than is necessary for the purpose for which they collect them. Any data in excess of this requirement should either not be requested or, if volunteered, deleted. In a Privacy Statement, organisations may make reference to a policy to review all data supplied/obtained and delete that which is not necessary, or which is no longer necessary.

* Retention
Data should not be held for longer than is necessary for the purpose(s) for which they were obtained. The Privacy Statement could refer to a policy to delete credit card details once a transaction had been finalised, unless the organisation obtains the consent of customers to retain details to ease further transactions. If an organisation holds different types of data for different time periods, this can also be referred to in the Privacy Statement.

* Complaint Resolution Mechanism
Some means of dealing with complaints received from the website’s users about data processing is recommended by the Data Protection Commissioner.

Location of Privacy Statement

A Privacy Statement should be placed in an obvious position and not contained within another document. As a minimum, a Privacy Statement should be placed in the upper half of the entry page to a website. As some web browsers will only display part of a page, the upper page requirement means that a visitor need not scroll down to look for the Privacy Statement.

Placing a statement only on a Home Page may not be sufficient, as links from other web sites or through search engines may bring a visitor into the site via a page other than the Home Page. One solution is to place a link to the Privacy Statement on each page. Alternatively, a link could be placed on any page on which data are collected, though if the website uses cookies, effectively this could mean all pages.

Privacy Statement and “Terms & Conditions”

A Privacy Statement is a legal requirement and is distinct from terms and conditions, copyright or disclaimer notices. It should stand alone and be clearly identifiable. In order for a Privacy Statement to be of value, it must be readily accessible to the user, quickly read and easily understood. If it is buried within a lengthy document covering a variety of legal issues, it will be difficult for the organisation to demonstrate that it has fulfilled its obligations under the DPA and the Regulations.

Reviewing Privacy Statement

It should only be necessary to conduct a review if there is some change to the online processes. However, some mechanism should be in place to notify the appropriate staff member to initiate a review if:-

* There is a change to data processing on the website;
* There is a planned/actual redevelopment of the website;
* There is a new web hosting arrangement;
* There are suggestions/received from site users.

In any case, the Privacy Statement should be reviewed in the context of an internal audit procedure, which also should review the organisational Privacy Policy, at least on an annual basis.

Other Issues

Any person using a third party Data Processor to host a website should be aware of a number of issues. All Data Processors processing personal data are obliged to have a current entry in the register maintained by the Data Protection Commissioner. Processing data whilst not having such an entry is an offence.

If the web hosting service hosts your site on a server outside the EEA, they are obliged to meet at least one of the conditions set out in Section 11 DPA. The organisation is ultimately responsible should the web hosting company unlawfully process data. Section 2C DPA obliges organisations to have a contract in writing (or equivalent) with the Data Processor specifying:-

* What the Data Processor may do with the data on your behalf;
* What security measures the Data Processor must have in place.

Organisations must also take reasonable steps to ensure that the Data Processor complies with these instructions.

Paul Lambert

paul.lambert@merrionlegal.com
MERRION LEGAL
Solicitors & Community Trade Mark Attorneys
Clifton House
Lower Fitzwilliam Street
Dublin 2
Ireland
T: + 353-1-6690523
E: info@merrionlegal.com