Personal information online code of practice
Personal information online code of practice
Data protection Personal information online code of practice On 26 May 2011, the rules on using cookies changed. This guidance reflects the law before that date. Our advice on the new cookies Regulations sets out the changes and explains what steps you need to take now to ensure you comply.
Introduction 5 1. About this code 6 2. How does the Data Protection Act apply to 9 information processed online? 3. Marketing your goods and 19 services online 4. Privacy choices 25 5. Operating internationally 28 6. Individuals’ rights online 32 7. Things to avoid 36 Annex: Preserving privacy online 38 Glossary 40 Contents 3
The internet can offer greater convenience and new experiences, but it can also present risks. A record of our online activity can reveal our most personal interests. This is as true of major electronic service providers as it is of small online businesses. This code explains the privacy risks that may arise and suggests ways for organisations to deal with them. It stresses the importance of transparency, of treating consumers’ information properly and being straight with people about how you use their information. This applies just as much in the public sector as it does in the private.
As regulator of the Data Protection Act I recognise the need for clear, comprehensive guidance for handling personal data properly and for giving individuals the right degree of choice and control.
I encourage the industry to continue to develop simpler, easier ways for individuals to manage their online choices and to protect their privacy. This is a fast-moving ﬁeld of activity where the law may sometimes be difﬁcult to interpret. I hope this code will help all organisations comply with the law, adopt good practice and prosper online. Christopher Graham Information Commissioner Introduction 5 4 Introduction The online world is expanding and developing all the time. Change is a given. And the pace of change is a challenge. New technologies and services are transforming the way we do business.
The accelerating take-up of social networking, email, e-commerce and e-government reﬂects our growing dependence on the internet to conduct business, whether personal or professional. To help you navigate this book better look out for these markers Link to a web page Good practice tip – Advice on what’s good to do Bad practice – Advice on what NOT to do
About this code 7 6 About this code About this code 1 Personal recommendations, just for you, Thomas! You viewed Customers who viewed this also viewed This Week’s Most Popular Features SALE SALE SALE SALE Find all sorts of savings from across the site, in our Super Sale. Hi Thomas! Thanks for coming back to our website! Don’t forget to check out our new products and articles! We’ve picked out some you might like! Thank us later! © 2010 Information Commissioner’s Office POPULAR BUTTON BRAND Free one-day delivery. Go to our site now! Book £5.95 Bicycle £89.95 Telephone £89.95 Tape measure £12.95 Blank CDs £4.50 Carrot £0.20 High heels £10.95 Cup cake £2.95 Third party behavioural advertising These adverts have been placed by an advertising network to which the publisher is afﬁliated.
The publisher has chosen the adverts based on which other afﬁliated websites have been visited by the user. This information is linked by an identifying cookie on the user’s machine, which can be accessed by the network but not the publisher. Untargeted advertising Untargeted adverts can be placed by the publisher or an advertising network. The adverts could be randomly selected, and aren’t based on website content or user behaviour. These adverts are unlikely to involve the processing of personal data by the publisher or network.
This code does not cover the use of information that does not, or could not, identify an individual - for example the collection of anonymised or statistical information. The DPA does not apply to such activity. Nor does it apply to activities such as displaying the same broadcast-type content to everyone who visits a website – for example showing the same adverts for ﬂights to everyone who visits a travel site. This code explains how the Data Protection Act 1998 (the DPA) applies to the collection and use of personal data online. It also provides good practice advice for organisations that do business online and are therefore subject to the DPA.
How does the DPA apply to information processed online? 9 8 About this code How does the DPA apply to information processed online? 2 How the code can help Adopting the good practice recommendations in this code will help you to collect and handle personal data in a way that’s fair, transparent and in line with the wishes and expectations of the people you collect information about. Speciﬁc beneﬁts include: • greater trust and a better relationship with the people you collect information about; • reduced reputational risk caused by the inappropriate or insecure processing of personal data; • better take-up of online services, meaning economic savings and greater convenience for customers; • minimised risk of breaches and consequent enforcement action by the Information Commissioner or other regulators; • gaining a competitive advantage by reassuring the people you deal with that you take their privacy seriously; • increasing people’s conﬁdence to provide more valuable information, because they are reassured that it will be used properly and kept securely; and • reduced risk of questions, complaints and disputes about your use of personal data.
The code’s status The Information Commissioner has issued this code under section 51 of the DPA in pursuance of his duty to promote good practice. The DPA says good practice includes, but is not limited to, compliance with the requirements of the Act. This code is the Information Commissioner’s interpretation of what the DPA requires when personal data is collected and used online. It gives advice on good practice, but compliance with our recommendations is not mandatory where they go beyond the strict requirements of the Act. The code itself does not have the force of law, as it is the DPA that places legally enforceable obligations on organisations.
Organisations may ﬁnd alternative ways of meeting the DPA’s requirements and of adopting good practice. However, if they do nothing then they risk breaking the law. The ICO cannot take enforcement action over a failure to adopt good practice or to act on the recommendations set out in this code unless this in itself constitutes a breach of the DPA.
We have tried to distinguish our good practice recommendations from the legal requirements of the DPA. However, there is inevitably an overlap because although the DPA sets out the bare legal requirements, it provides no guidance on the practical measures that could be taken to comply with them. This code helps to plug that gap. • The DPA applies to the ‘processing’ of ‘personal data’. ‘Processing’ has a very broad meaning and includes everything that happens to personal data collected online.
• The DPA deﬁnes ‘personal data’ as data which relate to a living individual who can be identiﬁed from that data or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller.
• In the Information Commissioner’s view, personal data is being processed where information is collected and analysed with the intention of distinguishing one individual from another and to take a particular action in respect of an individual. This can take place even if no obvious identiﬁers, such as names or addresses, are held. • A practical difﬁculty arises when collecting information online because non-obvious identiﬁers, such as cookies or IP addresses, are linked to a device rather than a particular user. In many cases a device will have multiple users, for example a shared household PC.
This may make it impossible to tell whether the information obtained is about a single user or a group of users. Example A single household PC may have different family members using it under the same login identity. As a result, the IP address and cookies cannot be connected to a single user. Therefore it is unlikely that this information will be personal data. However, if each family member logs in separately, then any online activity will relate to that particular login identity. This will mean that the cookies used are more likely to be personal data. An IP address is only likely to be personal data if relates to a PC or other device that has a single user.
• When you cannot tell whether you are collecting information about a particular person, it is good practice to treat all the information collected as though it were personal data. In some cases the information will be personal data and the DPA will apply to it. In particular, compliance would involve: – keeping the information secure; – protecting it from inappropriate disclosure; and – being open about how the information is being collected and used.
How does the DPA apply to information processed online? 11 10 How does the DPA apply to information processed online? • The Information Commissioner recognises the practical and sometimes insurmountable difﬁculties in complying with all aspects of the DPA in respect of non-obvious personal identiﬁers. In particular he recognises the security issues that may be involved in trying to give an individual subject access to information linked to non-obvious identiﬁers. He will not necessarily enforce the right in this context unless there is a genuine risk to an individual’s privacy if he fails to do so.
This issue is explored in more detail in section 6 - Individuals’ rights online. • The Information Commissioner also recognises the practical difﬁculties in attempting to gain an individual’s consent as a means of legitimising the processing of non-obvious identiﬁers. In most cases the DPA provides alternatives to this. • Special restrictions apply to the processing of ‘sensitive’ personal data, such as information about a person’s health or political opinions. There may be no alternative to obtaining the individual’s consent in order to legitimise the processing of such information. • Some online content is displayed without any personal data being processed, for example where the same content is displayed to everyone who visits a website.
In such cases the rules of data protection do not apply, although other laws or standards may do. Further information about personal data can be found in our guidance note A quick reference guide – What is personal data? and in our more detailed Technical guidance note on determining what is personal data, these are at: https://ico.org.uk/media/for-organisations/documents/1554/ determining-what-is-personal-data.pdf https://ico.org.uk/media/for-organisations/documents/1609/ what_is_data_for_the_purposes_of_the_dpa.pdf Responsibility for data protection • The ‘data controller’ has ultimate responsibility for complying with the DPA.
Online, it is possible that a number of data controllers, and possibly ‘data processors’ working on their behalf, will act together to deliver content or services. Organisations should establish which of them has legal responsibility as a data controller. Example A shopping website may allow payments to be taken online via a company which specialises in online payment methods. The customer may have an account with the website, which means it will be the data controller for that personal data e.g. name, address and shopping history with that website. The customer will often have a separate account with the payment company, which will hold details such as bank account number and credit / debit card details in order to facilitate payment to the website.
That company will be the data controller in relation to that set of personal data. It is important for each of these parties to be clear about what personal data they are responsible for in case, for example, a customer wishes to exercise their rights under the DPA. Further guidance can be found in the rights of individuals section of The Guide to Data Protection which is available at: https://ico.org.uk/for-organisations/guide-to-data-protection/ principle-6-rights/ • It is good practice for organisations to work together to ensure that members of the public, who may be unaware of which organisations are involved and how, are treated fairly.
This includes explaining to the public who will use their information and how. The website publisher must take on this role in respect of its own information collection and any collection carried out by third parties via its website. However, the third parties still have their own legal obligations under the DPA.
• If there is evidence of a breach of the DPA, it is the data controllers involved that could be subject to enforcement action or prosecution. Legal responsibility is a matter of fact that the Information Commissioner will establish in the circumstances of the case. • Where a data controller uses a data processor to provide services on its behalf, there must be a written contract in place ensuring that appropriate security is maintained. This means that the security must be as good as, or exceed, the data controller’s own standards, which must in turn be appropriate.
Collecting the right personal data The DPA says that personal data can only be collected where this is ‘necessary’.
This means that you must not collect personal data too early in your relationship with someone. It is bad practice to collect personal details like names and email addresses just to let someone look at your website. Individuals may ﬁnd it intrusive and inappropriate to be asked to provide their details too early on.