The Regulator of the Data Protection Act, the Information Commissioner, has launched the "Personal Information Online Code of Practice". It applies to all organisations, in the private as well as the public sector, which operate online services handling users' personal data.

The introduction of the Code states: "This Code explains the privacy risks that may arise and suggests ways for organisations to deal with them. It stresses the importance of transparency, of treating consumers' information properly and being straight with people about how you use their information... I hope this Code will help all organisations comply with the law, adopt good practice and prosper online".

It also contains guidance for consumers, and indeed a guide for consumers is published alongside the Code giving advice on avoiding online scams, the importance of being cautious about disclosing information and using privacy settings effectively.

The Information Commissioner summarised the Code as follows: "Organisations must be transparent so that consumers can make online privacy choices and see how their information will be used. Individuals can take control by checking their privacy settings and being careful about the amount of personal details they post to social networking sites and elsewhere online."

The Code and Guide highlight and bolster the existing principles under data protection legislation, which the Information Commissioner's 7 July press release summarises as follows:

Any organisation processing personal information must comply with 8 principles, i.e. personal information must be:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection.

In practice this means that any information that is no longer needed by an organisation (such as email addresses) should be deleted. It must also not be passed on to third parties without prior consent. On sites that require a login, all privacy settings should be well highlighted and simple to use and update. The aim is to make users aware of what information is held, how it is used and who else might see it.

In a checklist published with the Code, the Information Commissioner sets out these guidelines to businesses:

  1. Consider whether you actually need to collect information about people. Don't ask people to log in, register or provide their personal details unless you need them to. It is acceptable to ask for this information once people make an enquiry or decide to do business with you.
  2. When you collect information about people they should know who you are and what you're going to do with their information. There should be a clear, prominent explanation of this on your website.
  3. You are under a legal duty to keep customer information secure. Ask your IT supplier to give you advice on encrypting information and make sure staff with access to the information are trained to keep it secure and look after it properly.
  4. If you use a subcontractor, for example to manage your database, make sure there is a written contract in place that requires them to look after your information properly, including keeping it secure.
  5. If you are going to use customer information to send them marketing material, e.g. promotional emails, give them a clear choice over this. You should be aware that different rules under the Privacy and Electronic Communications Regulations 2003 might apply depending on the method you use to send the marketing.
  6. Your website might show content provided by third parties, for example adverts. Although you may not be legally responsible for this content, your customers may assume you are. Therefore, it is good practice to act as a single point of contact for the content displayed on your site. For example, you need to have proper procedures in place where a customer objects to a particular advert.
  7. Ensure that you only collect the information that you use. If you no longer require the information then stop collecting it and dispose securely of any unnecessary information that you may have collected.
  8. Remember that people have a right of access to information you hold about them. Make sure your staff recognise a 'subject access request' and know how to deal with it.
  9. Encourage your customers to check the information you hold about them, for example by giving them online access to their account details. Give them facilities for updating and correcting their records if they are wrong.

The full code can be found at this link:

http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/personal_information_online_cop.pdf

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.