What is website privacy?
The terms "website privacy" and "website data protection" are commonly used to refer to the web of UK and EU data protection laws and regulations which apply to the collection and use of personal data via websites. These include the Privacy Regulations (full name: The Privacy and Electronic Communications (EC Directive) Regulations 2003).
One key aspect of web privacy compliance when collecting personal information online is to obtain a sufficient level of consent from the person providing the data ("data subject").
However, in some cases - e.g. if you want to use personal data to send marketing emails or to provide personal information to third parties for email marketing - internet privacy laws dictate that you have to go further and get appropriate consent from web users at the point where you collect the data. There are different and rather complex web privacy requirements applicable to the privacy consent wording (known as "opt in", "soft opt in" or "opt out"), depending on the information you are collecting and what you plan to do with it.
If you don't get the right level of consent, then, amongst other things, you can be sued by data subjects or be subject to regulatory enforcement action.
Another important aspect of internet data protection concerns the EU restrictions on transferring personal data outside the European Economic Area, known as the EEA (the EU plus Iceland, Liechtenstein and Norway). There are various exceptions, including export to various countries recognised by the EU as providing an adequate level of data protection, export to US companies which have signed up to "Safe Harbour" (with a set of requirements similar to those under EU laws), or transfer abroad under contracts which contain certain provisions sanctioned by the EU. These issues crop up more and more nowadays due to the propensity for hosting of data on servers located abroad, either in identified countries or in the vague cyberspace concept known as "the cloud".
Amongst the other internet privacy issues which arise are the special steps which must be taken when one is collecting "sensitive personal data" (such as details of racial or ethnic origin or physical or mental health) or when acquiring any form of personal data from children/minors.
Data protection FAQs
Here are some frequently asked questions about the data protection regime in the UK:
What exactly is personal data?
Any information that is held on a living individual, and can be used (possibly in conjunction with other information) to identify that individual.
What is data protection?
Data protection concerns the protection of personal data. The Data Protection Act 1998 is the main UK law governing data protection. It applies to those who "process" personal data.
What is "processing" of personal data?
"Processing" is very widely defined under the Data Protection Act 1998. It covers doing almost anything in relation to data including organisation, retrieval, use or disclosure.
What are the main features of the Data Protection Act 1998?
There are eight Data Protection Principles which are at the heart of the 1998 Data Protection Act. These principles state that data processing must be fair and lawful. Amongst other things:
- You must process personal data "fairly and lawfully".
- You will often need 'consent' for lawful processing of personal data. In the case of sensitive personal data, such as racial origin, political or religious beliefs, health and criminal offences, this must be 'explicit consent'.
- You mustn't use personal data for anything other than the lawful purpose for which it's being processed.
- You must keep personal data accurate and up to date.
- You mustn't keep personal data longer than is necessary for the specified purpose.
- You have to take appropriate security precautions to protect personal data.
- You must ensure that personal data transferred outside of the EEA (European Economic Area) is given an adequate level of protection.
Is there any jargon I should be aware of relating to data protection?
The Data Protection Act includes the following terminology:
- Data controllers - those who determine the purposes for which data is processed
- Data processors - third parties who process data for data controllers
- Data subjects - individuals whose data is recorded
- Notification - registration (see below)
- Information Commissioner - the official authority responsible for protection of personal data and enforcement of the Data Protection Act (renamed by the Freedom of Information Act)
Do I need to register to process personal data?
Yes, although there are certain exemptions. Registration is now termed 'notification'. The register of Data Controllers is held and maintained by the Office of the Information Commissioner. Processing data without notification (where required) is a criminal offence.
What kinds of rights do individuals have in relation to their personal data?
Amongst other things, individuals have the right to prevent significant decisions from being made based solely on automated processing of their data; the right to request that their personal data is not processed, or ceases to be processed, for direct marketing purposes; and the right to be given access to their personal data (in certain circumstances).
How Adlex Solicitors can assist with advice on web privacy and internet data protection: for a free initial chat and more information, contact web lawyer Adam Taylor on +44 (0) 207 317 8404 or by email.