Not content with its shiny new 2009 Privacy Notices Code of Practice, the Information Commissioner’s Office is now consulting on a wide-ranging “Personal Information Online Code of Practice.” Comments are invited by 5 March 2010, but Mark Smith jumps the gun.
Topic: Privacy
Who: Information Commissioner's Office
When: 9 December 2009
Where: Personal information online conference in Manchester
Law stated as at: 21 December 2009
What happened:
The Information Commissioner’s Office (ICO) has launched a consultation on a new draft code of practice, which provides organisations with practical and common sense guidance on how to protect individuals’ privacy online.
The code explains how the law applies and gives clear and comprehensive guidance both for handling personal data properly on the web and for giving individuals the right degree of choice and control over it.
What is covered by the code?
The code provides good practice advice for all organisations that collect information about people online. It applies to obvious identifiers, such as individuals’ names or e-mail addresses, but also covers the collection and use of less obvious identifiers, such as information indicating individuals’ online activity generated through the use of cookies.
The code applies to activities such as collecting a person’s details through an online application form, creating a personal profile of a website visitor by analysing his or her online activity and collecting and using personal data for the purposes of marketing goods and services online.
Status of the code
The code has been issued under section 51 of the Data Protection Act 1998 (DPA), which requires the Information Commissioner to promote good practice, and aims to help organisations handling personal data to comply with the legal requirements of the DPA. Organisations may of course find other ways of meeting DPA requirements, so the ICO will not be able to take action over a failure to comply with the code in itself.
Content of the code
The code provides some useful general guidance on data protection online, but also includes specific sections on marketing goods and services online, giving individuals privacy choices and issues surrounding operating internationally.
Behavioural advertising section
A particularly useful section examines the methods used in online behavioural marketing, which is becoming increasingly popular. It stresses that the processes used by behavioural marketers to create profiles or allocate a “score” to an individual indicating their interests should be explained to them clearly and simply. They should be told what happens when they visit the website in question, how information about their visit is collected and analysed and the consequences of this – e.g. being targeted with an advertisement for a particular product. The explanation should be expressed in terms that most visitors to the site could understand and should be given due prominence.
It is also suggested that individuals should be given a simple means of disabling the targeting and profiling process, but conspicuously absent from this section is any clear indication as to whether the deployment of this technology should occur on an "opt-out" or prior "opt-in" basis.
List of don'ts
The draft code concludes with the following list of headline points which must be avoided by organisations if they are to minimise the risk to individuals whose personal data they collect:
- do not be secretive or deceptive in the way you handle people’s personal data;
- do not try to gain an advantage by using personal data in a way that people wouldn’t expect or might object to;
- do not collect personal data you don’t need – this involves extra storage costs and additional risk – for example if there is a data loss;
- don't skimp on data security – a big data loss or a loss of sensitive personal data could undermine public confidence in your company and cause great commercial damage; and
- do not assume that because you are based in the UK you can ignore other countries’ laws. If you use equipment in another country or collect personal data about people outside the UK, you may need to comply with other countries’ laws.
Why this matters:
Given that the ICO’s powers are expected to increase in 2010, it is likely that organisations will start to give a higher priority to looking after personal data they hold. The draft code of practice provides useful guidance on a difficult area of data protection law, and should therefore be welcomed.
The consultation began on 9 December 2009 and ends on 5 March 2010.
The draft guidance can be found here.
The consultation itself can be accessed here.