If your website is simply a brochure website that just advertises your products or services, it is unlikely to be covered by data protection legislation. However, if your website is interactive and gathers information on individuals, chances are you will need to comply with data protection legislation.
Data protection legislation exists to protect individuals where a third party is processing that individual’s personal data. In general, personal data may only be processed if the individual has given his consent or if the processing is necessary to perform the contract (such as using the name and address to deliver ordered goods to the individual).
If you have a website that gathers personal information on individuals, you are what is known as a “data controller”, as it is you who controls how and when the data is processed. If you are a data controller you must comply with eight data protection principles set out below.
- Personal data shall be processed fairly and lawfully (see below).
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of the data subject under the Data Protection Act 1998.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
If you contravene any of the eight data protection principles, the Commissioner can serve you with an ‘information notice’ requiring you to provide certain information within set time limits. Failure to comply with such notice, or providing deliberately false information, is a criminal offence. If the Commissioner concludes that you have breached the Act, you may then be served with an ‘enforcement notice’. This could force you to cease processing personal data, or cease processing data in a particular way. Failure to comply with an enforcement notice is a criminal offence which will result in fines which, depending on the circumstances, may be of an unlimited amount.
The Information Commissioner will soon be able to impose Civil Monetary Penalties of up to £500,000 on data controllers who seriously contravene data protection principles. Subject to Parliamentary approval, this will come into force on 6 April 2010.
Fair and lawful processing
There are 2 main elements to ensuring that any processing is performed fairly and lawfully; (i) providing information and (ii) obtaining consent.
Data should be obtained and processed fairly and lawfully. Hence you should not deceive or mislead any person from whom you obtain information as to the purpose or purposes for which it is to be held, used or disclosed. You should provide the following information when collecting the information:
- Your identity
- the purposes for which you are collecting the data
- to whom the data will be disclosed and their purposes
- a description of the methods used for contacting the person for marketing purposes
- any other information that is necessary to make the processing fair (eg which information it is mandatory to provide and which it is not)
You should ideally provide this information at the beginning of any form you are asking the user to complete (or at least a link to the relevant section in the website terms and conditions) and the user can then decide whether to continue with completing the information. By using an appropriately worded data protection notice, you can ensure that there is consent from website visitors to allow you to build a valuable contacts database and market your services to the visitors.
If you then go on to use the data for any purpose other than that specified you will need to obtain that person’s consent for the new purpose.
Processing will be fair and lawful if it is:
- carried out with the data subject’s consent; or
- necessary for the performance of a contract to which the data subject is a party; or
- necessary for compliance with any legal obligation (other than a contractual obligation).
The consent of the data subject is an important part of ensuring data processing is fair and lawful. There must be some communication of the consent and reliance on it. It is generally considered that an “opt out” box is sufficient (that is, a tick box on a web page that gives the user the option of opting out of the data processing). For the processing of sensitive personal data however (ie data concerning racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual life, physical or mental health or condition, or criminal offences or record) an “opt in” box will be required.
You must take appropriate security measures relating to the personal data you hold, considering the nature of the data and the purposes for which the data will be processed. You should of course always use a secure server when taking payments online and take all necessary steps to prevent hacking. It is considered that unencrypted information transmitted over the internet is inherently insecure. Therefore, you should arrange for encryption of personal data wherever possible.
If you use a third party data processor, such as a hosting company, you must take steps to ensure that the data processor has adequate security measures in place to prevent data accidentally being disclosed to third parties. The processing must be governed by a written contract between both parties to ensure that the data processor is aware of the importance of security, will implement that security and that they will be liable for breach of contract in the event of a failure on their part.
As a data controller you must (unless exempt, see below) notify certain details (such as your name and address, a description of personal data being processed and a description of the purpose for which the data is being processed) to the Information Commissioner. If you process personal data without notification (or outside the scope of your notification) you are committing a criminal offence. This offence carries a maximum penalty of a £5,000 fine in the magistrates’ court and an unlimited fine in the Crown Court. Failure to notify is a strict liability offence which means that notifying is mandatory (if you don’t fall within an exemption) and being unaware of the law is not an excuse.
The main exemption for a small private business is the ‘core business purpose’ exemption, that is, you are exempt if the only reasons you are processing personal data are for:
- Staff administration; and/or
- Advertising, marketing and public relations; and/or
- Accounts and records.
The period of notification is one year. There is an annual fee of £35. Changes to a notification entry must be made within 28 days. Changes are made free of charge.
Beware of bogus agencies sending out official looking warning letters about notification and charging inflated fees to notify on your behalf. Always deal directly with the Information Commissioner’s Office – it is cheaper and better to do so. You can notify on the ICO website (https://www.ico.gov.uk/cgi-bin//dprproc?page=7.html) or by phone on 01625 545740.
Even if you are exempt from notification you must still comply with other provisions in the Data Protection Act 1998, including the eight data protection principles.
Data protection checklist
This checklist will help you to comply with the Data Protection Act. Being able to answer ‘yes’ to every question does not guarantee compliance, and you may need more advice in particular areas, but it should mean that you are heading in the right direction.
- Do I really need this information about an individual?
- Is this information all accurate and up to date?
- Do I know what I’m going to use it for?
- Do the people whose information I hold know that I’ve got it, and are they likely to understand what it will be used for?
- If I’m asked to pass on personal information, would the people about whom I hold information expect me to do this?
- Am I satisfied that the information is being held securely, whether it’s on paper or on computer? And what about my website? Is it secure?
- Do I have consent for all sensitive personal data that I hold?
- If I am transferring data outside of the EEA (ie the European Union plus Norway, Iceland and Liechtenstein), have I either ensure adequate protection or obtained consent from the data subject?
About the Author
This article was written by Suzanne Dibble of Lawyers4mumpreneurs.
Lawyers4mumpreneurs is a new legal practice established to focus on mumpreneurs’ needs. We cover the full range of business law services, so if for example you need standard terms and conditions drafting, advice on contracts with suppliers or trademark protection, we can help you. Our aim is to provide mumpreneurs with a top quality, approachable and flexible service that most importantly is affordable. See details of our experience, clients and testimonials on Suzannes website.