1st Data Protection Principle
‘Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless
* at least one of the conditions in Schedule 2 is met, and
* in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.’
‘Processing’ includes the collection of information. In order to collect information fairly the data subject should be informed of the identity of the data controller and of the purposes of processing (unless they already have the information) together with ‘any further information that is necessary ... to enable the processing ... to be fair’. Among the other information that it may be necessary to provide may be details of any disclosures of data, rights to object to particular uses of data, and information as to which information requested on an electronic form is mandatory and which optional.
If personal data gathered by one department is to be passed to another, the fact that there is an intention to disclose should be made clear before the disclosure takes place, and any necessary consent for the disclosure should be obtained at that point. There may well be individuals who are willing to provide certain information to one department but not to another. Departments disclosing information to another department should be mindful of issues such as duties of confidentiality owed to the data subject, purpose limitation, further disclosure, etc, i.e. the discloser should make it clear to the ‘disclosee’ why the disclosure is taking place and how the disclosed personal data may be processed. It should be remembered that how personal data obtained by one organisation may be subsequently processed by another essentially depends on how the data was obtained originally.
Controllers should not assume that those from whom they are seeking information would understand how personal data is used. Fair obtaining notices should be designed with the intended audience in mind. For example, a website aimed specifically at members of a particular ethnic group should be intelligible to that group through the use of the appropriate language or terminology. Special safeguards should be introduced when requesting information from a child or a person who is not mentally competent, eg, request the intervention of a parent/guardian or carer. It is always worthwhile piloting a fair obtaining notice with a group of typical users.
Where there is a link to another site operated by another data controller, people should be clearly advised as to who may be collecting any information they provide on electronic forms.
Care should be taken to ensure that information is not collected of which the subject is unaware, for instance through use of cookies or the capture of ‘clickstream’ data. In particular, contracts should specify that ISPs/hosting services are not permitted to collect or make independent use of such data.
When people are invited to leave their email addresses the uses that will be made of these should be explained if there is any room for doubt. It should be a condition of membership of a chat room that members do not make use of others' email addresses for unrelated purposes. Consideration should be given as to whether it is necessary to monitor compliance with this condition, for instance through ‘seeding’ email address lists.
Fair obtaining notices should be clearly worded and positioned. While it is acceptable for privacy statements or codes of practice to be accessed via a link, fair obtaining notices should have sufficient prominence on the relevant forms.
Web managers should be mindful of the restriction that the Data Protection Act 1998 places on the processing of sensitive personal data. In some cases, this means that the individual’s explicit consent for the processing may need to be obtained.
The Office of the Information Commissioner is of the view that when there is an intention to develop a chat room the system should be designed in such a way that participation may take place anonymously or, alternatively, in a manner where individuals are given a clear choice as to whether their email addresses will be made available to other participants or to observers of the chat room.
2nd Data Protection Principle
'Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.'
The effect of this principle is to reinforce the first principle by restricting the further processing of personal data, including processing by any recipient of that data, to purposes which are compatible with those for which the data was first obtained.
3rd Data Protection Principle
'Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.'
Forms should be designed so that only the necessary amount of information is collected. Care should be taken not to seek information, for instance dates of birth, where there is no operational need for this information. At the same time it is important to collect sufficient information. It should be possible to design forms that have a mandatory area into which certain information must be entered and a clearly marked voluntary area into which other information can be entered. When individuals are being asked to provide information for reasons other than operational necessity, it should be explained to them what the extra information will be used for, eg, research, profiling.
4th Data Protection Principle
‘Personal data shall be accurate and, where necessary, kept up-to-date.’
Controllers can normally assume that the information provided by data subjects is accurate. Some sites, however, may attract ‘nuisance’ visitors who leave information relating to other people. If controllers become aware of such problems then they may have to take steps to verify the identity of visitors and to validate the accuracy of data. In some cases the most appropriate course of action might be to delete the problematic data and to request that others do the same in cases where this data has been disclosed.
5th Data Protection Principle
‘Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.’
The Act does not specify particular retention periods. Data collected on electronic forms should be retained for the same period as similar data collected by traditional means. Web managers are encouraged to keep information that is in a personally identifiable form for as short a period as is operationally necessary. For example, personal data that is collected in the course of the visit to a site, for instance temporary chat rooms, should be deleted once the session has ended.
6th Data Protection Principle
‘Personal data shall be processed in accordance with the rights of data subjects under this Act.’
The rights of data subjects are:
* to request a copy of personal data (subject access);
* to prevent processing likely to cause substantial damage or distress;
* to prevent processing for direct marketing purposes;
* not to be subject to automated decision taking.
Subject access requests must be made in writing. Before responding, controllers should be satisfied as to the identity of the person making the request. Responses should not be made to requests made via email unless the controller is able to verify identity, for instance through an electronic signature.
Data subjects have an absolute right to request that their data is not used for direct marketing purposes. There is unlikely to be any issue with advertisements that are displayed to all visitors to a site. It has been suggested that it may be possible to make use of a user profile in order to decide which advertisement to display to which visitor. Use of such techniques should be described to data subjects (1st principle) and there must be a mechanism to suppress the display of advertisements on request.
The Office of the Information Commissioner is of the view that in the future web developers should be able to build features that allow individuals to gain subject access online. This would enable individuals to call up records relating to themselves, without having to make a formal subject access request. Such online subject access will certainly be advantageous to both individuals and data controllers. However, this must be subject to the appropriate security and identity verification procedures.
7th Data Protection Principle
‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’
The Act directs controllers to adopt a risk-based approach to security matters. The need to use encryption, electronic signatures and other security features thus increases with the sensitivity of the data that it is proposed to transmit electronically.
Reasonable steps should be taken to monitor the use of any personal data which may be downloaded from websites, for instance by ‘seeding’ lists of email addresses and checking for instances of use for unauthorised purposes.
8th Data Protection Principle
‘Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.’
The recording of personal data on a website or its publication on a site is tantamount to allowing the worldwide transfer of data. Although the principle suggests that data may never be transferred to countries without an adequate level of protection, in fact there are exceptions, which are set out in Schedule 4 of the Act. In many cases the issue will be whether or not it is necessary to have the consent of the data subject to transfer their data outside the European Economic Area. As a general rule, if the personal data in question would in any event be placed in the public domain, for instance data relating to Ministers or senior civil servants, then it would be hard to argue that there was an increased risk to the privacy of those individuals by placing their details on a website. In other cases, it may be appropriate to seek consent.
Thursday, December 4, 2008
Data Protection Principle
Labels: Data Protection Principle
Posted by Vancouver web design at 3:42 AM