Guidance notes relate to a website’s standard policy regarding the collection,
template. Our template is for use on a website which collects data in an online
application form for the purpose of supplying goods or services to users of the site, or
for contacting users with direct marketing information such as a newsletter.
GENERAL DOCUMENT NOTES
use of personal data. The standard document should be used on a website collecting
only basic personal information which is non-sensitive in nature, in an online
application form (e.g. name, contact and credit card details). Information is collected
for the purposes of supplying goods or services to users of the site and for contacting
users with direct marketing information.
Within the UK the collection and use of personal data by e-businesses must comply
with UK data protection laws. Such laws are contained in the Data Protection Act
1998 (DPA) and the Privacy and Electronic Communications (EC Directive)
Regulations 2003 (the Regulations).
Although it is not a specific requirement to have privacy policies under the DPA, it is
good practice as it may help with compliance with some of its provisions. Any failure to
comply may lead to criminal sanctions and in some cases personal liability, liability
for damages and negative publicity. Such policies aid the data controller to comply
with specific obligations. Obligations include:
• That data must only be processed for “specified” purposes (Para 2, part 1, Sch
• To provide information regarding processing at the time when it collects the
data. (para 2(3), part 2, sch 1, DPA)
• The processing of personal data will require the consent of the data subject
(Sch 1, 2 and 4, DPA). “Processing” is widely defined. It includes disclosing,
as well as obtaining, holding and using data (S1 DPA). “Personal Data”
includes a wide range of information.
Although data controllers may, in certain circumstances, process data without consent,
obtaining consent is considered the safest approach, especially on the web, as transfers of
information are likely to occur outside the jurisdiction of the European Economic
Area (EEA). Such consent must be freely given, specific and informed. It is not a
requirement that consent should be in writing, and implied consent can occur within
the UK. This has caused some difficulties in cases where it is not practical to obtain
clear consent from the individual. Data controllers may not infer consent from non-response to a general communication.
may be included on the website which visitors can view before agreeing to send their data to the site. It should be made clear that by submitting their data, they consent to
it being used in accordance with the policy. The link should be placed in a prominent
position and located above the agree or submit button.
• Be worded in such a way as to imply the data subject’s consent to the
processing of such data.
• Have an ‘opt in’ box in order to ensure that consent was given expressly. This
must be provided by an appropriately worded tick box.
their personal data will be kept secure and used responsibly.
The DPA applies to all data controllers that are established within the UK under
section 5(1)(a). These include: UK-registered companies, those who maintain an
office, branch or agency within the UK, and individuals who reside in the UK. It also
extends to data controllers who are established outside of the EEA but use
equipment within the UK for processing data.
If a website operator has establishments that hold data in several countries, they need
to ensure that they comply with the data protection laws in each jurisdiction.
Although the standard document ensures compliance with the DPA, which is based on the EC
Data Protection Directive, consideration must be given to the laws of each state. The
Data Protection Directive may not be implemented in the same way in each member
state, so any obligations on the data controller may be more onerous than those
imposed by the DPA.
Data controllers are under an obligation not to collect data which is excessive in
relation to the purpose of collection; therefore there must be an indication on the form
as to whether any information is optional. This can be found in para 3, part I, Sch 1, DPA.
It would not be necessary to collect an individual’s name and address in providing an
to be used then it may not be necessary to mark the data as optional. It may help to
ensure a data controller is complying with his obligations by marking particular
information as optional. This is particularly useful where a website owner may find
information useful but not necessarily essential to the business. It also serves to
reassure customers that the owner of the website has a sensible approach to privacy.
DRAFTING ISSUES
Our template document is drafted to include square brackets [ ] around terms where
information that is not relevant and then remove the square brackets. The standard
document is appropriate for use on sites which sell books or groceries, those which
provide travel or news information services, and also brochure sites, as these generally are
only intended to provide information about the website owner’s offline services. The
policy is not suitable for a situation where sensitive personal data is collected.
Sensitive personal data includes data relating to racial or ethnic origin and religious
beliefs. If such data is collected “explicit consent” is required, (S2 and Sch 3, Data
its contents into a click-wrap consent form in which the user can then indicate their
wishes with respect to the processing.
position by means of a hyperlink accessible at all points of the site where data is
requested. The data subject must have seen the terms on which his or her data is to be
used before submitting personal data if it is to be said that consent to processing was
given “freely, specific and informed”. The Information Commissioner has indicated
that although the use of privacy policies is important, the basic information and
choices available should be displayed in an intelligible and prominent form wherever
personal data is collected. The Commissioner favours a layered notice as the most
effective way of raising awareness of how information will be used. This consists of
three linked notices:
• The longest one being the full notice including all legal provisions.
• The condensed notice containing the main information, and
• The short notice drawing attention to how the information will be used.
This notice should be clear and easy to read and displayed wherever personal
information is collected.
The general website terms and conditions must not contradict the terms of the privacy
that the data controllers cannot fulfil.
provided. It does not require data controllers to appoint a representative but if one is
appointed the details must be given to the data subject.
INFORMATION WE MAY COLLECT ABOUT YOU
To ensure that the obligation that consent to processing be “informed” is met, information
should be provided regarding the types of data which the site will process. The policy
should also refer to less obvious data such as email addresses and the times and dates of
visits to the site, and to data which is not collected directly from the data subject.
IP ADDRESSES AND COOKIES
Since the regulations were adopted, regulation 6 expressly requires a website operator
to provide his users with clear information about the use, storage of and access to
cookies which he places on the user’s computer. Cookies are small data files
placed on the hard drive of the user’s computer. They serve to gather information
about the user’s use of the website or to allow the website to recognise the user when
he or she visits again. Most browsers automatically accept cookies although they can
be set to request acceptance. The Information Commissioner has always been of the
opinion that cookies store personal data therefore their use has always had to comply
with the DPA.
The regulations do not specify when or how the information should be provided but
the Information Commissioner guides that if the information is included in the privacy
policy then it should be clearly signposted on the pages where a user may enter the
Commissioner suggests that the mechanism used for such a task should be made
simple and easy to understand and to use.
As the regulations allow website operators to refuse access to certain parts of the site
if the option of cookies is rejected, it is a requirement that the user is made aware of
clear as to whether cookies are served to non-registered users and whether third
parties will place cookies on visitors’ computers.
WHERE WE STORE YOUR PERSONAL DATA
The transfer of any data outside the EEA is only permitted where the receiving
country has adequate protection (para 1, sch 4, DPA) or if the data subject consents to
such a transfer. If data will, or may, be transferred outside of the EEA, this should be
stated in the policy together with details of the processing involved. Wherever
possible the website owner should specify the countries to which data is to be
The act of posting information to a website which can be accessed overseas may
constitute a “transfer” of data, but not necessarily so according to the Lindqvist Case
(C-101/01). This can cause problems for website owners who publish personal data on
their sites, particularly where they cannot be sure where the information will be accessed. Such sites include those which enable users to contact one another, such as
auction sites and those providing instant messaging facilities. Rules of conduct
should be imposed on such sites to ensure that privacy is still protected and these may
There are security obligations imposed on the data controller by the DPA (para 7, part
I, sch 1). Stating them in the policy helps to promote confidence in the users of the website. The assurance
must be qualified by a statement informing the user that the transmission of data via
the internet is never completely secure. The policy must also exclude the website
owner’s liability for any personal data lost in transmission to the website.
USES MADE OF THE INFORMATION
Under Paragraph 2, Part 1, Sch 1 and Para 2(3)(c), part 2, sch 1, DPA, information
must be provided about the purposes for which the data will be processed. Although
this can be general, the data controller must ensure that any non-obvious uses are
specified. It should be made clear whether the data will be used for direct marketing
purposes and whether it will be published on the site. As individuals tend to object
to their data being passed on to third parties, the data controller must consider the issue
In order to meet the requirements of the regulations, users must be provided with
appropriate opt-in and opt-out tick boxes which users can complete before they
submit their personal data.
services which might be subject to future direct marketing. Although it is not a legal
requirement, it is included to ensure that any opt-in or opt-out consents are given on
an informed basis. It also allows the website owner to specify any different types of
communication which may be used for direct marketing purposes; this also serves to
ensure that informed consent is given.
There are specific requirements that apply to the provision of direct marketing by
electronic means. Since the regulations were adopted, sending unsolicited
commercial communications on an opt-out basis has been limited. Regulation 22
allows this by electronic means but only on an opt-in basis. This is unless the
recipient’s contact details were obtained in the course of a previous sale or in
negotiations for a sale; and the communication was in respect of the sender’s goods or
services that are similar to the ones purchased in the previous sale. Even if these conditions are met, the sender is still
required to provide the option to opt out of receiving
future communications; they must also provide information on how this can easily be
with this requirement. The use of opt-in and opt-out boxes must be provided in
relation to receiving direct marketing information by electronic means.
If there is a change in the purpose for data collection, then the policy will need to be
amended and the data subjects notified. It would be good practice for a website
owner to give careful consideration to any future uses of the data they collect so as to
avoid the need to gain further consents.
DISCLOSURE OF YOUR INFORMATION
Users of the website should be provided with information regarding whether their data
will be accessed by, disclosed to or sold to third parties, and for what purpose (para
2(3)(d), Part 2, sch 1, DPA). In the event of the sale of the business it is crucial that
the data controller has the right to transfer data.
The legislation does not prevent consent being withdrawn at any time. There is also no
obligation to include a provision reminding customers of their right to withdraw
consent, with the exception of cookies or of direct marketing by electronic means.
Including such a provision would help instil confidence in the site.
contained in third party websites before submitting their data as they may not realise
ACCESS TO INFORMATION
Under section 7 of the DPA, users have the right to make a written request:
• “To be informed by any data controller whether personal data of which that
individual is the data subject are being processed by or on behalf of that data
• Where that is the case, to be given by the data controller a description of the
personal data, the purposes for which they are processed and the recipients to
whom they may be disclosed.” (Subject access request)
legal requirement it may help to instil confidence in the site. The individual is in most
cases entitled to receive a copy of the data held by the data controller and to be told
the source of that data. The data controller may charge a fee of up to £10 and the
information must usually be provided within 40 days.
made will be notified to users. Any changes made to the policy will only affect how
data controllers use the information collected after the changes. Users who provided
information before the changes will have done so under the old policy and data
controllers are obliged to honour the assurances contained within that statement.
Website controllers looking to change the way they use personal data should gain
individuals’ opt-in consent. This ideally will be done by notifying them and gaining
their agreement. If an email is sent explaining the new changes, consent is not
implied if the individual does not reply. If, however, the changes are for a new use
and not a new purpose, it will be enough to advise the individuals of the changes,
giving them the chance to object. This is also the case if the nature and purpose of the
use is close to the terms of the original statement.
CONTACT
Ideally the geographical address of the website operator should be given to allow
users to withdraw their consent to certain types of processing, wherever the law
permits them to do so. You can provide just a contact email address unless you are
selling goods or services in which case the law requires a geographical address be