What is the difference between a Privacy Statement and a Privacy Policy?
A website Privacy Statement is not a Privacy Policy. A Privacy Policy documents an organisation’s application of the eight data protection principles to the manner in which it processes data organisation-wide. The policy applies to all personal data processed by the organisation, including customer data, third party data and employee data. A Privacy Policy can, in some instances, be a very complex document, having to apply the data protection principles to its own experience. These principles are:
1. Obtain and process information fairly.
2. Keep it only for one or more specified, explicit and lawful purposes.
3. Use and disclose it only in ways compatible with these purposes.
4. Keep it safe and secure.
5. Keep it accurate, complete and up-to-date.
6. Ensure that it is adequate, relevant and not excessive.
7. Retain it for no longer than is necessary for the purpose or purposes.
8. Give a copy of his/her personal data to that individual, on request.
A Privacy Policy can go into great detail
on how the organisation applies these principles,
what procedures it should follow, assigning
individual/departmental responsibilities, etc. A
Privacy Policy is fundamentally a document for
internal reference.
A Privacy Statement is a public declaration
of how the organisation applies the data
protection principles to data processed on its
website. It is a more narrowly focused document
and by its public nature should be both concise
and clear.
Why do websites need Privacy Statements?
The simple answer is that it is a legal
requirement. Two distinct pieces of legislation
apply: The Data Protection Acts 1988 & 2003 (“The
Acts”) and Statutory Instrument Number 535 of 2003
European Communities (Electronic Communications
Networks and Services)(Data Protection and
Privacy) Regulations 2003 (“SI 535/2003”).
Section 2(1)(a) of the Acts requires that “The data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed fairly”. This fair obtaining principle generally requires that a person whose data are processed is aware of at least the following:
- The identity of the person processing the data.
- The purpose or purposes for which the data are processed.
- Any third party to whom the data may be disclosed.
- The existence of a right of access and a right of rectification.
In addition, Regulation 5 of SI 535/2003 imposes
certain obligations with respect to internet
activity.
“(1) No person shall use an electronic communications network to store information or to gain access to information stored in the terminal equipment of a subscriber or user unless -
(a) the subscriber or user concerned is provided with clear and comprehensive information in accordance with the Acts, which is prominently displayed and easily accessible and which, without limitation, includes the purpose of the processing
(b) the subscriber or user is offered the right to refuse such processing by the data controller.
(2) Paragraph 1 does not prevent any technical storage of or access to information for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network or which is strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.”
This Regulation refers to the use of cookies, web
beacons, the collection of IP addresses and other
technical matters.
Meeting a legal obligation is not the only reason
for having a Privacy Statement. Such statements,
and adherence to their principles, will promote
public confidence and should make such compliant
sites more popular with users. Being customer
friendly makes good business sense.
What if my website doesn’t have a Privacy Statement?
A contravention of the provisions of the Acts can
result in investigation and enforcement action by
the Data Protection Commissioner. If the
Commissioner issues an enforcement notice
requesting that you either place a Privacy
Statement on your site, or cease processing data,
failure to comply could result in prosecution with
a possible penalty of up to €100,000 and/or
deletion of any/all data collected via the
website.
Additionally, section 7 of the Acts gives a person
a right to take Civil Action against you if that
person has been damaged by the manner in which you
have processed his/her data.
How do I know if my website requires a Privacy Statement?
If your site does any of the following, a Privacy Statement is required:
- Collects personal data (visitors filling in web forms, feedback forms, etc).
- Uses cookies or web beacons.
- Covertly collects personal data (IP addresses, e-mail addresses).
What information should be contained within a Privacy Statement?
Information should be specific to the processing
of personal data on the website. Such information
should be sufficiently detailed so as to be useful
to the visitor to the site in deciding whether to
progress. Statements such as “all data collected
on this site shall be processed in compliance with
the Data Protection Act” are of no value on their
own. They need to be accompanied/replaced by an
explanation of how, in practical terms, the site
complies with its obligations.
Information should include the following:
Identity
Whilst who you are may be obvious to some visitors to your site, you should make sure that you are clearly identifiable. An organisation’s name on its own is of little value in this context. Identification should ideally include complete and useful contact details. Useful details would include an e-mail address and postal address that a visitor may use if he/she wishes to discuss any matters relating to the processing of personal data on your website.
Purpose
There can be many overt purposes for which
visitors should reasonably expect their data to be
used. These may include data necessary in the
context of a transaction. However, it is possible
that data may be processed for non-obvious
purposes such as profiling or future marketing.
All these purposes must be clearly referred to in
the Privacy Statement. Data volunteered on that
understanding are fairly obtained. If a purpose is
not obvious and not referred to, then it will be
difficult for you to lawfully process data for
that purpose.
Disclosure
If you plan to release personal data to a third
party (other than a person acting as your agent)
this is a disclosure and must be referred to in
your Privacy Statement. A general exception to
this rule is where the disclosure is required by
Law.
Right of Access
Under section 4 of the Acts a person has a right to be given a copy of his/her personal data. If you are retaining personal data, you should refer to this Right of Access in your Privacy Statement. You should include reference to the procedures to be followed. Under the Acts, a Subject Access Request should be in writing, you may charge a fee not exceeding €6.35 and you must reply within 40 calendar days. Accordingly, you should identify whether you will accept an e-mailed or written request, to whom such a request should be directed and with what it should be accompanied (fee; identification).
Right of rectification or erasure.
Under section 6 of the Acts, a person has a right
to have his/her personal data corrected, if
inaccurate, or erased, if you do not have a
legitimate reason for retaining the data. You
cannot charge for complying with such a request
and shall comply within 40 calendar days of the
receipt of such a request. Your Privacy Statement
should make reference to this, if you retain
personal data, as well as detailing the procedures
a person should follow when making such a request.
Extent of data being processed.
If different data are used for different purposes,
this should be clearly referred to in the Privacy
Statement, rather than a person assuming that all
data shall be used for all purposes. This is even
more important in relation to the covert
processing of data, such as the collection of IP
addresses, use of cookies or web beacons.
Right to refuse cookies.
If it is not necessary to use cookies in the context of a transaction, the user should be informed of this and given an opportunity to refuse to have cookies placed on his/her computer. The use of cookies might also be explained to the user.
Is there other information that would be recommended to be included?
Section 5 details the information that must be
included in a Privacy Statement in order to be
compliant with the provisions of the Acts.
However, if you intend that your Privacy Statement
is a comprehensive description of your on-line
data processing, you can also include the
following information:
Security.
Whilst you are required to have adequate security
measures in place to prevent the unauthorised
access to, or alteration or destruction of
personal data in your possession, any detailed
reference to such measures in a publicly available
Privacy Statement would be unwise.
Rather, you should confine yourself to stating
that you take your security responsibilities
seriously, employing the most appropriate physical
and technical measures, including staff training
and awareness and that you review these measures
regularly.
Accurate, complete and up-to-date.
This is largely a reactive policy, as problems are often only discovered when dealing with the data subject. However, you may make reference to the need to hold only accurate, complete and up-to-date data, suggesting means by which data subjects may update their details or actions you may take to ensure accuracy, such as contacting customers by e-mail.
Adequate, relevant, not excessive.
You are obliged not to hold more data than is
necessary for the purpose for which you collect
them. Any data in excess of this requirement
should either not be requested or, if volunteered,
deleted. In a Privacy Statement, you may make
reference to a policy to review all data
supplied/obtained and delete that which is not
necessary, or which is no longer necessary.
Retention.
Data should not be held for longer than is
necessary for the purpose(s) for which they were
obtained. Your Privacy Statement could refer to a
policy to delete credit card details once a
transaction had been finalised, unless you obtain
the consent of customers to retain details to ease
further transactions. If you hold different types
of data for different time periods, this can also
be referred to in the Privacy Statement.
Complaint resolution mechanism.
Though not required under Data Protection
Legislation, some means of dealing with complaints
received from the website’s users about data
processing would be a customer friendly measure.
Where should I place the Privacy Statement?
A Privacy Statement should be placed in an obvious
position and not contained within another
document. As a minimum, a Privacy Statement should
be placed in the upper half of the entry page to a
website. As some web browsers will only display
part of a page, the upper page requirement means
that a visitor need not scroll down to look for
the Privacy Statement.
Placing a statement only on a Home Page may not be
sufficient, as links from other web sites or
through search engines may bring a visitor into
the site via a page other than the Home Page. The
ideal solution to this problem is to place a link
to the Privacy Statement on each page.
Alternatively, a link could be placed on any page
on which data are collected, though if the website
uses cookies, effectively this could mean all
pages.
Can I place the Privacy Statement within a
“terms & conditions” document?
A Privacy Statement is a legal requirement and is
distinct from terms and conditions, copyright or
disclaimer notices. It should stand alone and be
clearly identifiable. In order for a Privacy
Statement to be of value, it must be readily
accessible to the user, quickly read and easily
understood. If it is buried within a lengthy
document covering a variety of legal issues, it
will be difficult for you to demonstrate that you
have fulfilled your obligations under the Acts and
SI 535/2003.
How often should I review the Privacy Statement?
It should only be necessary to conduct a review if
there is some change to on-line processes.
However, some mechanism should be in place to notify the appropriate staff member to initiate a review if:
- There is a change to data processing on the website.
- There is a planned/actual redevelopment of the website.
- There is a new web hosting arrangement.
- There are suggestions / comments received from site users.
In any case, the Privacy Statement should be
reviewed in the context of an internal audit
procedure, which also should review the
organisational Privacy Policy, at least on an
annual basis.
I am not an IT person, what are cookies?
A cookie is a block of data that a web server
places on a user’s PC. Typically, it is used to
ease navigation through the site. However, it is
also a useful means of the website identifying the
user, tracking the user’s path through the site,
and identifying repeat visits to the site by the
same user (or same user’s machine). This can then
lead to a website owner being able to profile an
individual user’s browsing habits - and all
potentially done without the knowledge, or
consent, of the user.
How do I know if my web site uses cookies?
This should be a question you address to the
person who has developed your website, or to
whomever maintains it for you. Most browsers can
be set to prevent cookies being downloaded onto a
PC. If you set your browser to block cookies, then
visit your own site, you may get an error message
displayed if your site is attempting to download a
cookie. Alternatively, you can look into the
“cookie” or “Temporary Internet” folder of your PC
and see if you can identify a cookie placed by
your site. Cookies often, but not always, contain
site names.
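The check described above can be made systematic for a site you operate. The following is an added example, not part of this guidance: it takes the raw HTTP response headers your own site returns (captured, for instance, with a browser's developer tools or `curl -i`) and lists every cookie the response sets, noting whether each one outlives the browser session, whether it belongs to your own domain or a third party, and whether the Secure and HttpOnly flags are present. The sample response, the host name `www.example.com` and the cookie names in it are constructed for illustration. The `needs_refusal_option` function is a simple heuristic that flags persistent and third-party cookies as the ones to describe in the "Extent of data being processed" and "Right to refuse cookies" sections; it is not a legal determination of which cookies are strictly necessary for a transaction.

```python
"""Inventory the cookies a website sets, from its raw HTTP response headers.

Added example (not part of the Data Protection Commissioner guidance).
Capture the headers your own site returns, e.g. `curl -i https://www.example.com/`
(hypothetical site), and pass them to cookie_inventory().
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample response: one session cookie, one long-lived
# first-party identifier and one third-party tracking cookie.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=3f2a9c; Path=/; HttpOnly; Secure\r\n"
    "Set-Cookie: visitor_id=7b1d22; Path=/; Max-Age=63072000; Domain=.example.com\r\n"
    "Set-Cookie: _ad_track=xyz; Expires=Thu, 31 Dec 2026 23:59:59 GMT; "
    "Domain=.ads.example.net\r\n"
    "\r\n"
    "<html>...</html>"
)


@dataclass
class CookieRecord:
    name: str
    domain: Optional[str]   # Domain attribute as sent, or None (host-only cookie)
    persistent: bool        # survives the browser session (Expires or Max-Age set)
    secure: bool            # only sent over HTTPS
    httponly: bool          # not readable by scripts on the page
    first_party: bool       # scoped to the site being audited


def parse_set_cookie(header_value: str, site_host: str) -> CookieRecord:
    """Parse one Set-Cookie header value into a CookieRecord.

    Attributes are separated by ';'. Expires values contain commas but
    never semicolons, so a plain split on ';' is safe.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True   # bare flags such as Secure, HttpOnly
    domain = attrs.get("domain")
    if domain is None:
        first_party = True   # host-only cookie: bound to the responding host
    else:
        suffix = domain.lstrip(".").lower()
        host = site_host.lower()
        first_party = host == suffix or host.endswith("." + suffix)
    return CookieRecord(
        name=name,
        domain=domain,
        persistent="expires" in attrs or "max-age" in attrs,
        secure=attrs.get("secure") is True,
        httponly=attrs.get("httponly") is True,
        first_party=first_party,
    )


def cookie_inventory(raw_response: str, site_host: str) -> List[CookieRecord]:
    """Extract every Set-Cookie header from a raw HTTP response."""
    header_block = raw_response.split("\r\n\r\n", 1)[0]
    records = []
    for line in header_block.split("\r\n")[1:]:   # skip the status line
        field_name, sep, value = line.partition(":")
        if sep and field_name.strip().lower() == "set-cookie":
            records.append(parse_set_cookie(value.strip(), site_host))
    return records


def needs_refusal_option(records: List[CookieRecord]) -> List[str]:
    """Heuristic: cookies that persist beyond the session or belong to a
    third party are the ones a visitor should be told about and offered
    the chance to refuse. Plain first-party session cookies are left out."""
    return [r.name for r in records if r.persistent or not r.first_party]


if __name__ == "__main__":
    inventory = cookie_inventory(SAMPLE_RESPONSE, "www.example.com")
    for rec in inventory:
        print(f"{rec.name:12} persistent={rec.persistent!s:5} "
              f"first_party={rec.first_party!s:5} secure={rec.secure!s:5} "
              f"httponly={rec.httponly}")
    print("Disclose and offer refusal for:", needs_refusal_option(inventory))
```

Running it on a real capture replaces `SAMPLE_RESPONSE` with the headers of each page you want to audit; because cookies can also be set by scripts rather than by response headers, the result is a lower bound, and the question to your developer remains the authoritative check.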
Do I need to submit my Privacy Statement to the
Data Protection Commissioner for approval?
No, this is not a requirement.
Other matters of interest to on-line processing.
Use of web hosting services.
Any person using a third party to host a website
should be aware of a number of issues.
A. Data Processor
A person who provides space on a server to host a
website is a Data Processor, processing data on
your behalf.
B. Registration.
All Data Processors processing personal data are
obliged to have a current entry in the register
maintained by the Data Protection Commissioner.
Processing data whilst not having such an entry is
an offence.
C. Location of server.
If the web hosting service hosts your site on a
server outside the European Economic Area, they
are obliged to meet at least one of the conditions
set out in Section 11 of the Acts. You, as Data
Controller, should be aware of such transborder
data flows.
D. Contract.
As Data Controller, you ultimately are responsible to the Data Protection Commissioner (& the Courts) should the web hosting company unlawfully process data. Section 2C of the Acts obliges you to have a contract in writing (or equivalent) with the Data Processor specifying:
- What the Data Processor may do with the data on your behalf.
- What security measures the Data Processor must have in place.
You must also take reasonable steps to ensure that
the Data Processor complies with these
instructions.