The Information Commissioner has published a new Code of Practice explaining how the DPA applies in an online world, and offering ‘good practice’ advice for the collection and use of personal data through the internet.
The Code covers (among other things) application and payment forms, social networking sites, cookies and other personally-targeted marketing. It considers the difficulties of ‘non-obvious identifiers’ (such as IP addresses linked to devices rather than to individuals), cross-border data transfers by multinational or non-domestic organisations, and the practice of outsourcing the storage of databases to other web-based companies.
With the aid of examples from such contexts, the Code turns established principles into specific recommendations for internet businesses, including: avoid collecting personal data too early in the relationship or transaction with the user; only collect personal data as far as is necessary; provide a clear explanation of how users’ personal data will be processed; ensure that employees only have access to customers’ personal data where necessary, and that this access is withdrawn as soon as their employment ends.
Certain suggestions will be particularly welcomed by privacy campaigners: alert users to the security risks associated with ‘autocomplete’ forms; give users a simple option of declining to have their personal data stored and of disabling cookies or other trackers of their online behaviour, and make it easy for them to contact the data controller about how their personal data is being used.
Organisations that process personal data must notify the Information Commissioner’s Office, and pay an annual fee. Up to now the fee has been £35, for all data controllers. With effect from 1st October 2009, some large data controllers will instead pay a fee of £500.
The changes are made by the Data Protection (Notification and Notification Fees) (Amendment) Regulations 2009 (SI 2009 No 1677). These divide data controllers into two groups: tier 1 organisations, which pay £35, and tier 2 organisations, which pay £500. All data controllers not in tier 2 are in tier 1.
A data controller will be in tier 2 if it satisfies the following three conditions: (i) it is not a charity or a small occupational pension scheme; (ii) it has been in existence for more than a month; and (iii) it has a turnover of £25.9 million or more for the data controller’s financial year and 250 or more members of staff, or it is a public authority with 250 or more members of staff. There are detailed provisions as to how turnover and staff numbers should be calculated for these purposes.
An explanatory memorandum issued by the Ministry of Justice gives the policy background to the change. Essentially it argues that large organisations cost more for the ICO to regulate, and so should pay a higher fee. The memorandum suggests that about 4% of data controllers will pay the higher fee, and that the extra annual income to the ICO will be about £4.7 million.
A more interesting question perhaps – and one that the new Regulations do not affect at all – is who is obliged to notify the Information Commissioner. Anyone who uses a computer to process personal data is a data controller and obliged to notify, unless they are subject to an exemption. Under section 36 of the Data Protection Act 1998, personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the duty to notify (and indeed from most of the rest of the Act as well). This is sometimes referred to as the “domestic use”, or “Christmas card list” exemption: if you keep your family’s Christmas card list on a computer, you do not have to notify the ICO that you are processing personal data, and you can spend the £35 on something else instead.
But what if you put personal data on to the internet? The Lindqvist case in the European Court of Justice suggests that the domestic exemption would not apply here, because information posted on the internet is available to all the world. Since Lindqvist was decided, there has been an explosion of blogging, and social networking, all internet-based. How much of this activity would come within the domestic use exemption remains unclear.
There’s an employment law supplement in the latest Legal Week, and I have an article about employment vetting.
At the end of the article there’s a short discussion of something I’ve written about previously on this blog: the amount of personal information that’s now put on the internet, and its implications for recruitment. Looking at the way the article is presented, it’s clear that the editorial team thought that this was the interesting bit of the article.
I’ll be speaking about employment vetting again next week, at the Local Government Group conference on 29th April. This event is a wide-ranging legal update for local authority lawyers – it’s a joint event between LGG and 11KBW. If you’re coming to the conference, do come and introduce yourself and let me know what you think of the blog.
In an article in today’s Financial Times, Benjamin Akande of Webster University talks about the “iPoders” – the generation born between 1982 and 2000. He describes a generation of technology addicts, using the internet as its first resort for information-gathering, and nurturing personal relationships through social networking and twittering. According to Akande, as it enters the workforce this cohort will be looking for organisations that share its appetite for technological innovation.
One issue that Akande doesn’t discuss is how iPoders view their personal privacy. How will they react if their technology-aware future employers treat Facebook and MySpace as a legitimate part of pre-recruitment due diligence? It’s often suggested that today’s 20-somethings are deeply relaxed about information privacy. A more realistic view may be that, as early adopters of social networking technology, they are learning the hard way about the implications of putting personal information online. In 2007, Oxford University students were outraged when photographs on Facebook were used in order to crack down on post-exam celebrations.
At the same time, employers need to be cautious about googling their job applicants. For instance, interview panels know not to ask questions about any plans for starting a family. But what if one of the interviewers finds out information of this kind, from his online researches into the candidates? Unless the information is wholly disregarded, there is an obvious risk of a discrimination claim if the candidate is rejected.
I’m a great admirer of Pinsent Mason’s “Out-Law” website. It’s a fascinating source of information law material.
Today, there’s an opinion piece about the use of social networking sites by employees. It argues that in some circumstances employers are entitled to control the use that employees make of sites such as Facebook, even outside working hours. There is a risk of reputational damage: for instance, a newspaper that aims for politically impartial journalism could be damaged if its writers reveal their own personal political views online.
Personal use of the internet during working time is a legitimate concern to employers – just as they may rightly be concerned about the use of the phone system for long private calls. But what about curtailing employees’ freedom of expression and social interaction in their own time? It is suggested that any employer who went down this route would need both a very strong justification, and a tightly-drawn policy that was clearly communicated to their employees.
In considering any specific case, careful consideration would need to be given by employers to how widely any objectionable material posted by an employee could be viewed – was it visible to a small group of friends, for instance, or to a network of millions of people?
There’s a much broader issue here. Social networking is very widespread indeed among today’s student generation. When they begin their working lives, will they find that their online activity impedes their search for a job? Or that it comes back to haunt them later in their working lives?
The reference for the opinion piece discussed above is at:
For discussion of the issues that arise when an employer considers that an employee’s online activities are damaging to its reputation, see Pay v Lancashire Probation Service, available online at: