Page 112 - Law and the Media

New Media
             The Information Commissioner, who oversees the DPA, has given guidance in relation to the
             collection and processing of data on web sites. 4

             In addition to compliance with the general principles of data protection, the DPA places an
             obligation on web-site operators, including the publishers of online newspapers and
             magazines, to take ‘appropriate technical and organizational measures’ to prevent the
             unauthorized or unlawful processing of personal data stored in their software systems,
             whether by employees or ‘hackers’.


             ‘Personal data’ refers to data kept on or in connection with a web site, including the
             collection of visitors’ email addresses and forums for the exchange of information by
             visitors, as well as workplace computer systems and manual records. Data about companies
             are not subject to the DPA unless named individuals are referred to as points of contact. The
             appropriate level of security depends on the type of information stored – for example,
             financial information will require greater security than information relating to visitors’
             favourite football players.


             The DPA also applies if personal information is held for the purposes of marketing, either
             manually or on a computer system. The use of cookies, software that records a visitor’s
             preferences and page choices, does not fall within the remit of the DPA as such. However,
             as cookies usually collect personal data about each visitor to the web site, the principles of
             the DPA will most likely apply. The Information Commissioner is of the view that, in some
             circumstances, cookies are subject to the provisions of the DPA. In order to avoid any
             possible breach, information obtained by cookies should be regarded as subject to the
             provisions.

             Under the provisions of the DPA, personal data must not be transferred out of the European
             Economic Area (which is the European Union Member States, Norway, Iceland and
             Liechtenstein) unless the country or territory to which it is transferred ensures an adequate
             level of protection for the rights of the ‘data subject’ (in other words, the person to whom the
             personal data relates), or the data subject has consented. This can be problematic because of
             the global nature of the Internet. Many countries outside the European Economic Area,
             including the United States, do not have equivalent data protection. However, the United
             States Government has encouraged companies processing data in the United States to
             comply with the voluntary data protection provisions of the International Safe Harbor
             Privacy Principles.

             Although it is not a requirement of data protection law to include a privacy statement on a
             web site that collects personal data, it is regarded by the Information Commissioner as best
             practice. The privacy statement should be positioned where visitors to the web site are most
             likely to read it.



             4 The Information Commissioner’s web site is at www.dataprotection.gov.uk.