Privacy Policies – Do I Need One?
The First Data Protection Principle – Fair and Lawful Processing
Data controllers (those people who decide the purpose for which personal data will be used – 'processed' in data protection speak) must process personal data fairly and lawfully. If a data subject (an individual whose personal data are being processed) complains that his personal data have not been processed fairly, the Information Commissioner's Office (the ICO) will look at how the personal data were obtained, and whether anyone has been misled about the purposes of the processing.
In most cases the processing will not be fair unless the data controller has informed the data subject about:
A website owner can use its privacy policy to give data subjects this information.
Processing personal data is unlawful unless the data controller meets one of the conditions in Schedule 2 (or in the case of sensitive personal data, Schedule 3) of the DPA. In some cases, but by no means all, that may mean obtaining the data subject’s consent.
Consent need not be in writing, but it must be active – you can’t infer consent from a lack of response, but you can infer it from an action. So, if:
The Eighth Data Protection Principle – Transferring Personal Data outside the EEA
A data controller may need the data subject's consent to transfer personal data outside the EEA. (Please refer to our article Data Protection – Transferring Personal Data Overseas.) If you include information about transfers outside the EEA in your privacy policy, you can set up a process which gives you that consent when the data subject provides the personal data.
The Fourth Data Protection Principle – Keeping Personal Data Accurate and Up-to-Date
The Sixth Data Protection Principle – Processing in accordance with the Rights of Data Subjects
All data subjects have the right to insist on their personal data not being used for direct marketing purposes. A privacy policy gives you an opportunity to put in place a procedure for data subjects making requests that their data are not used for this purpose. If you act on those requests you can avoid being the subject of one of the most common complaints to the ICO - that this sort of request has been repeatedly ignored.
Warnings
Contact Details
If you would like further advice about any of the issues considered above please contact Christine Reid on 01865 864195 or email her at christine.reid@northwoodreid.com.
Terms of Use
This article is not intended to be, and should not be taken as being, legal advice. The law often changes and it varies from jurisdiction to jurisdiction; the information in this article is generic in nature and specific legal advice should be taken before acting on any of it.
© Northwood Reid 2009. The use, copying and dissemination of this article are subject to our