Privacy Policies – Do I Need One?

Most websites include a privacy policy, but few website owners are sure why they need one. The reasons for having a privacy policy are twofold:
  • it helps give members of the public confidence about how the owner of the website will use their personal data; and
  • it helps website owners to comply with the Data Protection Act (the DPA).


The First Data Protection Principle – Fair and Lawful Processing

Data controllers (in data protection terms, the people who decide the purposes for which personal data are used, or 'processed') must process personal data fairly and lawfully. If a data subject (an individual whose personal data are being processed) complains that his personal data have not been processed fairly, the Information Commissioner's Office (the ICO) will look at how the personal data were obtained and whether anyone has been misled about the purposes of the processing.

In most cases the processing will not be fair unless the data controller has informed the data subject about:

  • the identity of the data controller;
  • the purpose(s) for which the personal data are to be processed; and
  • any other information which is necessary to enable the processing to be fair. (To all intents and purposes this means telling the data subject about any likely disclosures of the data to others.)


A website owner can use its privacy policy to give data subjects this information.

Processing personal data is unlawful unless the data controller meets one of the conditions in Schedule 2 (or in the case of sensitive personal data, Schedule 3) of the DPA. In some cases, but by no means all, that may mean obtaining the data subject’s consent.

Consent need not be in writing, but it must be active – you can't infer consent from a lack of response, but you can infer it from an action. So, if:

  • before a data subject inputs personal data into a form on a website, the website makes it clear that, by doing so, he is consenting to its use in accordance with the privacy policy; and
  • the data subject has a real opportunity to read the privacy policy; and
  • the policy sets out clearly how the personal data will be used,

then by inputting his personal data and pressing 'SEND' the data subject is actively consenting to his data being used in accordance with that policy.


The Eighth Data Protection Principle – Transferring Personal Data outside the EEA

A data controller may rely on the data subject's consent as a basis for transferring personal data outside the EEA. (Please refer to our article Data Protection – Transferring Personal Data Overseas.) If you include information about transfers outside the EEA in your privacy policy, you can set up a process which obtains that consent at the point when the data subject provides the personal data.

The Fourth Data Protection Principle – Keeping Personal Data Accurate and Up-to-Date

Data controllers are obliged to keep personal data accurate and, where necessary, up to date. You can use a privacy policy to invite visitors to your website to update their personal data.  With the right procedures in place, you can save time and money and have a better and more useful customer and contact database.

The Sixth Data Protection Principle – Processing in accordance with the Rights of Data Subjects


All data subjects have the right to insist on their personal data not being used for direct marketing purposes.  A privacy policy gives you an opportunity to put in place a procedure for data subjects making requests that their data are not used for this purpose.  If you act on those requests you can avoid being the subject of one of the most common complaints to the ICO - that this sort of request has been repeatedly ignored.



  • Actively direct data subjects to the privacy policy. It's not enough to dismiss the policy as the small print, or just to have a link to it at the foot of the webpage. Most visitors to the site will not click on that link and will not understand the policy’s relevance to them.
  • Do not make unrealistic promises in your privacy policy – for instance that you will never give any personal data to a third party.
  • Make sure that the purposes for which you process personal data, as stated in the privacy policy, are consistent with the purposes that appear in your entry on the Register of Data Controllers kept by the ICO (http://www.ico.gov.uk).

Contact Details


If you would like further advice about any of the issues considered above, please contact Christine Reid on 01865 864195 or email her at christine.reid@northwoodreid.com.


Terms of Use


This article is not intended to be, and should not be taken as being, legal advice. The law often changes and it varies from jurisdiction to jurisdiction; the information in this article is generic in nature and specific legal advice should be taken before acting on any of it.


© Northwood Reid 2009. The use, copying and dissemination of this article are subject to our Terms of Use.