Privacy watchdog the Information Commissioner's Office (ICO) has published a draft of a new Code of Practice for companies that gather personal information online. The Code seeks to guide them on how best to treat individuals' information.
The ICO is conducting a public, online consultation on the proposed Code, which it hopes will encourage companies to give internet users more control over the information gathered about them.
"The internet plays a huge role in our everyday lives as we do more of our business online than ever before," said Information Commissioner Christopher Graham at the draft Code's launch. "Customers can always vote with their feet and punish organisations that they feel have let them down – which serves as a very real reminder that getting privacy online wrong is a risky game to play. People should have control over what happens to their personal information online whether it's correcting inaccuracies, deleting profiles or choosing the privacy settings that suit them."
"The draft Code of Practice explains a difficult area of the law and provides practical advice on a range of online privacy issues," said ICO head of data protection projects Iain Bourne. "It urges organisations to do more to explain what they do with the information they collect about people and to make sure they use it in line with individuals’ wishes."
The draft Code does not, though, answer some of the difficult questions which companies might seek guidance on. The Code says that it applies to 'personal data' but there is still debate in privacy circles about whether and when certain kinds of information, such as a user's internet protocol (IP) address, counts as 'personal data'.
On the vexed question of behavioural advertising and what activity is and is not legal, the guidance says: "In some cases a group of organisations may work together to deliver content through a single portal. They may each collect and use personal data for their own purposes. In cases like this, each organisation retains its own responsibility for the personal data it handles. Where there is doubt about the responsibilities of the organisations involved, it may be necessary to obtain legal advice in order to clarify this".
Even at the Code's launch there was some indication that businesses would want more concrete advice from the regulator.
"One of the participants at the launch said that it would be helpful if the ICO provided more concrete guidance on online privacy about what a company could and couldn't do, that there were a lot of 'maybe they could' and 'maybe they couldn't' do this or that," said Louise Townsend, a privacy law expert at Pinsent Masons, the law firm behind OUT-LAW.COM.
"I think companies should bear in mind that this is a consultation, so if they want more clarity then this is the time to say that, rather than in a few months' time," said Townsend.
Townsend said, though, that the Code may not be designed to answer every question that companies have, and could be a useful start for firms new to collecting personal data.
"I think it is a high level view and addresses a lot of the frequently asked questions that the ICO gets asked," she said. "It gives an overview and has a lot of links to some of the more technical guidance."
The guidance urges companies to be honest and upfront with users of their services about how much data is collected about them and what it is used for. It gives some broad guidelines for companies to follow:
"There are several things that must be avoided by organisations if they are to minimise the risk to the individuals whose personal data they collect. These are:
Do not be secretive or deceptive in the way you handle people’s personal data.
Do not try to gain an advantage by using personal data in a way that people wouldn’t expect or might object to.
Do not collect personal data you don’t need – this involves extra storage costs and additional risk – for example if there is a data loss.
Do get the best security you can afford – a big data loss or a loss of sensitive personal data could undermine public confidence in your company and cause great commercial damage.
Do not assume that because you are based in the UK you can ignore other countries' laws. If you use equipment in another country or collect personal data about people outside the UK, you may need to comply with other countries' laws."
The consultation is now live and runs until 5th March 2010.