ICO Guidance On Collecting Personal Information On Websites

The Information Commissioner's Office (ICO) recently published a 'Good Practice Note' on the collection of personal information using websites1. This provides some practical guidance which will be relevant to any business that collects or processes personal data via its website.

What information should website operators give to individuals who submit their personal data to a website?

In the context of a website the Data Protection Act 1998 (DPA) requirement of fair processing means that the website operator must supply fair processing information at any point on the website at which personal data is collected from users. The fair processing information will usually be given in a privacy statement or policy.

Such information should include details of who is collecting the data, for what purpose, how the data will be used and any other relevant information required to make the processing fair in the circumstances, such as whether the information will be disclosed to third parties and in what circumstances. Website users should also be told what their rights are in relation to their data and how to exercise them.

If more than one organisation collects personal information through the website, for example if a third party provides a secure payment system, then each organisation that collects the data should be identified and their use of the data explained.

Active steps must be taken to bring the fair processing information to the attention of the website user. The ICO's view is that simply providing a link to a privacy statement is not sufficient. Instead, wherever personal data is collected on the site there should be some basic description of how the data will be used, with a link on from this to the full privacy policy which contains the detailed fair processing information. This accords with the ICO's view that a 'layered' privacy policy is the most effective way of communicating the information. The ICO refers data processors to the Organisation for Economic Co-operation and Development (OECD) website's privacy policy generator2 which can help to generate a basic tailored privacy statement based on the answers from a questionnaire.

Scope of use of personal data

Website operators may only process personal data for the purposes for which it was originally collected, as set out in the privacy policy that was in force when the website user provided the data. Unilaterally changing the terms of the privacy policy does not give the website...