Data Protection Commissioner
Data Protection Commissioner

 Guidelines for the contents and use of Privacy Statements on Websites

 

1. What is the difference between a Privacy Statement and a Privacy Policy?


A website Privacy Statement is not a Privacy Policy. A Privacy Policy documents an organisation' s application of the eight data protection principles to the manner in which it processes data organisation-wide. The policy applies to all personal data processed by the organisation, including customer data, third party data and employee data. A Privacy Policy can, in some instances, be a very complex document, having to apply the data protection principles to its own experience. These principles are:
 
1. Obtain and process information fairly.
2. Keep it only for one or more specified, explicit and lawful purposes.
3. Use and disclose it only in ways compatible with these purposes,
4. Keep it safe and secure.
5. Keep it accurate, complete and up-to-date.
6. Ensure that it is adequate, relevant and not excessive.
7. Retain it for no longer than is necessary for the purpose or purposes.
8. Give a copy of his/her personal data to than individual, on request.
 
A Privacy Policy can go into great detail on how the organisation applies these principles, what procedures it should follow, assigning individual/departmental responsibilities, etc. A Privacy Policy is fundamentally a document for internal reference.
 
A Privacy Statement is a public declaration of how the organisation applies the data protection principles to data processed on its website. It is a more narrowly focused document and by its public nature should be both concise and clear.
 

2. Why do websites need Privacy Statements?

 
The simple answer is that it is a legal requirement. Two distinct pieces of legislation apply: The Data Protection Acts 1988 & 2003 ("The Acts") and Statutory Instrument Number 336 of 2011 European Communities (Electronic Communications Networks and Services)(Privacy and Electronic Communications) Regulations 2011 ("SI 336/2011")
 
Section 2(1)(a) of the Acts requires that
 
"The data or, as the case may be, the information constituting the data shall have been
obtained, and the data shall be processed fairly".

This fair obtaining principle generally requires that a person whose data are processed is aware of at least the following:
  • The identity of the person processing the data.
  • The purpose or purposes for which the data are processed.
  • Any third party to whom the data may be disclosed.
  • The existence of a right of access and a right of rectification.
     

In addition, Regulation 5 of SI 336/2011 imposes certain obligations with respect to internet activity.

 
Information – not just personal data - may not be stored on or retrieved from a person's terminal equipment (computer, smartphone, mobile phone or other equipment used by an individual to access electronic communications networks) unless the individual: (a) has been given clear and comprehensive information about why this is being done and (b) has given her/his consent. This Regulation covers the use of "cookies"(a small file that can be downloaded to a PC or other device when the user accesses certain websites. A cookie allows a website to "recognise" the user's device).
 
The Regulations do not prescribe how the information is to be provided or consent is to be obtained, other than this should be done.
The obligation to meet the requirements for providing comprehensive information to users and obtaining their consent for the placement of cookies rests with the service providers who place cookies on users' equipment. The settings currently available on the main browsers do not appear to be sufficient in themselves to meet the obligation.
 
The Policy should also cover other situations where information is placed on, or retrieved from, terminal equipment. An example of this may be via an "app." Information that is necessary to facilitate the transmission of a communication, or information that is strictly necessary to provide an information society service explicitly requested by the user, is not subject to this requirement. If a cookie is strictly necessary to facilitate a transaction requested by the user - for example, storage of items in a shopping cart on an online website - advance consent will not be required.
 
This will be the case where the cookie is stored only for as long as the "session" is live and will be deleted at the end of the session. Information on such use should be readily available to the user of a website. Clear and comprehensive information that is prominently displayed and easily accessible will apply, as well as the requirement for user consent.. They envisage that, where it is technically possible and effective, such consent could be given by the use of appropriate browser settings.
 
In order to meet the legal requirements, such settings would require, as a minimum, clear communication to the user as to what s/he was being asked to consent to and a means of giving or refusing consent to any information being stored or retrieved. It is particularly important that the requirements are met where so called "third party" or "tracking" cookies are involved – such as when advertising networks collect information about websites visited by users in order to better target advertising ("behavioural advertising"). The Article 29 Working Party in its Opinion 2/2010 has provided advice on how the requirements might be met.
 
Meeting a legal obligation is not the only reason for having a Privacy Statement. Such statements, and adherence to their principles, will promote public confidence and should make such compliant sites more popular with users. Being customer friendly makes good business sense.
 

3. What if my website doesn't have a Privacy Statement?

 
A contravention of the provisions of the Acts can result in investigation and enforcement action by the Data Protection Commissioner. If the Commissioner issues an enforcement notice requesting that you either place a Privacy Statement on your site, or cease processing data, failure to comply could result in prosecution with a possible penalty of up to €100,000 and/or deletion of any/all data collected via the website.
 
Additionally, section 7 of the Acts gives a person a right to take Civil Action against you if that person has been damaged by the manner in which you have processed his/her data.
 

4. How do I know if my website requires a Privacy Statement?


If your site does any of the following, a Privacy Statement is required:
 
  • Collects personal data (visitors filling in web forms, feedback forms, etc).
  • Uses cookies or web beacons.
  • Covertly collects personal data (IP addresses, e- mail addresses.)
     

5. What information should be contained within a Privacy Statement?

 
Information should be specific to the processing of personal data on the website. Such information should be sufficiently detailed so as to be useful to the visitor to the site in deciding whether to progress. Statements such as "all data collected on this site shall be processed in compliance with the Data Protection Act" are of no value on their own. They need to be accompanied/replaced by an explanation of how, in practical terms, the site complies with its obligations.
 
Information should include the following:
 
Identity

Whilst who you are may be obvious to some visitors to your site, you should make sure that you are clearly identifiable. An organisation's name on its own is of little value in this context. Identification should ideally include complete and useful contact details. Useful details would include an e- mail address and postal address that a visitor may use if he/she wishes to discuss any matters relating to the processing of personal data on your website.
 
Purpose

There can be many overt purposes for which visitors should reasonably expect their data to be used. These may include data necessary in the context of a transaction. However, it is possible that data may be processed for non-obvious purposes such as profiling or future marketing. All these purposes must be clearly referred to in the Privacy Statement. Data volunteered on that understanding are fairly obtained. If a purpose is not obvious and not referred to, then it will be difficult for you to lawfully process data for that purpose.
 
Disclosure

If you plan to release personal data to a third party (other than a person acting as your agent) this is a disclosure and must be referred to in your Privacy Statement. A general exception to this rule is where the disclosure is required by Law.
 
Right of Access

Under section 4 of the Acts a person has a right to be given a copy of his/her personal data. If you are retaining personal data, you should refer to this Right of Access in your Privacy Statement. You should include reference to procedures to be followed. Under the Acts, a Subject Access Request should be in writing, you may charge a fee not exceeding €6.35 and you must reply within 40 calendar days. Accordingly, you should identify whether you will accept an e- mailed or written request, to whom such a request should be directed and with what it should be accompanied ( fee; identification).
 
Right of rectification or erasure.

Under section 6 of the Acts, a person has a right to have his/her personal data corrected, if inaccurate, or erased, if you do not have a legitimate reason for retaining the data. You cannot charge for complying with such a request and shall comply within 40 calendar days of the receipt of such a request. Your Privacy Statement should make reference to this, if you retain personal data, as well as detailing the procedures a person should follow when making such a request.
 
Extent of data being processed.

If different data are used for different purposes, this should be clearly referred to in the Privacy Statement, rather than a person assuming that all data shall be used for all purposes. This is even more important in relation to the covert processing of data, such as the collection of IP addresses, use of cookies or web beacons.
 
Cookies.

See Section 2 above.
Is there other information that would be recommended to be included?

Section 5 details the information that must be included in a Privacy Statement in order to be compliant with the provisions of the Acts. However, if you intend that your Privacy Statement is a comprehensive description of your on-line data processing, you can also include the following information:
 
Security.

Whilst you are required to have adequate security measures in place to prevent the unauthorised access to, or alteration or destruction of personal data in your possession, any detailed reference to such measures in a publicly available Privacy Statement would be unwise.
 
Rather, you should confine yourself to stating that you take your security responsibilities seriously, employing the most appropriate physical and technical measures, including staff training and awareness and that you review these measures regularly.
 
Accurate, complete and up-to-date.

This is largely a reactive policy, as problems are often only discovered when dealing with the data subject. However, you may make reference to the need to hold only accurate, complete and up-to-date data, suggesting means by which data subjects may update their details or actions you may take to ensure accuracy, such as contacting customers by e- mail.
 
Adequate, relevant, not excessive.

You are obliged not to hold more data than is necessary for the purpose for which you collect them. Any data in excess of this requirement should either not be requested or, if volunteered, deleted. In a Privacy Statement, you may make reference to a policy to review all data supplied/obtained and delete that which is not necessary, or which is no longer necessary.
 
Retention.

Data should not be held for longer than is necessary for the purpose(s) for which they were obtained. Your Privacy Statement could refer to a policy to delete credit card details once a transaction had been finalised, unless you obtain the consent of customers to retain details to ease further transactions. If you hold different types of data for different time periods, this can also be referred to in the Privacy Statement.
 
Complaint resolution mechanism.

Though not required under Data Protection Legislation, some means of dealing with complaints received from the website's users about data processing would be a customer friendly measure.
 
Where should I place the Privacy Statement?

A Privacy Statement should be placed in a reasonably obvious position on the homepage. Typically, privacy statements can be found in the sub navigation menu which is normally situated in a bottom centre position on the homepage alongside other menu items such as Security Statement, Disclaimer, Terms & Conditions etc.
 
Placing a statement only on a Home Page may not be sufficient, as links from other web sites or through search engines may bring a visitor into the site via a page other than the Home Page. The ideal solution to this problem is to place a link to the Privacy Statement on each page. Alternatively, a link could be placed on any page on which data are collected, though if the website uses cookies, effectively this could mean all pages.
 
Can I place the Privacy Statement within a "terms & conditions" document?

A Privacy Statement is a legal requirement and is distinct from terms and conditions, copyright or disclaimer notices. It should stand alone and be clearly identifiable. In order for a Privacy Statement to be of value, it must be readily accessible to the user, quickly read and easily understood. If it is buried within a lengthy document covering a variety of legal issues, it will be difficult for you to demonstrate that you have fulfilled your obligations under the Acts and SI 336/2011.
 
How often should I review the Privacy Statement?

It should only be necessary to conduct a review if there is some change to on-line processes.
 
However, some mechanism should be in place to notify the appropriate staff member to initiate a review if:
 
  • There is a change to data processing on the website
  • There is a planned/actual redevelopment of the website
  • There is a new web hosting arrangement
There are suggestions / comments received from site users.
 
In any case, the Privacy Statement should be reviewed in the context of an internal audit procedure, which also should review the organisational Privacy Policy, at least on an annual basis.
 
I am not an IT person, what are cookies?

A cookie is a block of data that a web server places on a user's PC. Typically, it is used to ease navigation through the site. However, it is also a useful means of the website identifying the user, tracking the user's path through the site, and identifying repeat visits to the site by the same user (or same user's machine). This can then lead to a website owner being able to profile an individual user's browsing habits - and all potentially done without the knowledge, or consent, of the user.
 
How do I know if my web site uses cookies?

This should be a question you address to the person who has developed your website, or to whomever maintains it for you. Most browsers can be set to prevent cookies being downloaded onto a PC. If you set your browser to block cookies, then visit your own site, you may get an error message displayed if your site is attempting to download a cookie. Alternatively, you can look into the "cookie" or "Temporary Internet" folder of your PC and see if you can identify a cookie placed by your site. Cookies often, but not always, contain site names.
 
Do I need to submit my Privacy Statement to the Data Protection Commissioner for approval?

No, this is not a requirement.
 

Other matters of interest to on-line processing.
 
Use of web hosting services.

Any person using a third party to host a website should be aware of a number of issues.
 
A. Data Processor
A person who provides space on a server to host a website is a Data Processor, processing data on your behalf.
 
B. Location of server.
If the web hosting service hosts your site on a server outside the European Economic Area, they are obliged to meet at least one of the conditions set out in Section 11 of the Acts. You, as Data Controller, should be aware of such transborder data flows.
 
C. Contract.
As Data Controller, you ultimately are responsible to the Data Protection Commissioner (& the Courts) should the web hosting company unlawfully process data. Section 2C of the Acts obliges you to have a contract in writing (or equivalent) with the Data Processor specifying
 
What the Data Processor may do with the data on your behalf
 What security measures the Data Processor must have in place.
 
You must also take reasonable steps to ensure that the Data Processor complies with these instructions.
 
More information.
If you wish to discuss these issues or require additional information, please contact
 
The Office of the Data Protection Commissioner
Canal House
Station Road
Portarlington
Co. Laois

Phone: 057 868 4800
 
Fax: 057 868 4757