Of all the priorities a director may have for corporate governance, ensuring that their company’s online privacy policy does not breach data protection law may not be the highest. However, that looks likely to change with the news that the Information Commissioner’s Office (ICO) is to begin examining company websites.
Although the ICO has the responsibility of enforcing the UK’s data protection laws, few of its activities thus far have been centred on the Internet. Now, however, the Global Privacy Enforcement Network is coordinating a worldwide initiative that has prompted the ICO to cast a keener glance on companies’ online privacy policies, checking for potential breaches of the Data Protection Act 1998 (DPA).
There have been claims that a great number of companies are breaching the DPA, with online privacy policies designed to protect the company from legal liability rather than to inform visitors properly about how their personal data is being processed. The ICO has therefore signalled an intention to look “closely at how easy these policies are to read and how clearly they explain how personal information is being handled.”
The ICO warned that any offending companies would be named and shamed without hesitation. With the initial test exercise involving just 250 companies, the current chances of any one director having this aspect of their firm’s corporate governance exposed are remote. Nonetheless, since the ICO has not said which companies it will investigate, it makes sense for directors to review their online privacy policies now.
The DPA requires a website privacy policy to explain to visitors in clear terms exactly what their personal data will be used for, to identify the data controller and to state how the data controller can be contacted. To avoid breaching the DPA, an online privacy policy must also name any third parties, such as service providers or related firms, that may be given access to a visitor’s personal data.
Finally, any further information that is ‘necessary’ for ensuring the fair processing of personal data – such as security arrangements and how privacy concerns can be raised – must also be provided. An easy-to-read three-page checklist has been provided to small companies by the ICO to assist them in achieving legal compliance with this aspect of their corporate governance.
Steps recommended by the ICO include ensuring that the website’s privacy policy can be easily understood by the people at whom it is aimed. Plain English is therefore advised over legal and technical jargon. Companies should also avoid confusing mixtures of ‘opt-in’ and ‘opt-out’ consent boxes where visitors are asked to provide personal information, keeping the style of box consistent throughout the site and never pre-ticking them, since a pre-ticked box does not constitute consent.
As unlikely as the worst-case scenario of being named and shamed may currently seem for any given company, it is nonetheless a good moment for a director to review and/or update their website privacy policy, referring to the ICO’s checklist.