Within the UK the collection and use of personal data by e-businesses must comply with UK data protection laws. Such laws are contained in the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the Regulations).
Although having a privacy policy is not a specific requirement under the DPA, it is good practice, as it may help with compliance with some of its provisions. Any failure to comply may lead to criminal sanctions and, in some cases, personal liability, liability for damages and negative publicity. Such policies help the data controller to comply with specific obligations. Obligations include:
• That data must only be processed for “specified” purposes (para 2, Part I, Sch 1, DPA).
• To provide information regarding the processing at the time the data is collected (para 2(3), Part II, Sch 1, DPA).
• That the processing of personal data will require the consent of the data subject (Sch 1, 2 and 4, DPA). “Processing” is widely defined: it includes disclosing, as well as obtaining, holding and using, data (s.1, DPA). “Personal data” includes a wide range of information.
Although data controllers may, in certain circumstances, process data without consent, obtaining consent is considered the safest approach, especially on the web, where transfers of information are likely to occur outside the jurisdictions of the European Economic Area (EEA). Such consent must be freely given, specific and informed. It is not a requirement that consent be given in writing, and implied consent can occur within the UK. This has caused some difficulties in cases where it is not practical to obtain clear consent from the individual. Data controllers may not infer consent from non-response to a general communication.
In order to comply with the fair processing requirement, a link to the privacy policy may be included on the website, which visitors can view before agreeing to send their data to the site. It should be made clear that, by submitting their data, they consent to it being used in accordance with the policy. The link should be placed in a prominent position, located above the agree or submit button.
Wording of the Privacy Policy
Where permitted under the DPA and the Regulations, a privacy policy should:
• Be worded in a way that implies the data subject's consent to the processing of such data.
• Have an ‘opt in’ box in order to ensure that consent is given expressly. This must be provided by an appropriately worded tick box.
• Obtain consent for the use of cookies.
A privacy policy also serves a useful marketing function in reassuring customers that their personal data will be kept secure and used responsibly.
INTERNATIONAL CONSIDERATIONS
The DPA applies to all data controllers that are established within the UK under section 5(1)(a). These include: UK-registered companies, those who maintain an office, branch or agency within the UK, and individuals who reside in the UK. It also extends to data controllers who are established outside the EEA but use equipment within the UK for processing data.
If a website operator has establishments that hold data in several countries, it needs to ensure that it complies with the data protection laws of each jurisdiction. Although the standard document ensures compliance with the DPA, which is based on the EC Data Protection Directive, consideration must be given to the laws of each state. The Data Protection Directive may not be implemented in the same way in each member state; therefore, the obligations on the data controller may be more onerous than those imposed by the DPA.
OPTIONAL DATA
Data controllers are under an obligation not to collect data which is excessive in relation to the purpose of collection (para 3, Part I, Sch 1, DPA); therefore, the form must indicate whether any information is optional. For example, it would not be necessary to collect an individual's name and address in order to provide an online quote. If the privacy policy covers the purpose for which the data is to be used, then it may not be necessary to mark the data as optional. Nevertheless, marking particular information as optional may help to ensure that a data controller is complying with its obligations. This is particularly useful where a website owner may find information useful but not essential to the business. It also serves to reassure customers that the owner of the website has a sensible approach to privacy.
Our privacy policy template download is drafted to comply with all aspects of the DPA.