Website Privacy Statement - 10 point checklist

A Privacy Statement (or Privacy Policy) is a document explaining to your website users:

  1. What types of data you collect,
  2. How you collect it, and
  3. What you use the data for.

Should you require specific advice on matters of Data Protection or Privacy law, you should always seek professional legal advice. This article is designed to be an aid to understanding the principles generally and should not be construed as legal advice.

This article is a 10 point checklist covering data protection as it applies to websites in Ireland.

1. The legal responsibilities are all yours

As a website owner, the legal responsibility to carry a Privacy Statement on your web site rests with you.

A Privacy Statement (or Privacy Policy) is a document explaining to your website users what types of data you collect, how you collect it and what you use the data for.

You are legally obliged to carry a Privacy Statement if you –

  • collect Personal Data from your website [What is Personal Data?], or
  • collect any type of data from your website as a result of technology(s) that you store on your users' equipment for the purposes of collecting data (e.g. cookies, web bugs/beacons, clear gif, pixel tag, pattyMail, etc.)

Since you are legally responsible, it is always advisable to have your Privacy Statement examined by a solicitor.


2. Where should you put a Privacy Statement on your website?

  • A Privacy Statement should be clearly accessible to website users.
  • A Privacy Statement cannot be part of any other document, it must be stand-alone.

In practice, the best policy is to have a link to your Privacy Statement web page from every other web page on your website. It is recommended that the link be in the top half of all web pages and clearly visible to the user at all times. You should advise users that if they do not read and agree to the Privacy Statement that they should not use the website.


3. Have you obtained consent to the Privacy Statement?

Obtaining consent to the Privacy Statement requires a statement to the effect that "use of this website implies consent to this Privacy Statement".

Users should be reminded that your Privacy Statement may change from time to time and that the onus is on the user to read your Privacy Statement whenever they visit your website.


4. Do you understand your legal responsibilities as a Data Controller?

If you collect Personal Data you fall within the definition of a Data Controller within the meaning of the Data Protection Acts 1988 and 2003. [What is a Data Controller?]

Data Controllers have the following obligations under Section 2 of the Data Protection Acts 1988 and 2003:

  • to collect information fairly,
  • to use it only for the purpose for which it was collected,
  • to retain it only as long as is necessary for the purpose for which it was collected,
  • to keep it safe and secure,
  • to keep it accurate and up-to-date,
  • to ensure appropriate security measures are in place where the information is transported over a public network,
  • to inform users and get consent for new or secondary purposes that the data may be used for,
  • to provide users with the identity of the Data Controller and anyone else to whom their data will be disclosed,
  • not to process the data in a manner incompatible with the original purpose, and
  • to ensure that information is adequate, relevant and not excessive in relation to the purpose for which it was obtained.

For the purposes of a Privacy Statement, you should therefore:

  1. Identify yourself or your company as the Data Controller
  2. Acknowledge your responsibilities by briefly summarising the contents of Section 2 of the Acts, paying particular attention to security, consent and the right to privacy of the user.
  3. Provide users with a company contact name and address (email address, phone or physical address) for queries/rectifications/erasures to be made regarding the Personal Data that you hold about them. You are obliged to perform these requests at no charge.
  4. Outline to the users your procedures should they request a copy of the Personal Data kept by you. You are entitled to charge no more than €6.35 to provide a copy of Personal Data and you must supply the copy within 40 calendar days of receiving the communication.


5. Do you collect any type of data from your website as a result of technology(s) that you store on your users' equipment – e.g. cookies?

If you are not sure, then check this with your web company and be sure you get all the facts as you are required by law to explain how and why you use this type of technology to website users in your Privacy Statement.

Websites frequently use cookies and session cookies, which are stored, sometimes only temporarily, on users' computers. Information is stored inside the cookie for retrieval at a later time, for example when the user revisits the web page at a future date. The cookie can only contain information that it is pre-programmed to contain. It cannot travel round the user's machine and gather data; it is entirely passive. Web bugs and beacons are similar to cookies but track user behaviour across a number of web sites – they are often used in banner advertising. Other technologies such as clear gif, pixel tag and pattyMail are used to track your responses to email. [What is a cookie - indepth]

Where the law objects to these technologies is not because these technologies are 'bad', but how and why they are used. Should such a technology be stored on a user’s equipment without the user’s prior knowledge/consent and should they be used in order to track user behaviour, then these technologies are clearly breaching an individual’s right to privacy.

Therefore, a Privacy Statement must disclose:

  • Any technology(s) that is stored on your users' equipment for the purpose of collecting data (e.g. cookies, session cookies, web bugs/beacons, clear gif, pixel tag, pattyMail, spyware),
  • What this data is used for,
  • How long the data is kept for and details of its erasure,
  • That any such data collected is anonymous,
  • That no attempt is ever made to identify a living individual from this data
  • That this data is never used for the purposes of direct/indirect marketing without the express and prior consent of users
  • You must also offer users a RIGHT TO REFUSE the storage of such technology on their equipment

With regard to the last point, the user's right to refuse: some websites will not function correctly without the use of cookies (e.g. online banking websites, and many other legitimate web sites). In this case, you must explain to users that if they refuse cookies, they will either not be able to use your website or, if appropriate, that the website will not function as expected.
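Before you can disclose which cookies you set and how long they are kept (points 5 and 6 above), you need an accurate inventory of what your site actually sends. The script below is an added example, not part of the original article or of Webmentor's material: it parses captured Set-Cookie headers (the sample headers are constructed for illustration) and reports, for each cookie, whether it is a session cookie or persistent, its retention period, its domain scope and its Secure/HttpOnly flags, which is exactly the information the Privacy Statement must disclose.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Constructed sample: Set-Cookie headers as they might be captured from a site's HTTP responses.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessid=abc123; Path=/; HttpOnly; Secure",                                 # session cookie
    "prefs=lang%3Den; Path=/; Max-Age=2592000; Secure",                        # persistent, 30 days
    "_trk=9f2a; Domain=.example.com; Expires=Wed, 21 Oct 2026 07:28:00 GMT",   # persistent tracker
]


@dataclass
class CookieInfo:
    name: str
    persistent: bool               # False means a session cookie, discarded when the browser closes
    retention_seconds: Optional[int]
    domain: Optional[str]          # a leading-dot domain is readable by every sub-domain
    secure: bool
    http_only: bool


def parse_set_cookie(header: str, now: datetime) -> CookieInfo:
    """Parse one Set-Cookie header value into a CookieInfo record."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs, flags = {}, set()
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            flags.add(part.lower())
    retention = None
    if "max-age" in attrs:            # RFC 6265: Max-Age takes precedence over Expires
        retention = int(attrs["max-age"])
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])   # aware datetime (UTC for "GMT")
        retention = int((expires - now).total_seconds())
    return CookieInfo(name, retention is not None, retention, attrs.get("domain"),
                      "secure" in flags, "httponly" in flags)


def inventory(headers: List[str], now: Optional[datetime] = None) -> List[CookieInfo]:
    """Build the cookie inventory for a Privacy Statement from captured headers."""
    now = now or datetime.now(timezone.utc)
    return [parse_set_cookie(h, now) for h in headers]


if __name__ == "__main__":
    for c in inventory(SAMPLE_SET_COOKIE_HEADERS):
        kind = f"persistent, kept {c.retention_seconds}s" if c.persistent else "session only"
        print(f"{c.name}: {kind}; domain={c.domain}; secure={c.secure}; httponly={c.http_only}")
```

Run it against headers captured from your own site (e.g. from the browser's developer tools) and compare the output with what your Privacy Statement currently claims.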


6. Does your website collect Traffic Data?

Strictly speaking this type of non-personal data ("Traffic Data") does not need to be covered in the Privacy Statement so long as the data collected is anonymous, no attempt is ever made to identify a living individual and it is never used for the purposes of direct/indirect marketing. In practice, most websites make a voluntary statement covering:

  • What type of Traffic Data they collect,
  • What this data is used for,
  • How long it is kept for, and details of its erasure,
  • That all Traffic Data collected is anonymous,
  • That no attempt is ever made to identify a living individual from this data
  • That Traffic data is never used for the purposes of direct/indirect marketing without the express and prior consent of users

For the purposes of a website, Traffic Data is data generated by the user when using your website. This type of Traffic Data could include search terms used in Google, links clicked on a website, files downloaded, content of submitted forms, etc. Typically, website owners also receive statistics from their web hosts in the form of Traffic Data. This type of data – e.g. IP addresses (a series of numbers identifying the user's computer or, more likely, the Internet Service Provider's computer on the network), referrers (the last website address visited before getting to this one), etc. – is anonymous and non-personal. [More about Traffic Data - indepth]

However, there are grey areas. Traffic Data in the form of email addresses could conceivably be received by you as an email enquiry from your website, or indeed stored in your website's database when someone creates a membership account on your website using their email address as a username. If information obtained is capable of identifying an individual, it should be treated as Personal Data, and the process of how you deal with such information should be set out in the Privacy Statement. This is a grey area since an email address, even if unwittingly collected as part of Traffic Data, is defined by law as Personal Data and should be treated as such. If you are in any doubt as to any of your obligations, you should consult a solicitor with expertise in web and internet law.


7. Have you put into place a legal contract with your web host regarding data processing?

If your website collects Personal Data then you are defined by law as a Data Controller and as such you are required to put into place a contract with your web host to cover the following -

  • conditions under which data may be processed,
  • the security measures used to protect the data and
  • a mechanism to ensure compliance with the security measures.

This is a proactive burden of duty that is placed on the Data Controller NOT the web host.


8. Is the data collected from your website used to market directly or indirectly to users?

The purpose of a Privacy Statement on a website is to explain to users how you collect data, what type of data you collect and what you do with that data.

For the purpose of a Privacy Statement, you must:

  1. Disclose to users whether you use or collect data for the purposes of
    1. Direct Marketing, or
    2. Disclosure to Third Parties (e.g. for Indirect Marketing)
  2. Point out to users how they can at any stage refuse Direct and Indirect Marketing as a result of their consent to providing you with such data. This must be offered to users free of charge.

Whilst the provisions of the Acts apply to all forms of direct marketing, there is special legislation which applies to direct marketing in the telecommunication and electronic communications sector. The European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003, SI 535/2003, also regulates this area.

As a general rule, people should not receive unsolicited direct marketing of any nature unless they have indicated explicitly that they consent to such uses of their Personal Data.

[Direct and indirect marketing - indepth]


9. Does personal data that you collect on your website ever cross the Irish border?

If your website is hosted outside the European Economic Area then you, as an Irish Data Controller, need to fulfil at least one of the conditions outlined by Section 11 of the Data Protection Acts 1988 and 2003. The rules regarding transfers to third countries outside the European Economic Area are as follows:

  1. Personal Data cannot be transferred to third countries unless the country in question ensures an adequate level of data protection.
  2. If the country does not provide for an adequate standard of data protection, then you, as an Irish Data Controller, must rely on use of approved contractual provisions or the individual’s consent.

In practice, therefore, you need to put into place a contract with the web host (as outlined in point 7 above) and you must point out to users in the Privacy Statement that you have fulfilled your legal obligations in this regard.

The Data Protection Commissioner has the power to prohibit transfers of Personal Data to places outside Ireland, if he considers that the data protection rules and principles are likely to be contravened and an individual is likely to suffer damage or distress as a result.


10. Do you, as a Data Controller, need to register with the Data Protection Commissioner?

While most websites that collect Personal Data will NOT have to register, certain types of Data Controller are obliged to register with the Data Protection Commissioner as a matter of public record. These are:

  • Government persons and bodies including bodies appointed, or financed by government;
  • Financial Institutions;
  • Insurance Companies;
  • Data Controllers involved in direct marketing, providing credit references or collecting debts;
  • Data Controllers who keep sensitive Personal Data such as racial origin, political opinion, religious belief, physical/mental health (other than that kept in the normal course of personnel administration with regard to employees), sexual life, criminal convictions;
  • Internet Access Providers who hold Personal Data, and
  • Telecommunications Service Providers who hold Personal Data.

If you are in any doubt, you can contact the offices of the Data Protection Commissioner and make an enquiry.


Last Updated ( Friday, 23 November 2007 )