Webmentor Ireland

1. What is Personal Data?
2. What is a Data Controller?
3. What is a Data Processor?
4. What is Direct and Indirect Marketing?
5. What is a Cookie?
6. What is Traffic Data?
7. Where can I find the Laws regarding Website Privacy Statement?

What is Personal Data?

Personal Data is any information that can identify a living human being by direct or indirect means.

• Direct means would include information like a person’s name or RSI number.
• Indirect means would include information like a person’s phone number or an email address.

The significance of indirect data is that it could potentially identify someone when read in conjunction with other data. Therefore indirect data such as an email address can be Personal Data since it could potentially be used, in conjunction with other information in our possession, to identify a living individual.

The official definition of Personal Data from the web site of the Data Protection Commissioner is as follows:

Personal Data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.

Back to top

What is a Data Controller?

Broadly speaking a Data Controller is anyone who collects and stores Personal Data in a manual or digital filing system.

The official definition of Data Controller from the web site of the Data Protection Commissioner is as follows:

A Data Controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information on computer or in structured manual files.

Back to top

What is a Data Processor?

Data Controller: If your website collects Personal Data, you are a Data Controller and you make the decisions about what you do with the data.

Data Processor: On the other hand, if you hold or process Personal Data on behalf of a Data Controller and you do not exercise responsibility for or control over the Personal Data, then you are a Data Processor.

For example your Web Hosting Company provides the means for you to collect data from your website and as such, they are a Data Processor on your behalf. Telcos and ISPs are also examples of Data Processors. Anyone who holds or processes Personal Data on behalf of someone else is a Data Processor.

It is possible to be both a Data Processor and a Data Controller.

Back to top

What is Direct and Indirect Marketing?

Direct marketing: is any marketing or advertising material that is directed at an individual.

Indirect marketing: is the disclosure of personal data to a third party so that the third party can market to an individual.

The question of direct and indirect marketing contains many important legal issues for website owners and is dealt with here only in relation to 'best practice' as regards a website Privacy Statement.

The law governing direct/indirect marketing is set out mainly in the following legislative provisions:

1. The Data Protection Acts 1988 and 2003, and
2. European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations, 2003 [SI 535/2003]

Direct/Indirect Marketing and the website Privacy Statement

If you collect Personal Data from your web site, you are required to disclose what you intend to use the data for. If you use Personal Data for the purposes of Direct or Indirect Marketing then you should state the following in your Privacy Statement:

1. That Personal Data may be used for the purposes of direct and/or indirect marketing,
2. That you will lawfully obtain consent from users for the purposes of direct and/or indirect marketing, and
3. That you describe to users a means to opt-out from direct and/or indirect marketing that is free of charge.

The law governing this area of unsolicited communications is set out in SI 535/2003 in particular Section 13 which states as follows:

13.(1)(b) A person shall not use or cause to be used any publicly available electronic communications service to send an unsolicited communication for the purpose of direct marketing by means of electronic mail, to a subscriber, who is a natural person, unless the person has been notified by that subscriber that for the time being he or she consents to the receipt of such a communication.

Note: – this also applies to SMS, Fax and Phone calls

Law relevant to Privacy Statements re Direct and Indirect Marketing

The main provisions from The Data Protection Acts 1988 and 2003 in relation to this area are set out in Section 2 (7) which states:

Where

1. Personal Data are kept for the purpose of direct marketing, and
2. the data subject concerned requests the data controller in writing
   1. not to process the data for that purpose, or
   2. to cease processing the data for that purpose,
      

then

1. if the request is under paragraph (b)(i) of this subsection, the data controller
   
   1. shall, where the data are kept only for the purpose aforesaid, as soon as may be and in any event not more than 40 days after the request has been given or sent to him or her, erase the data, and
      
   2. shall not, where the data are kept for that purpose and other purposes, process the data for that purpose after the expiration of the period aforesaid,
2. if the request is under paragraph (b)(ii) of this subsection, as soon as may be and in any event not more than 40 days after the request has been given or sent to the Data Controller, he or she
   
   1. shall, where the data are kept only for the purpose aforesaid, erase the data, and
      
   2. shall, where the data are kept for that purpose and other purposes, cease processing the data for that purpose, and
3. the Data Controller shall notify the data subject in writing accordingly and, where appropriate, inform him or her of those other purposes.

(8) Where a Data Controller anticipates that Personal Data, including Personal Data that is required by law to be made available to the public, kept by him or her will be processed for the purposes of direct marketing, the Data Controller shall inform the persons to whom the data relates that they may object, by means of a request in writing to the Data Controller and free of charge, to such processing.

It is important to bear these provisions in mind when drafting your Privacy Statement.

Back to top

What is a Cookie?

Back to top

What is Traffic Data?

Traffic Data is by far the most difficult of the information concepts to get to grips with. Essentially Traffic Data is the information (data) that is routinely generated as a result of a user using the internet, emailing or making a mobile/landline call. For instance, when making a mobile phone call, Traffic Data such as the number dialled, duration of call and so on, is generated. Traffic Data is also generated when you use email, or you're on the internet. As an example, if you look up something in Google, the search terms you use form part of the Traffic Data generated.

Traffic Data means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof as set out in SI 535/2003 at Section 2.

Here is a very useful explanantion of Traffic Data from the web site of the Data Protection Commissioner:

…Traffic Data reveals huge amounts about ones private life. They are your electronic footprints but unlike the physical fingerprints you leave around you in the real world, they are recorded. For land line phone calls it can reveal the number you dialed, the duration of the call and the time of the call. Traffic Data also includes a record of the location of the cell phone in question as it moves about from cell to cell. For this reason, traffic data generated by mobile calls is far more personal and revealing. In relation to the Internet, Traffic Data would encompass the e-mail addresses on all correspondence to and from the subscriber, a record of date, time, and size of message as well as other transmission details but hopefully excluding message subject and content. It would also encompass a record of every login session, every web page visited and read, every search term entered, every file downloaded, every purchase made, and so forth - in short, virtually the entirety of one's online "session" but hopefully excluding the content of e-mail messages.

Traffic Data in relation to a Website Privacy Statement

In terms of an individual's right to privacy, Traffic Data is a very serious issue because it can include data that could potentially identify a living human being. Once a living human being can be identified, Traffic Data becomes Personal Data. There is an interesting question regarding this anomaly in the article: Website Privacy Statements - Q&A

The bottom line with Traffic Data is that as long as it remains anonymous, is never used to identify a living human being or to direct/indirect market, and that there is a stated policy regarding erasure of any data inadvertently collected that could potentially lead to identifying a living human being, then your obligations on a web site should be well covered.

Traffic Data and the Law

Traffic Data is the subject of Section 6 of SI 535/2003 and is primarily aimed at Telecoms companies (Telcos), Internet Service Providers (ISPs) and Web Hosting companies who routinely collect traffic data from their known users/subscribers. When collected this way, Traffic Data is a part of Personal Data and the laws (see below) are that traffic data should be erased, or made anonymous when no longer needed and that consent must be obtained from users in order to process Traffic Data for marketing or the provision of services, as well as a means whereby users can withdraw their consent. How the data is processed, and for how long must be explained to users. The law also governs who can lawfully process such data.

The relevant provisions are set out in SI 535/2003, Section 6 of which state:

1. Subject to paragraphs (2), (3) and (4), an undertaking shall ensure that Traffic Data relating to subscribers and users processed and stored for the purpose of the transmission of a communication shall be erased or made anonymous when it is no longer needed for that purpose.
2. 
   
   1. An undertaking may process traffic data necessary for the purpose of subscriber billing and interconnection payments only up to the end of the period in which the bill may be lawfully challenged and payment pursued, or where such proceedings are brought during that period, until those proceedings are finally determined. An undertaking that has not already done so shall within a period of no more than three months after the making of these Regulations inform its subscribers, of the types of Traffic Data that are processed and of the duration of such processing.
   2. Legal proceedings shall be deemed, for the purposes of this paragraph, to be finally determined –
      1. if no appeal is brought within the ordinary time for an appeal by either party to the proceedings, upon the expiry of that time,
      2. if an appeal is brought within that time or such extended time as the court to which the appeal is brought may allow, upon the date of the determination of the appeal or any further appeal therefrom or the ordinary time for instituting any further appeal has expired or such other date as may be determined by the court hearing any such appeal, whichever is the latest, or
      3. if an appeal has been brought and is withdrawn, upon the date of the withdrawal of the appeal.
3. 
   
   1. An undertaking may process traffic data referred to in paragraph (1) for the purposes of marketing electronic communications services or for the provision of value added services to the extent and for the duration necessary for such service or marketing, provided the subscriber or user to whom the data relates has given his or her consent. Prior to obtaining consent, the undertaking shall inform the subscriber or user of the types of Traffic Data which are processed and of the duration of such processing.
   2. An undertaking that has not already done so shall within a period of no more than three months after the making of these Regulations inform their subscribers or users of processing already under way on the making of these Regulations of any data relating to the subscriber or user and of the provisions of sub-paragraph (c).
   3. If the subscriber or user concerned does not object to such processing within a period of 2 months of being informed thereof, the subscriber is deemed to have consented to such processing.
4. An undertaking shall ensure that the processing of Traffic Data in accordance with paragraphs (1), (2) and (3) is restricted to persons acting under its authority handling billing or traffic management, customer enquiries, fraud detection, the marketing of electronic communication services or providing a value added service and such processing is restricted to what is necessary for the purpose of such activities.
5. An undertaking shall ensure that users or subscribers are given the possibility to withdraw their consent for processing of Traffic Data for the purposes of paragraph (3) at any time.

Nothing in these Regulations precludes a court or any other body involved in the settlement of disputes (whether by way of legal proceedings or otherwise) pursuant to any enactment from being informed of Traffic Data for the purpose of settling such disputes, in particular, disputes relating to billing or interconnection.

Back to top

Where can I find the Laws regarding Website Privacy Statement?

The 2 main bodies of law regarding Privacy Statements as they impact on websites are:

• The Data Protection Acts 1988 and 2003 (link to Compendium of Acts - dataprotection.ie)
• European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations, 2003 [SI 535/2003] (link to Irish Statute Book - irishstatutebook.ie)

Back to top