Website Privacy Statement - Q&A

This is a contrived Question and Answer (Q&A) session which examines certain aspects of Privacy Statements from the website owner's point of view. The questions are not from 'real people'. If you have a real question regarding a website Privacy Statement, Webmentor recommends that you seek the advice of an internet law specialist.


Should you require specific advice on matters of Data Protection or Privacy law, you should always seek professional legal advice. The Q&As contained herein are designed to be an aid to understanding the principles generally and should not be construed as legal advice.

 

Questions:

  1. Is a Privacy Statement required if no Personal Data is collected from my web site?
  2. Should Website statistical data be mentioned in the Privacy Statement?
  3. How much do I need to say about Cookies in the Privacy Statement?
  4. I'm not sure if I have the right agreement in place with my Webhosting company
  5. Banner advertising and the worry of children accessing gambling sites from my website
  6. US citizen operating American website from Ireland - cross border data issue?
  7. Inadvertent collection of email addresses - a privacy issue or not?

Question 1 - Is a Privacy Statement required if no Personal Data is collected from my web site?

My website does not collect Personal Data, but I do get some emails from customers and/or potential customers as a result of having the website’s email address printed on the website. These emails are stored in an email program on the company computer which only myself and 2 other employees have access to. Am I a Data Controller? Should I say something about this in my website’s Privacy Statement?

Answer:

Yes, you fall within the definition of a Data Controller if you have information in your control which is Personal Data of the customer or data which when read with other data could identify the person. It is important to note the obligations of a Data Controller as set out above. A Privacy Statement is a public declaration of how the organisation applies the data protection principles to data processed on its website and is required where your website collects Personal Data, uses cookies, web beacons or covertly collects Personal Data. The Privacy Statement should refer to how Personal Data is collected and processed.

Question 2 - Should Website statistical data be mentioned in the Privacy Statement?

My website does not collect Traffic Data, but my Web Hosting Company does, and they provide me with that data in the form of statistics once a month. I get a report which sets out IP addresses of the users, the number of visitors to my website, most visited web pages and so forth. Since we do not share that information with anyone else and since it’s all anonymous – I mean we cannot identify anyone from this information – do I have any obligations to disclose that we get statistics in our Privacy Statement?

Answer:

Strictly speaking the answer is no since the data collected is anonymous. In practice, however, most websites do make a voluntary statement covering the collection of such non-personal data. (See Traffic Data). Please note that you do have an obligation to have a contract in writing with your web hosting company ("the Data Processor") outlining the security measures the Data Processor should have in place. You should take reasonable steps to ensure that the Data Processor complies with these instructions. Indeed, there is an obligation on all Data Processors to register with the office of the Data Protection Commissioner.

Question 3 - How much do I need to say about Cookies in the Privacy Statement?

I have just found out that the company’s public website uses "cookies". I don't really understand the ins and outs but I am reliably informed that the website won’t function correctly if users "turn off cookies". I think I may need to review our website’s Privacy Policy. Is it enough to say that we use cookies, or should we be more specific?

Answer:

A "cookie" is a block of data that a web server places on a user’s PC which can aid in various functions such as navigation. (You can find a more detailed definition of a cookie here.) If in doubt as to how your site uses cookies, you should consult the person who developed your site. You will have to review your Privacy Statement if you cannot turn cookies off. The Privacy Statement should contain specific information and be sufficiently detailed to inform the user of the process. There should also be detailed explanations of the site’s compliance with its obligations.

Question 4 - I'm not sure if I have the right agreement in place with my Webhosting company

When I asked about an agreement from my Web Hosting Company under the Acts, they reassured me that it was covered in the Terms and Conditions when I signed up with them. Here is the only relevant extract that I can find in the Terms and Conditions:

"We offer no guarantees… including loss of data resulting from any cause, including any caused by us. In effect we make you no guarantees and you agree to indemnify us and hold us harmless from any claims by you or third parties for damages arising from any services that we offer."

My Web hosting company seems to think that this is good enough. In your opinion, have I covered my obligations by agreeing to the Terms and Conditions? Have I taken "reasonable steps" or should I do more?

Answer:

You have not fulfilled your obligations as a Data Controller and are ultimately responsible for any unlawful processing by the Data Processor. You are required to have a contract in writing in place with the web hosting company outlining what they can do on your behalf and the security measures they have in place. There is a proactive duty on you to take reasonable steps to ensure compliance. These reasonable steps include employing all adequate physical and technical measures including staff training and awareness.

Question 5 - Banner advertising and the worry of children accessing gambling sites from my website

I signed up for banner advertising on my website to increase revenue. I have noticed the occasional banner that promotes gambling. I am concerned on 2 counts. The advertising company uses "web bugs" to track user behaviour from client sites such as my own, and I have stated this in my Privacy Statement, but am I liable if an underage person visits my website and ends up on a gambling website as a result? Should I somehow cover this in a Privacy Statement?

Answer:

This situation is covered by the Acts and therefore there is an obligation to comply with the Data Protection Acts 1988 and 2003 ("the Acts"). The web bug collates Traffic Data within the meaning of the European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003, SI 535/2003. The law states that you must disclose both the use and purpose of such devices, and you must also offer the user the right to refuse. Such a notice can be placed in a Privacy Statement which "is prominently displayed and easily accessible". The Privacy Statement should sufficiently explain the nature of the web bug. There could possibly be consequences if there is underage gambling with potential liability. The Privacy Statement should set out detailed measures in this regard.

Question 6 - US citizen operating American website from Ireland - cross border data issue?

I am a US citizen, resident in Ireland. I do all the updates for my websites and basically run my entire business from Dublin. My website is hosted in California. We sell Irish Holiday packages online to US and Canadian citizens. If a European wanted to buy a holiday we wouldn’t refuse, it’s just never happened before. We accept payments in dollars only. My income is declared to both the IRS in the US and the Revenue here. In any case, does this mean there is a cross border flow of data? As a matter of fact we don’t carry a Privacy Statement - do you think we need one?

Answer:

There is a cross border flow of information within the meaning of the Acts and this may necessitate a reference to it in the Privacy Statement.

Section (3B)(a) of the Acts, as inserted by the 2003 Act, provides that the Acts apply only in respect of Data Controllers that process Personal Data if:

  1. the Data Controller is established in Ireland and the data is processed in the context of that establishment; or
  2. the Data Controller is established neither in Ireland nor in any other State that is a contracting party to the EEA Agreement but makes use of equipment in Ireland for processing the data otherwise than for the purpose of transit through the territory of the State.

It appears that the Acts are limited in scope to the Data Controllers that are established in the State or to those who are based outside the EEA and who actively process data in the State as opposed to merely conduiting data through the State. This situation would seem to come under the auspices of the Acts.

A best practice approach would be for a Data Controller planning an international data transfer to consider whether there is an adequate level of protection in place to satisfy themselves that the exported data can be safeguarded. In the case of transfers to the US, the Data Controller may wish to ensure that the other party has subscribed to the Safe Harbor principles.

In this case, a Privacy Statement should cover the arrangements in relation to the cross border flow of data.

Question 7 - Inadvertent collection of email addresses - a privacy issue or not?

One part of Traffic Data that poses problems for website owners is email addresses. Unfortunately email addresses fall into both camps of Personal Data and Traffic Data and are a particularly difficult issue to resolve. If someone contacts you via your website, and supplies you with their actual real name inside the email, then you have undoubtedly collected Personal Data – an email address and a name that can be connected to a living individual. But suppose the same email you received inadvertently included a reference (via the use of CC/BCC) to ? The fact of the matter is that you are now in possession of spiderwoman13's email address as a result of Traffic Data. An email address, however, is Personal Data. So what are your obligations?

Answer:

Traffic Data is regulated by the Acts and the main concern for web site owners is that non-personal Traffic Data is collected 'anonymously', is NEVER used to identify a living individual, and is not used for the purposes of direct/indirect marketing. In the case of the spiderwoman example, you have an additional obligation to ERASE her email address since you should not store Personal Data beyond its intended use.

 


Last Updated (Friday, 23 November 2007)