Monday, 14 June 2010

Digital privacy - ICO personal information online Code of Practice - ICO summary of responses, & Code due out July

A few months ago the UK Information Commissioner consulted on a draft Personal Information Online Code of Practice.

The ICO have recently released a summary of the main consultation issues and the responses they received to the consultation (over 200 responses). The changes appear considerable, but the ICO don't seem to have provided the text of the redraft following the consultation, perhaps because the changes look to be mainly explanatory rather than substantive.

The final Code is to be issued, presumably effective immediately, quite soon - in July 2010 - and will be available online including in PDF format.

Key points at a glance -

  1. Scope - the Code applies to anyone processing personal information online - ISPs, websites, businesses, consumers too. There will be additional material aimed specifically at SMEs and individual users of online services.
  2. Law vs. best practice - the draft Code will be revised to provide a better explanation of the relationship between the Code and the Data Protection Act (DPA).
  3. Key terms - there'll now be a glossary plus explanatory material showing the various roles of the organisations that collect personal data online and deliver content to service users. They've revised the section on internet-based computing and more clearly defined the terms used.
  4. Personal data - the Code now states clearly the ICO view that in many cases IP addresses will be personal data, and that the DPA will therefore apply. "We continue to recognise the practical difficulties in complying with all aspects of the DPA with respect to non-obvious identifiers."
  5. Vulnerable users, children - meaning of "vulnerable" clarified, and specific reference to non-English speakers deleted. They've also expanded and clarified the section dealing with children, making it clearer when parental consent for collection of information about children is needed and in what form.
  6. Online marketing - revised extensively following further consultation with industry experts. "Online marketing and advertising is now explained clearly, and will be supplemented with a series of visual demonstrations of the processes involved."
  7. Security - the ICO is revising its security guidance and advice on securing personal data, but that work won't be finished till after the Code is published. However, the Code will now have a section on Privacy Enhancing Technologies and a simple security checklist.
  8. Example scenarios - examples will be added to illustrate both good and bad practice, along with additional material to help organisations with compliance issues.
  9. Data protection kitemark scheme - was suggested by some respondents; the ICO said they can't commit to introducing such a logistically complex scheme, but "will give it serious consideration".

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.