• UK Updates Guidance for Data-Protection Legislation with Online Code of Practice for Personal Information
  • July 26, 2010 | Author: Jonathan P. Armstrong
  • Law Firm: Duane Morris - London Office
  • On July 7, 2010, the UK's Information Commissioner's Office (ICO) issued its new Code of Practice on handling personal information online. The Personal Information Online Code of Practice aims to update guidance on UK data-protection legislation reflecting the new online world, including social networking, cloud computing, cookies and online advertising.

    Highlights of the Code include:

    • The Code addresses issues around cloud computing and incorporates a checklist-based approach for moving data into the cloud.

    • The ICO recognizes that with the increased number of alternatives to Microsoft's Internet Explorer as an Internet browser, individuals are likely to have more control over their privacy preferences. The ICO contends that providers of browser software "have a key data protection role to play" and encourages browser providers to develop easy ways for individuals to manage their privacy settings.

    • The ICO maintains that IP addresses should not necessarily be treated as personal data. This contrasts with the position adopted by regulators in some other European jurisdictions and recognizes that shared household PCs could have multiple users.

    • A reminder that data-processing agreements must be in writing with appropriate security measures in place.

    • A reminder that every organization must have a plan in place for dealing with security breaches.

    • The recommendation that "special effort" be made to explain behind-the-scenes information analysis, such as where websites have differential pricing based on previous online behavior. As an illustration, some airlines change the price of a flight based on information about previous visits to their website. The ICO would like to see this type of activity fully disclosed to consumers.

    • The ICO recognizes that the use of cookies could be necessary for some sites, but considers it good practice where cookies are not necessary to provide "a simple means of disabling the targeting of advertising using behavioural data."

    • The ICO recommends that privacy policies also state what will happen to a user's data when they close their account; for example, will it be archived or deleted?

    While the Code does not have the force of law, it may be a good indication of how data-protection law will be applied by the regulator in the UK.

    The Code comes at a time of great change to data-protection law across Europe. A new European Union directive is likely to signify changes across the EU within the next two years. There are also moves toward harmonization, both within Europe and with the United States, with EU data-privacy regulators holding a meeting with the FTC in Brussels today. A number of countries are also looking at their own legislation. In the UK, the Office of Fair Trading recently announced the result of its own consultation (discussed in the June 8, 2010, Duane Morris Alert, "UK to Focus Efforts on Regulating Online Advertising") and the Ministry of Justice announced a review of the primary legislation earlier this month.