Website Data Protection Compliance
Monday, 03 August 2009 07:34
Paul Lambert, eBSI Specialist Advisor takes us through some key points to ensure our website's data protection policy complies with legislation.

Exporters the world over should anticipate future data protection legislation in their countries as more governments get tough on improper uses of internet users' personal data.

In this article I will be focusing on the Irish perspective and legislation, but many of these principles will also be relevant to other countries, as Irish legislation reflects what is considered to be best practice in the field.

Firstly, What is Data Protection?
The Data Protection regime operates to protect the rights of individuals when their personal information is collected and processed by organisations. All organisations, whether controlling personal data themselves or when processing data on behalf of third parties, must comply with the obligations imposed by the Data Protection Act 1988, as recently amended and extended by the Data Protection (Amendment) Act 2003 (collectively the “DPA”).

All organisations must be aware of and comply with their obligations and responsibilities under the new Data Protection regime. Emphasising this point, the Data Protection Commissioner intends to carry out compliance audits in a range of commercial sectors. The Commissioner has also recently begun to take legal action against non-compliant organisations, and will continue to do so.

The Guidelines
The Guidelines distinguish between website Privacy Statements and Privacy Policies, and make clear that a Privacy Statement is not a Privacy Policy. A Privacy Policy documents the organisation's compliance with the Data Protection Principles across the organisation as a whole. It applies to all personal data processed by the organisation, including customer data, third party data and employee data. A Privacy Policy can be a very complex document, often requiring specialist legal advice.

Organisations must also comply with the 8 Data Protection Principles, namely:-
* Obtain and process data fairly;
* Keep it only for one or more specified, explicit and lawful purpose(s);
* Use and disclose it only in ways compatible with these purposes;
* Keep it safe and secure;
* Keep it accurate, complete and up-to-date;
* Ensure that it is adequate, relevant and not excessive;
* Retain it for no longer than is necessary for the purpose(s);
* Comply with individual access requests.

A Privacy Policy is an internal organizational document. Therefore it can detail internal procedures, assigning individual/departmental responsibilities, etc.

Privacy Statements, on the other hand, are public-facing documents, declaring how the organisation complies with the Data Protection regime in terms of the data processed on its website. A Privacy Statement is therefore a much more narrowly focused document.

Websites Need Privacy Statements
This is a legal requirement pursuant to both the DPA and SI No. 535 of 2003 European Communities (Electronic Communications Networks and Services)(Data Protection and Privacy) Regulations 2003 (the "Regulations"). Section 2(1)(a) DPA requires that "data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed fairly." This fair obtaining principle generally requires that a person whose data are processed is aware of at least the following:-

* The identity of the person processing the data;
* The purpose or purposes for which the data are processed;
* Any third party to whom the data may be disclosed;
* The existence of a right of access and a right of rectification.

Regulation 5 imposes certain obligations with respect to Internet activity:-

“(1) No person shall use an electronic communications network to store information or to gain access to information stored in the terminal equipment of a subscriber or user unless
(a) the subscriber or user concerned is provided with clear and comprehensive information in accordance with the DPA, which is prominently displayed and easily accessible and which, without limitation, includes the purpose of the processing
(b) the subscriber or user is offered the right to refuse such processing by the data controller.

(2) Paragraph 1 does not prevent any technical storage of or access to information for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network or which is strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.”

This Regulation refers to the use of cookies, web beacons, the collection of IP addresses and other technical matters.

Failure to Have a Privacy Statement
In Ireland, contravention of the DPA, such as failing to have a website Privacy Statement, can result in investigation and enforcement action by the Data Protection Commissioner. The Commissioner can issue an enforcement notice requiring a Privacy Statement, or the cessation of data processing. Prosecution can also result in a penalty of up to €100,000 and/or a data deletion order. Section 7 DPA also gives individuals a civil right of action if they suffer damage from the manner in which their data are processed.

When a Privacy Statement is Required
A Privacy Statement is required when a website does any of the following, namely:-
* Collects personal data (visitors filling in web forms, feedback forms, etc);
* Uses cookies or web beacons;
* Covertly collects personal data (IP addresses, e-mail addresses).

What Information Privacy Statements Must Contain
Information should be specific to the processing of personal data on the website. Such information should be sufficiently detailed so as to be useful to the visitor to the website in deciding whether to progress. Statements such as “all data collected on this site shall be processed in compliance with the DPA” are no longer sufficient (on their own), according to the Data Protection Commissioner. They need to be amended/replaced by an explanation of how, in practical terms, the website complies with its obligations.

The information should include the following:-

* Identity
Details of the organisation should be clearly identifiable. An organisation’s name on its own is insufficient. Identification should include complete and useful contact details. Useful details would include an e-mail address and postal address that a visitor may use if they wish to discuss any matters relating to the processing of personal data on the website.

* Purpose
There can be many overt purposes for which visitors should reasonably expect their data to be used. These may include data necessary in the context of a transaction. However, it is possible that data may be processed for non-obvious purposes such as profiling or future marketing. All these purposes must be clearly referred to in the Privacy Statement. Data volunteered on that understanding are fairly obtained. If a purpose is not obvious and not referred to, then it will be difficult for the organisation to lawfully process data for that purpose.

If an organisation plans to release personal data to a third party (other than a person acting as the organisation's agent) this is a disclosure and must be referred to in the Privacy Statement. A general exception to this rule is where the disclosure is required by law.

* Right of Access
Under Section 4 DPA a person has a right to be given a copy of their personal data. If an organisation is retaining personal data, the organisation should refer to this Right of Access in the Privacy Statement. The organisation should include reference to procedures to be followed. Under the DPA, a subject access request should be in writing, organisations may charge a fee not exceeding €6.35 and must reply within 40 calendar days. Organisations should identify to whom such a request should be directed.

* Right of Rectification or Erasure
Under Section 6 DPA, a person has a right to have his/her personal data corrected, if inaccurate, or erased, if the organisation does not have a legitimate reason for retaining the data. Organisations cannot charge for complying with such a request and must comply within 40 calendar days of its receipt. An organisation's Privacy Statement should make reference to this right, if it retains personal data, as well as detailing the procedure a person should follow when making such a request.

* Extent of Data Being Processed

If different data are used for different purposes, this should be clearly referred to in the Privacy Statement, rather than a person assuming that all data shall be used for all purposes. This is even more important in relation to the covert processing of data, such as the collection of IP addresses, use of cookies or web beacons.

* Right to Refuse Cookies
If it is not necessary to use cookies in the context of a transaction, the user should be informed of this and given an opportunity to refuse to have cookies placed on their computer. The Privacy Statement should also explain what the cookies are used for.
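The cookie rule in Regulation 5 and the right to refuse described above translate into a small piece of engineering: cookies that are strictly necessary for the service the visitor asked for may be set at once, while everything else is set only after the visitor has been informed and has not refused it, and anything not declared in the Privacy Statement is never set. The following consent gate is an added example written for this page, not code from the article or from Merrion Legal; the cookie names, purposes and categories, the `ConsentGate` class and the `Secure`/`SameSite` defaults are all the example's own assumptions.

```javascript
// Added example, not from the article: a consent gate that applies the
// Regulation 5 distinction between cookies that are "strictly necessary" for
// a service the visitor explicitly requested and all other cookies, which may
// only be set once the visitor has been informed and has not refused them.
// The cookie names, purposes and categories below are invented for the example.

const cookiePolicy = {
  // Strictly necessary: delivering what the visitor asked for depends on them.
  sessionid:  { purpose: 'Keeps you logged in during this visit',              category: 'necessary' },
  basket:     { purpose: 'Remembers the items in your shopping basket',        category: 'necessary' },
  // Not necessary: only set after the visitor has been offered a refusal.
  _analytics: { purpose: 'Measures how visitors use the site',                 category: 'analytics' },
  _promo:     { purpose: 'Records offers you have seen, for future marketing', category: 'marketing' },
};

class ConsentGate {
  // sink(name, value, attrs) performs the actual write (document.cookie in a
  // browser, a Set-Cookie header on the server); injected so the logic is testable.
  constructor(policy, sink) {
    this.policy = policy;
    this.sink = sink;
    this.choiceMade = false;   // has the visitor been offered the refusal yet?
    this.refused = new Set();  // categories the visitor refused
    this.log = [];             // audit trail of every decision
  }

  // Text for the Privacy Statement: every declared cookie, its purpose and category.
  disclosure() {
    return Object.entries(this.policy).map(
      ([name, e]) => `${name}: ${e.purpose} [${e.category}]`);
  }

  // Record the visitor's answer. refusedCategories lists the non-necessary
  // categories the visitor declined; an empty list means nothing was refused.
  recordChoice(refusedCategories) {
    this.choiceMade = true;
    this.refused = new Set(refusedCategories);
    this.log.push(`choice recorded, refused: [${[...this.refused].join(', ')}]`);
  }

  // Attempt to set a cookie. Returns true only if the cookie was actually written.
  set(name, value, attrs = {}) {
    const entry = this.policy[name];
    if (!entry) {
      // Undeclared cookies are never set: the visitor was not informed of them.
      this.log.push(`blocked ${name}: not declared in the privacy statement`);
      return false;
    }
    if (entry.category !== 'necessary') {
      if (!this.choiceMade) {
        this.log.push(`deferred ${name}: visitor has not yet been offered a refusal`);
        return false;
      }
      if (this.refused.has(entry.category)) {
        this.log.push(`blocked ${name}: visitor refused ${entry.category} cookies`);
        return false;
      }
    }
    // Secure and SameSite defaults are the example's own hardening, not a DPA requirement.
    this.sink(name, value, { path: '/', secure: true, sameSite: 'Lax', ...attrs });
    this.log.push(`set ${name} (${entry.category})`);
    return true;
  }
}

// Walk through one visit: necessary cookies first, then the choice, then the rest.
function demoVisit() {
  const jar = new Map();
  const gate = new ConsentGate(cookiePolicy, (n, v, a) => jar.set(n, { value: v, ...a }));
  const results = {
    sessionBeforeChoice:   gate.set('sessionid', 's3ss10n'),    // true: strictly necessary
    analyticsBeforeChoice: gate.set('_analytics', 'visitor-1'), // false: deferred until choice
  };
  gate.recordChoice(['marketing']);                                   // refuses marketing only
  results.analyticsAfterChoice = gate.set('_analytics', 'visitor-1'); // true: not refused
  results.promoAfterChoice     = gate.set('_promo', 'offer-7');       // false: refused
  results.undeclared           = gate.set('tracker', 'x');            // false: not disclosed
  return { results, cookies: Object.fromEntries(jar), log: gate.log, disclosure: gate.disclosure() };
}

console.log(JSON.stringify(demoVisit(), null, 2));
```

The `disclosure()` output is the list that belongs in the "Extent of Data Being Processed" and "Right to Refuse Cookies" parts of the Privacy Statement, so the declared policy and the published text come from one source and cannot drift apart; the `log` gives the audit trail a reviewer would ask for when checking that refusals are actually honoured.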

Other Recommended Information

Detailed above is the information that must be included in a Privacy Statement. However, if an organisation intends its Privacy Statement as a comprehensive description of its on-line data processing, it can also include the following information:-

* Security
Whilst an organisation is required to have adequate security measures in place to prevent unauthorised access to, or alteration or destruction of, personal data in its possession, any detailed reference to such measures in a publicly available Privacy Statement would be unwise. Rather, the statement should confine itself to saying that the organisation takes its security responsibilities seriously, employs the most appropriate physical and technical measures, including staff training and awareness, and reviews these measures regularly.

* Accurate, Complete and Up-to-date
This is largely a reactive policy, as problems are often only discovered when dealing with the data subject. However, an organisation may make reference to the need to hold only accurate, complete and up-to-date data, suggesting means by which data subjects may update their details or actions the organisation may take to ensure accuracy, such as contacting customers by email.

* Adequate, Relevant, Not Excessive
Organisations are obliged not to hold more data than is necessary for the purpose for which they collect them. Any data in excess of this requirement should either not be requested or, if volunteered, deleted. In a Privacy Statement, organisations may make reference to a policy to review all data supplied/obtained and delete that which is not necessary, or which is no longer necessary.

* Retention
Data should not be held for longer than is necessary for the purpose(s) for which they were obtained. The Privacy Statement could refer to a policy of deleting credit card details once a transaction has been finalised, unless the organisation obtains the customer's consent to retain the details to ease future transactions. If an organisation holds different types of data for different periods, this can also be referred to in the Privacy Statement.

* Complaint Resolution Mechanism
Some means of dealing with complaints received from the website’s users about data processing is recommended by the Data Protection Commissioner.

Location of Privacy Statement

A Privacy Statement should be placed in an obvious position and not contained within another document. As a minimum, a link to the Privacy Statement should be placed in the upper half of the entry page to a website. As some web browsers will only display part of a page, the upper-page requirement means that a visitor need not scroll down to look for the Privacy Statement.

Placing a statement only on a Home Page may not be sufficient, as links from other web sites or through search engines may bring a visitor into the site via a page other than the Home Page. One solution is to place a link to the Privacy Statement on each page. Alternatively, a link could be placed on any page on which data are collected, though if the website uses cookies, effectively this could mean all pages.

Privacy Statement and “Terms & Conditions”

A Privacy Statement is a legal requirement and is distinct from terms and conditions, copyright or disclaimer notices. It should stand alone and be clearly identifiable. In order for a Privacy Statement to be of value, it must be readily accessible to the user, quickly read and easily understood. If it is buried within a lengthy document covering a variety of legal issues, it will be difficult for the organisation to demonstrate that it has fulfilled its obligations under the DPA and the Regulations.

Reviewing Privacy Statement

It should only be necessary to conduct a review if there is some change to the online processes. However, some mechanism should be in place to notify the appropriate staff member to initiate a review if:-

* There is a change to data processing on the website;
* There is a planned/actual redevelopment of the website;
* There is a new web hosting arrangement;
* There are suggestions received from site users.

In any case, the Privacy Statement should be reviewed in the context of an internal audit procedure, which also should review the organisational Privacy Policy, at least on an annual basis.

Other Issues

Any person using a third party Data Processor to host a website should be aware of a number of issues. All Data Processors processing personal data are obliged to have a current entry in the register maintained by the Data Protection Commissioner. Processing data whilst not having such an entry is an offence.

If the web hosting service hosts your site on a server outside the EEA, the transfer of data to that server must meet at least one of the conditions set out in Section 11 DPA. The organisation remains ultimately responsible should the web hosting company unlawfully process data. Section 2C DPA obliges organisations to have a contract in writing (or equivalent) with the Data Processor specifying:-

* What the Data Processor may do with the data on your behalf;
* What security measures the Data Processor must have in place.

Organisations must also take reasonable steps to ensure that the Data Processor complies with these instructions.

Paul Lambert

MERRION LEGAL
Solicitors & Community Trade Mark Attorneys
Clifton House
Lower Fitzwilliam Street
Dublin 2
Ireland
T: + 353-1-6690523