ICO issues draft guidelines for personal information online

As more companies gather personal information online as part of their every day work, the Information Commissioner's Office has created guidelines to help organizations protect their sensitive data.

More than a decade since the current version of the Data Protection Act came into force, organisations still struggle with compliance. And as more companies gather personal information online as part of their everyday work, the requirements of the DPA can seem even harder to follow.

More help for Data Protection Act compliance

Learn about a privacy template that can used for DPA compliance purporses.

For this reason, the Information Commissioner's Office (ICO) has issued new guidelines to help organisations with their treatment of personal information online. The ICO guidelines, which are complete and ready for use, are being published as part of a consultation exercise that ends on March 5. Organisations and individuals can comment on them, and the recommendations will be further refined if necessary.

"The Internet offers great possibilities for convenience and for new experiences, but it can also present risks. A record of our online activity can reveal our most personal interests. This code explains the privacy risks that can arise, and suggests ways of dealing with them by adopting good practice," the ICO said in the introduction of its Personal Information Online Code of Practice.

"This code sets out clear, comprehensive recommendations for handling personal data properly and for giving individuals the right degree of choice and control over it. It should also help all organisations with an online presence to negotiate areas of legal uncertainty by adopting good practice."

According to the ICO, companies that follow the code, will not only generate greater trust among customers, but they will also reduce the risk of queries, complaints and disputes about their use of personal data.

Personal Information Online Code of Practice

For more information, view the guidelines: Personal Information Online Code of Practice.

The code can be used as a checklist to evaluate and improve current procedures, or to make sure a new online service is delivered in a privacy-friendly way.

The code aims to clarify a range of areas of confusion, for instance, who is the data controller where information is collected online, special responsibilities when collecting data from vulnerable people, and the rules governing personal information that is transferred outside the U.K.

But there are still some areas of confusion that will need to be clarified, according to Louise Townsend, a privacy law expert at the London-based law firm Pinsent Masons LLP.

"I think it is a high-level view and addresses a lot of the frequently asked questions that the ICO gets asked," she said in statement. "It gives an overview and has a lot of links to some of the more technical guidance."

In particular, she identified the area of behavioural advertising and what activity is and is not legal, and suggested that organisations might need to receive more concrete advice.

"I think companies should bear in mind that this is a consultation, so if they want more clarity, then this is the time to say that, rather than in a few months' time," she said.

Read more on IT risk management