Privacy Policy

The Information Commissioner notes the importance of privacy policies, but also states that a layered notice can be even more effective at making Web site users aware of how their data will be collected, stored, and used. A layered notice usually involves several notices of increasing specificity that are all linked to each other. The first notice is the shortest and uses broad terms to describe how information will be used. The condensed notice contains major pieces of information that can be organized into sections for ease of reading. The longest notice contains all information about data collection, storage, and use and should also contain all required legal information. When using a privacy policy on a Web site, the terms of service of the site should not conflict with any of the privacy policy’s terms.

Clause Notes & Our Privacy Policy

We have set out below information to assist you in completing a privacy policy.

The information below relates to the terms of the standard privacy policy and is organised under headings that correspond to the headings used in our standard policy.

Privacy Policy Drafting Notes:

One of the requirements is that the full name of the person responsible for data control is provided. This information can be given at the beginning of the policy.

The Data Protection Act does not require that persons in charge of data control provide a representative. However, if a representative is named, these details must be given in the policy.

Collected Information

To ensure that the data subject’s consent to data processing is considered informed, the type of data that the site will process should be listed. For many sites, this information is obvious, but policies should refer to data that are collected automatically or that are collected from forums and discussion groups. The policy should also refer to data that is collected from other means than directly through the data subject.

Cookies and IP Addresses

Data files that are placed on computer hard drives are known as cookies. These data files allow Web sites to determine if a user is a return customer whenever the user visits the Web site again. These data files may also be used to review how a user uses a Web site. Browsers usually accept cookies automatically, but users may change their browser settings so that cookies can only be accepted by clicking on an accept button.

The Information Commissioner classifies the use of cookies as the storage of personal data. Therefore, the use of cookies always had to comply with the Data Protection Act. Since the Regulations were published, Web site operators have been required to provide comprehensive data about how the cookies will be stored and used. This compliance falls under regulation 6. There is no specific requirement for how the information must be provided, but the Commissioner states that the information should be given on any doorway page to a site. If a site allows a third party to use cookies for Web tracking purposes, users must be informed.

Web site users must also be given the opportunity to refuse to allow the storage of or access to cookies on their hard drives. There is no specific regulation governing how users should be able to deny access, but the Commissioner recommends that the instructions for denying access should be easy to understand and freely available. Cookies can be turned off through browser settings, or a site operator may provide a way to deny cookies specifically from their site. Some site pages may be restricted if a user chooses to refuse cookies, but the consequences of refusing storage of or access to cookies must be clearly displayed. Site operators should also make it clear if third parties will be adding cookies to user hard drives.

Personal Data Storage

The data protection principles help to govern how data is stored. Under the eighth principle, any data transfer that is going outside of the EEA is only allowable if the receiving country offers adequate data protection or the data subject consents to the transfer. Consent is most often used to authorize a transfer of data to a country that is outside of the EEA. If data will be transferred outside of the EEA, this should be disclosed in a site privacy policy, along with information about how the data will be processed. Web site operators should also list all of the countries to which personal data may be sent.

Data transfer can include posting information on a site that offers overseas access. Web site operators who publish personal data are most affected by this, as it makes it difficult to list which countries data will be transferred to. Examples of this type of site include forums and discussion groups, where users can contact each other. Auction sites and instant messaging programs are also problematic. Anyone who owns one of these sites should implement a code of conduct for all users so that the privacy of all site users can be protected. This code of conduct can be outlined in the site privacy policy.

Because users want to know that their data will be kept secure, the privacy policy also includes information on the security of data. The Data Protection Act requires data controllers to maintain data security. This information is accompanied by a statement to the effect that data transfers are never completely secure. The standard policy excludes the site operator from liability arising from personal data that is lost during transmission to the site.

Data Usage

Site users must be informed about the purpose of data collection and processing. This information can be general in nature, but data controllers need to outline any obscure uses of data in detail. The privacy policy should also outline whether any data collected will be used for marketing and let users know if the data will be published on the site. Data controllers should consider data transfer when creating a privacy policy, as many users do not want their data shared with third parties.

Any online form that is used to collect data should contain tick boxes that allow users to opt in or opt out. Users may be asked to mark these boxes before their data is submitted so that the Regulations requirements are met. The privacy policy is also an area where data controllers can let users know about the types of products and services that will be marketed in the future using the collected data. This is not required under the law, but should be included so that users can give informed consent for data collection.

The rules for consenting to data collection and processing for the purpose of direct marketing vary based on how communication occurs. The privacy policy allows a Web site operator to list the types of communication that might be used for marketing. These communication methods include e-mail and telephone. If marketing is being done electrically, via e-mail or SMS, there are special requirements that must be followed. Prior to the issue of the Regulations, advertisers could send marketing communications until the recipient expressly requested that they stop sending the communications under section 11 of the Data Protection Act. The Regulations have limited this practice; Regulation 22 makes it a requirement that all electronic marketing be done on an opt-in basis only. The only exceptions are if the recipient’s information was obtained through prior sales or if the communication is related to other goods and services that the recipient has purchased.

Even if these conditions exist, the Web site operator has to give the recipient a way to opt out of future marketing messages, and the user must be provided with information on opting out. The privacy policy was developed to make sure that the site operator is in compliance with this requirement. Any online form that is used to collect personal data should include tick boxes that allow the user to opt in or out of getting marketing information electronically. If the purpose of the data collection changes, the policy must be amended to reflect that change. The amended policy must then be given to data subjects. Web site operators should carefully consider how they might use information in the future so that the risk of having to obtain further consent is minimized. A statement regarding aggregate information on how the site is used is not necessary, but can help in gaining customer trust.

Information Disclosure

Users should be informed if a Web site operator plans to give access to data or sell data to third parties, and the purpose of this disclosure must be given to users. One example of disclosure is selling a customer list to marketing companies or advertisers. Data controllers need to have the ability and authorization to transfer data if a business is being sold.

Your Rights

No information in the data protection laws and regulations prevent consent being withdrawn. However, site operators are not required to remind users that they may object to any type of data processing at any time, unless the site is collecting cookies or marketing using e-mail or SMS. Including this information may help build consumer trust, although a site operator may prefer not to let users know that they have the right to withdraw their consents. If a site has links to third-party Web sites, users may give their data to the third party site’s owners without realizing that the original site privacy policy does not govern this data processing. The privacy policy was developed to inform users that they need to check third party privacy policies when submitting any personal data.

Information Access

Under section 7 of the Data Protection Act, an individual may make a request in writing to be informed if personal data is subject to processing or to be informed of the purposes of such data collection. These requests must be made to data controllers.

In many cases, the person making the request may also ask to receive a copy of any data that is being stored by the data controller, and to be informed about where the data came from. The data controller typically has 40 days to provide this data, and a fee of up to 10.00 pounds may be charged for each request. The privacy policy reminds users that they have the right to request access to their data. This is not legally required, but consumer confidence may be improved if such a statement is included.

Privacy Policy Changes

To ensure that the privacy policy can be continually enforced, it contains a notice that informs users that any changes will be disclosed to them. The Web site operator may not be able to make changes and enforce them retroactively unless the user is informed and gives consent. The Commissioner stated that any changes made will affect how controllers will respect the assurance contained in the change statement. Users who give information prior to a policy change will have done so under a previous version of the privacy policy, so data controllers must be careful to honour any assurances made in that original statement. If a Web site controller wishes to change how personal data is used, the ideal situation would be to get opt-in consent from data subjects by sending them a notice of the new uses and getting their agreement. If someone does not respond to a notification of the change, their consent should not be assumed. It is accepted that it may be enough to inform people about the planned changes and give them the opportunity to disagree. If the new use is not for a new purpose, or if the new use is very similar to the use outlined in the original statement, this will be the case.


Policies must contain contact information so that users are able to withdraw consents, whenever the law allows them to withdraw consents that were previously given. The physical address of the site operator should be given specifically in addition to other contact details.