Although the ICO has the responsibility of enforcing the UK’s data protection laws, few of its activities thus far have been centred on the Internet. Now, however, the Global Privacy Enforcement Network is coordinating a worldwide initiative that has prompted the ICO to cast a keener glance on companies’ online privacy policies, checking for potential breaches of the Data Protection Act 1998 (DPA).
There have been claims that a great number of companies are breaching the DPA, with online privacy policies that are designed to protect the companies from legal liability and that fail to properly inform visitors about how their personal data is being processed. The ICO has therefore signalled an intention to look “closely at how easy these policies are to read and how clearly they explain how personal information is being handled.”
The ICO warned that any offending companies would be named and shamed without hesitation. With the initial test exercise involving just 250 companies, the current chances of any one director having this aspect of their firm’s corporate governance exposed are remote. Nonetheless, even with the ICO not stating which companies it would investigate, it makes sense for many directors to review their online privacy policies now.
Finally, any further information that is ‘necessary’ for ensuring the fair processing of personal data – such as security arrangements and how privacy concerns can be raised – must also be provided. An easy-to-read three-page checklist has been provided to small companies by the ICO to assist them in achieving legal compliance with this aspect of their corporate governance.