ICO issues draft guidelines for personal information online

By Ron Condon, U.K. Bureau Chief 14 Dec 2009 | SearchSecurity.co.UK

Enterprise IT news roundup Digg This!     StumbleUpon     Del.icio.us

More than a decade since the current version of the Data Protection Act came into force, organisations still struggle with compliance. And as more companies gather personal information online as part of their everyday work, the requirements of the DPA can seem even harder to follow.

More help for Data Protection Act compliance Learn about a privacy template that can used for DPA compliance purporses.

For this reason, the Information Commissioner's Office (ICO) has issued new guidelines to help organisations with their treatment of personal information online. The ICO guidelines, which are complete and ready for use, are being published as part of a consultation exercise that ends on March 5. Organisations and individuals can comment on them, and the recommendations will be further refined if necessary.

"The Internet offers great possibilities for convenience and for new experiences, but it can also present risks. A record of our online activity can reveal our most personal interests. This code explains the privacy risks that can arise, and suggests ways of dealing with them by adopting good practice," the ICO said in the introduction of its Personal Information Online Code of Practice.

"This code sets out clear, comprehensive recommendations for handling personal data properly and for giving individuals the right degree of choice and control over it. It should also help all organisations with an online presence to negotiate areas of legal uncertainty by adopting good practice."

According to the ICO, companies that follow the code, will not only generate greater trust among customers, but they will also reduce the risk of queries, complaints and disputes about their use of personal data.

Personal Information Online Code of Practice For more information, view the guidelines: Personal Information Online Code of Practice.

The code can be used as a checklist to evaluate and improve current procedures, or to make sure a new online service is delivered in a privacy-friendly way.

The code aims to clarify a range of areas of confusion, for instance, who is the data controller where information is collected online, special responsibilities when collecting data from vulnerable people, and the rules governing personal information that is transferred outside the U.K.

But there are still some areas of confusion that will need to be clarified, according to Louise Townsend, a privacy law expert at the London-based law firm Pinsent Masons LLP.

"I think it is a high-level view and addresses a lot of the frequently asked questions that the ICO gets asked," she said in statement. "It gives an overview and has a lot of links to some of the more technical guidance."

In particular, she identified the area of behavioural advertising and what activity is and is not legal, and suggested that organisations might need to receive more concrete advice.

"I think companies should bear in mind that this is a consultation, so if they want more clarity, then this is the time to say that, rather than in a few months' time," she said.

Tags: Compliance Regulation and Standard Requirements,  IT Security Frameworks and Standards,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Compliance Regulation and Standard Requirements PCI DSS requirements still baffling as compliance deadline approaches Make PCI DSS compliance easier by reducing scope, outsourcing data Cloud computing compliance: Exploring data security in the cloud Encryption basics: How asymmetric and symmetric encryption works SIEM systems streamline compliance processes, offer security benefits No major PCI DSS revision expected in 2010 PCI QSAs, certifications to get new scrutiny Tips to achieve PCI compliance PCI DSS requirements: Get ready for stricter enforcement, fines Data Protection Act breach could cost companies 500,000 pounds IT Security Frameworks and Standards How to develop a culture of security in the enterprise Using a privacy impact assessment template for DPA compliance Benefits of ISO 27001 and ISO 27002 certification for your enterprise How to write an information security policy The elements of a compliance-oriented architecture New products aim to streamline compliance efforts A helpful BSI data protection standard for DPA compliance How project management maturity models can reveal security strength Consider a compliance-driven security framework CSA, Jericho Forum unite on cloud computing security message

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Basel II  (SearchSecurityUK.com) Code of Connection (CoCo)  (SearchSecurityUK.com) EU Data Protection Directive  (SearchSecurityUK.com) Financial Services Authority  (SearchSecurityUK.com) IFRS (International Financial Reporting Standards)  (SearchSecurityUK.com) UK Identity Cards Act  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary