Data Protection Compliance / Privacy Policy
CEO at Econsultancy
21 October 2000 16:58pm
Did you know that the UK Data Protection Act 1998 requires every data controller who is processing personal data to notify unless they are exempt? More importantly did you realise that failure to notify is a criminal offence? Could you be breaking the law?
Data protection is an increasingly big issue. This is driven in part by consumers who want to know that their personal data is being handled in the proper manner, in part by the industry which wants to be seen as professional and credible and in part by government bodies eager to bring some law and order to the Wild West of the internet. All this means that where perhaps a blind eye was turned in the past (maybe there wasn’t even a blind eye to turn…), you cannot afford to ignore privacy and data protection issues any longer.
I am not a solicitor, but below is a brief layman’s guide and some resources to get you on your way to data compliance and to having the necessary privacy policy on your site.
If you are UK based then you can find most of what is below and more at the Data Protection web site at http://www.dataprotection.gov.uk
The Principles of Data Protection are that anyone processing personal data must comply with the eight enforceable principles of good practice. They say that data must be:
1. fairly and lawfully processed;
2. processed for limited purposes;
3. adequate, relevant and not excessive;
4. accurate;
5. not kept longer than necessary;
6. processed in accordance with the data subject's rights;
7. secure;
8. not transferred to countries without adequate protection.
For a full explanation of the principles go to http://wood.ccta.gov.uk/dpr/dpdoc.nsf
1. So who needs to register?
- Every data controller who is processing personal data must notify unless they are exempt.
- A data controller is a person who determines the purposes for which and the manner in which any personal data are, or are to be processed.
- Personal data means data which relates to a living individual who can be identified from those data or from those data and other information which is in the possession of the data controller.
Find out more on the above at http://www.dpr.gov.uk/notify/2.html
2. How do you notify?
- By Internet. You can complete the notification form on-line (http://www.dpr.gov.uk/notify/4.html), print it and send it in.
- By Telephone. You can telephone the notification help line (01625 545 740) and a draft notification form will be sent to you based on the information you will be asked to provide on the telephone.
3. How much does it cost?
Every notification must be accompanied by a fee of £35.00 (VAT nil). The period of notification is one year. The Data Protection registry does not send invoices but will acknowledge receipt of payment. After this time a continuation fee of £35.00 must be paid.
4. How long does it take?
There’s probably no standard length of time but in my case the whole process took 2 weeks.
5. What if my site gets rejected?
Interestingly the law only states that you must be open and honest about what you are doing and that this must be available on the register for anyone to see. You also have a responsibility to keep this information up to date and accurate. There aren’t any actual stipulations as to what you do with the data – that is governed by the Privacy Policy (see below). So your site will not be rejected, but you must be honest about how you are using the data. The likelihood that anyone will check the data registrar is, let’s be honest, small, but it is there for all to see if they wish. Have a look at what Microsoft are doing, for example, at http://www.dpr.gov.uk/cgi-bin/dpr98-fetch.pl?source=DPR&docid=238074
6. How about Privacy Policies / Statements?
One way to help you create a privacy policy is to go to sites that are similar to yours and see what they have that you can combine and adapt. There are also third party organisations that verify sites are adhering to certain standards of privacy. These services are becoming increasingly popular and consumers are beginning to expect some external seal of approval on a site to feel secure.
One of the best known of these third party organisations is TRUSTe. They provide resources and a model Privacy Policy on their site at http://www.truste.com/webpublishers/pub_resourceguide.html
The 7 key questions that you have to answer to the satisfaction of TRUSTe are:
1. What personally identifiable information of yours, or third-party personally identifiable information, is collected from you through the web site
2. The organization collecting the information
3. How the information is used
4. With whom the information may be shared
5. What choices are available to you regarding collection, use and distribution of the information
6. The kind of security procedures that are in place to protect the loss, misuse or alteration of information under your control
7. How you can correct any inaccuracies in the information.
For information on how to join the TRUSTe scheme go to http://www.truste.com/webpublishers/pub_join.html
The cost of joining (Company's Annual Revenue / Annual Licensee Fee):
$0 - $1 million / $299
$1 - $5 million / $399
$5 - $10 million / $599
$10 - $25 million / $1,999
$25 - $50 million / $2,999
$50 - $75 million / $3,999
$75 million and over / $6,999