ICO publishes new guidance on social networking and online forums | Practical Law

The Information Commissioner's Office has published new guidance on social networking and online forums. (Free access.)

Practical Law Legal Update 1-531-4245 (Approx. 5 pages)

by Practical Law IPIT & Communications
Published on 05 Jun 2013, United Kingdom

Speedread

The Information Commissioner's Office (ICO) has published new guidance on social networking and online forums that replaces its 2007 guidance on this topic. The Data Protection Act 1998 (DPA) contains an exemption for personal data that is processed by an individual for the purposes of their personal, family or household affairs (domestic purposes exemption). It applies whenever an individual uses an online forum purely for domestic purposes. This exemption does not cover organisational use of online forums. Organisations that use social media are therefore subject to the DPA in the normal way. It also does not apply when individuals process personal data for non-domestic purposes. Individuals who use social media for purposes such as running a sole trader business are subject to the DPA in the usual way. In the context of running an online forum when an exemption does not apply, compliance with the DPA includes taking reasonable steps to check the accuracy of any personal data that is posted by third parties.

Background

Social networking sites (SNSs) such as Facebook, Google+ and Twitter, which allow users to share personal profiles and other information such as photographs, as well as to exchange messages, have become increasingly popular. User-generated content services, where online content is produced and submitted by users of the service, have given rise to the development of a number of new online business models. In particular, SNSs, which give users the opportunity to upload a profile containing information about themselves and to share that information online with other users, have enjoyed increasing popularity. There have been a number of recent reports and studies raising concerns about privacy and safety issues, particularly with regard to the use of such sites by children and young people. They may be unwittingly making their personal data available to strangers and there is potential for that data to be misused.
In November 2007, the Information Commissioner's Office (ICO) published the results of a survey on young people's use of social-networking sites which, among other things, revealed that many are unaware of the privacy policies of such sites and post personal details which could be used for the purposes of fraud, such as their dates of birth or home addresses (see Legal update, ICO publishes guidance on using social-networking sites).
There have been various UK government initiatives in this area (see Practice note, Privacy implications of social-networking sites: Children and young people).
In its 2009 opinion on social networking, the EU's Article 29 Working Party confirmed that SNS providers and third parties processing the personal information accessible on SNSs must comply with the EU data protection regime, including, in particular, the EU Data Protection Directive (95/46/EC) (Directive), implemented in the UK through the Data Protection Act 1998 (DPA) (see Legal update, EC Working Party publishes opinion on online social networking). The Working Party clarified that both SNS providers and providers of individual applications on SNSs are data controllers under the Directive. The Working Party's opinion was that not all activities of an SNS user are necessarily covered by the household exemption under Article 3(2) of the Directive.
The DPA is based around eight principles of good information handling. These give people specific rights in relation to their personal information and place certain obligations on those organisations that are responsible for processing it. There is an exemption in section 36 of the DPA which means that when personal data is processed by an individual for their own personal purposes, the data protection principles do not apply (domestic purposes exemption). This was one of the key focus areas of the ICO's new guidance.

Facts

The ICO has published new guidance on social networking and online forums (SNOFs) that replaced its 2007 guidance on this topic. Issues covered include what the DPA says, determining whether an online forum is being used for non-domestic purposes, running an SNOF, ICO involvement in complaints against those running SNSs, organisations and individuals, and other considerations.

What the DPA says

Section 36 of the DPA cannot be used by organisations which process personal data. This means that organisations that use SNOFs have responsibilities under the DPA:
  • If they post personal data on their own or a third party's website.
  • If they download and use personal data from a third party website.
  • If they run a website which allows third parties to add comments or posts about living individuals, and they are a data controller for the website content.

Determining whether an online forum is being used for non-domestic purposes

The domestic purposes exemption is based on the purposes for which the personal data is being processed, not on the nature or content of the data itself. It applies whenever someone uses an online forum purely in a personal capacity for their own domestic or recreational purposes. It does not apply when an organisation or an individual uses an online forum for corporate, business or non-domestic purposes.
Sometimes online forums can be used or set up by a group of individuals and the question is then asked whether the domestic purposes exemption can apply in these circumstances. The ICO view is that the key issue remains the purpose behind the processing. If you are processing personal data for non-domestic purposes then you will be subject to the requirements of the DPA regardless of whether you are acting as a sole individual, part of a group of separate individuals or on behalf of a group (such as a club or society) with its own separate legal identity. In general, the more formal and the more distinct the group is from its individual members, the less likely it is that the domestic purposes exemption will apply. A non-exhaustive list of questions is set out in the guidance to help a group of individuals to decide whether the exemption applies to them or not.
The domestic purposes exemption does not necessarily apply whenever a personal view is expressed.
The ICO recognises that determining whether the exemption applies in the context of social media that is used for both domestic and non-domestic purposes is a difficult area. One solution for people in this situation is to keep their personal and non-personal affairs apart by having separate online profiles for their work and personal lives.

Running an SNOF

The first issue a person or organisation that runs an SNOF needs to consider is the extent to which they are a data controller.
In relation to any contact information or other personal data that the site operator processes about its own users or subscribers, it will clearly be a data controller and will need to comply with the DPA. In relation to any personal data that is posted on its site by third-party subscribers, the issue is less clear cut. However, even if the content is not moderated before posting, this does not necessarily mean that the person or organisation running the site is not a data controller. If the site only allows posts subject to terms and conditions which cover acceptable content, and if it can remove posts which breach its policies on such matters, then it will still, to some extent, be determining the purposes and manner in which personal data is processed. It will therefore be a data controller.
If the person or organisation running the site is a data controller for the content that it allows third parties to post, then it will need to comply with the DPA. For example, it must take reasonable steps to check the accuracy of any personal data that is posted on its site by third parties and is presented as a matter of fact.
The ICO would consider reasonable steps for a data controller running this type of social networking site to include the following:
  • Having clear and prominent policies for users about acceptable and non-acceptable posts.
  • Having clear and easy-to-find procedures in place for data subjects to dispute the accuracy of posts and ask for them to be removed.
  • Responding to disputes about accuracy quickly and having procedures to remove or suspend access to content, at least until such time as a dispute has been settled.
A person or organisation running such a site might wish to set up a mechanism which allows it to add a note to a post indicating that the data subject disputes its factual accuracy. In practice, however, it will probably be more practical for the site to simply remove or suspend access to the disputed post.
For more information on best practice in this area, see Checklist, Best practice for operating a social-networking service.

ICO involvement in complaints against those running SNOFs, organisations and individuals

The ICO would expect a person or organisation running an SNOF to have policies in place that are sufficient to deal with:
  • Complaints from people who believe that their personal data may have been processed unfairly or unlawfully because they have been the subject of derogatory, threatening or abusive online postings by third parties.
  • Disputes between individuals about the factual accuracy of posts.
  • Complaints about how the person or organisation running the site processes any personal data (such as contact details) given to it by its users or subscribers.

Other considerations

These include the exemption under section 32 of the DPA and other relevant legislation.

Comment

The ICO's new guidance on SNOFs is sensible and straightforward. It is replete with helpful examples to illustrate the relevant principles, particularly concerning the issue of determining whether an online forum is being used for non-domestic purposes. This is consistent with, but goes further than, the guidance given by the Article 29 Working Party in its 2009 opinion on online social networking. It also gives good guidance to data controllers running SNOFs on their responsibilities under the DPA. It is helpful for them to know that the ICO does not normally require the operator to check every individual post for accuracy. The ICO's stated expectations on complaint mechanisms and its own policy on handling complaints made to it about unfair or inaccurate postings are also useful.