Some elements are just an evolution of the current situation, but others are very disruptive.

Here I highlight those that stood out most to me. For a fuller picture see the European Commission’s data protection pages (or, better still, speak to your lawyers).

Pinsent Masons’ perspective

The European Commission’s website says:

Protecting your personal data – a fundamental right!

The free flow of personal data – a common good!

However, Pinsent Masons’ view is that there is too much focus on process and not enough on understanding different types and uses of data.

Although there is no opportunity now to oppose the regulation, apparently we can still feed in our thoughts on the practicalities of it.

Regulation, not directive

It’s a regulation not a directive, which means it will be the same in every member state (with some exceptions for national labour laws).

So, unlike with the cookie law, member states will not be drawing up their own regulations based on a directive.

The process will take until the end of 2013.

However, once agreed it will be enforceable immediately. If we’re given any time to comply it probably won’t be much.

Also, the ICO apparently says there’s no reason that some elements can’t be implemented earlier.

So, Pinsent Masons’ advice is to start doing what we can right now.

What data is covered?

All ‘personal data’.

There will no longer be the distinction of ‘sensitive data’: it will all be treated the same, regardless of sensitivity.

‘Personal data’ will include:

• Data related to a living individual who can be identified from it, or from a combination of it and other data;
• location data;
• online identifiers (eg avatars);
• genetic data;
• psychological data;
• economic data.

Who does it affect?

All of us. All organisations are treated the same.

Consent

We must get explicit consent to use people’s personal data.

But how often? Every time a user visits us? So, for example, would we need to gather someone’s details every time we want to send them a newsletter?

Breach notification

Every breach has to be reported, both officially and to the owner of the data.

Once a breach is reported, the ICO will investigate the whole organisation.

But what constitutes a breach? For example, will it include the loss of USB keyrings? And will we have to we report a breach if we don’t know whether or not personal data was affected?

This could lead to what lawyer Jon Bell referred to as ‘notification fatigue’, as people are inundated with notifications but unable to tell which are actually important.

Penalties

Breaches are ‘usually the result of human error’ and are ‘easily done’.

However, the fines for breaches will rise significantly:

• up to EUR 1m (public and third sector), or
• 2% of global turnover.

The legislative process (2012 – 2014)

1. Hearings
   May – November 2012
2. Draft report published
   November 2012
3. Parliamentary amendments to text
   December 2012
4. Committee stage
   January – April 2013
5. Lead committee vote
   April 2013

Pinsent Masons are running more seminars on this in Edinburgh, Glasgow, Leeds and Manchester.

• Possibly related posts

  1. Legal considerations for people responsible for websites
  2. Open Database License (ODbL) v1.0 Released
  3. Cookie Control: a painless solution to cookie opt-in

I’ve posted it here initially, but I may well move it in due course. If so I will leave a clear link and explanation in this post.

I appreciate that what follows might not embody an approach relevant to all organisations.

• breaking the law (copyright, for example);
• breaking a contract (a website’s terms of service, for example).

Accessibility

We have a legal duty to ensure our services are accessible to disabled users, which by implication includes websites. There are no specific requirements for websites; as far as I know there have been no significant test cases yet, but groups such as the RNIB have been active in trying to force such a case.

The important thing is to be mindful of accessibility issues when commissioning and managing websites, and to understand the implications of – and be able to justify – your site’s accessibility measures.

• Disabled access to websites under UK law (out-law.com)
• Web Accessibility And The Law (ictknowledgebase.org.uk)

Data protection

When collecting personal information from someone (eg for sending marketing emails) you must be able to show that they were made fully aware that they were giving consent and that they did so actively (as opposed to passively).

A common way to do this is to offer a box that the user ticks to say they are happy for you to send them emails (as opposed to a ready-ticked box that they must un-tick in order not to receive emails).

You must also provide an ‘unsubscribe’ option in every newsletter and marketing email.

Records of those who have unsubscribed should be kept so that they are not accidentally contacted again (unless they explicitly give their consent to be).

Whatever means you use to collect and store data must comply with the Data Protection Act.

• Email marketing – when to use opt-in and when to use opt-out (out-law.com)
• Best Practice For Sending Email Newsletters (ictknowledgebase.org.uk)
• Data Protection (out-law.com)

Intellectual Property

Don’t use anything you don’t have the right to use. Always check licences, copyright and terms of use for anything you re-use (eg text, photos) regardless of where you find them.

For example, images on Flickr are not free for anyone to re-use: by default the owner has copyright control of them, and in many cases the images will have been released under a Creative Commons licence.

• Intellectual property in websites: ownership and protection (out-law.com)

Moderation

This is somewhat counter-intuitive. If you hold comments in a moderation queue in order to vet them, you are deemed to be their creator: legal responsibility for their content is transferred from the original author to you.

Current popular advice is to allow all comments to be published, but operate a solid complaints procedure: include a ‘Report this’ link in each comment and respond swiftly (within 48 hours) when you receive a complaint.

You should check the comments regularly.

• Moderation, liability and terms of use (out-law.com)

Contracts

Whenever you accept terms and conditions for a website or service, you are entering into a contract. If you are using that service in any way for work, you are responsible for that contract on the organisation’s behalf.

Read before you sign up

It’s laborious, I know, but always read through the terms before you agree to them.

Record

Keep a record of those terms of service that you have agreed to, as well as the links to them. This makes it easier for us to remedy any situation that might arise.

Remember

Even if you don’t tick a box explicitly to accept terms and conditions, you are still bound by a website’s terms while visiting it or using content on it.

Terms of use

Use our Terms of Use [link], not someone else’s (such as the BBC’s), as the basis for your own. Ours were written for us, other people’s were not. Our Terms of Use are not set in stone, we can always amend and adapt them as necessary.

Our Terms of Use include rules for posting to our website [link].

Further information

• Moderation, liability and terms of use (out-law.com)
• Legal guides from law firm Pincent Masons (out-law.com)
• ‘Legal Issues’ on lasa’s Knowledgebase (ictknowledgebase.org.uk)
• Data Protection Act explained (ico.gov.uk)
• Disability Discrimination Act explained (direct.gov.uk)

• Possibly related posts

  1. Talk About Local unconference 2010: Legal issues discussion
  2. Crowdsourcing legal issues for website commissions
  3. Web management for beginners: how detailed should I be?

There is a lot of this information littered around the Internet, but I want a simple list of key points with links to further information that I can share with people; so I thought I’d try crowdsourcing it.

I’ll put this into a wiki eventually.

I’ll start it off:

• Post-moderated forums
  The act of moderating comments transfers legal responsbility for their content to the site host
  http://out-law.com/page-7841#Moderatedsites

• Possibly related posts

  1. Talk About Local unconference 2010: Legal issues discussion
  2. Legal considerations for people responsible for websites
  3. Web management for beginners: how detailed should I be?

“The Open Database License (ODbL) is an open license for data and databases which includes explicit attribution and share-alike requirements.

“This license, the first of its kind, is a major step forward for open data. There are currently very few licenses available suited to data and databases and none which provide for share-alike (existing share-alike licenses such as the GPL, GFDL and CC By-SA are all unsuitable for data).”

Visit Open Database License (ODbL) v1.0 Released

• Possibly related posts

  1. Arguments for open local data
  2. A council might publish open data, but how does it encourage good use of that data?
  3. Releasing local data: what are the challenges?