Privacy Policies

Most organisations that conduct their business online will collect data relating to individuals at some stage during their operations, whether in relation to customers, target clients, or even their own employees. Personal data can be collected on websites by a variety of means: registration pages, requests for details when goods or services are ordered, competitions and surveys, or by the use of various tracking devices such as cookies. Whenever personal data is collected, the organisation responsible for the use of such data (known as the ‘data controller’) will need to comply with various legal requirements, and may be advised to follow certain good practice guidelines, all of which are designed to protect the privacy of the individual whose data is being collected.

Compliance with these legal obligations and guidelines is greatly assisted by the use of a privacy policy, which is an increasingly common feature on commercial websites. A privacy policy is a statement of an organisation’s policy on the use of personal information. At a minimum, it explains how personal information may be collected and what may happen to this information following collection, and details the associated rights of the individuals. A privacy policy is therefore also valuable in increasing users’ confidence in the trustworthiness of the data controller and its practices.

In a recent study carried out by the UK Information Commissioner in 2002, half of the sites surveyed carried either a privacy policy or a fair collection notice. There is also evidence from the Organisation for Economic Co-operation and Development (OECD) that the number of websites posting privacy policies is growing rapidly.

This paper looks at the legal origins of privacy policies and how they can be used to aid compliance with data protection requirements. It then examines the key considerations when designing a privacy policy.
