Dot-coms come under data protection scrutiny

Web sites operating in the UK be will investigated by the information commissioner to check compliance with data protection law

The Office of the Information Commissioner has launched an investigation into the compliance of British Web sites with the Data Protection Act 1998.

With the passing of the deadline, last October, for companies to comply with the Act, the balance of rights fell back into the hands of the consumer. Information commissioner Elizabeth France is keen to establish the extent to which Internet companies are now adhering to her code of practice when compiling personal information on customers.

"With the developments in technology, Internet marketing is going to grow in the UK, and a responsible approach is something useful to identify," said David Clancy, strategic policy officer to the information commissioner.

Under the new Act, all UK-based Web sites are obliged to provide more information about their purposes for processing personal data on request, and must also reveal the source of their data. Consumers who are refused access to their records are now entitled, for the first time in the UK, to take the case before a magistrate's court.

The study will ask Web site operators about their policies for collecting customers' personal data. Questions will focus on the security of the site, the company's data protection notices and privacy policy, and direct marketing requirements. All organisations will also be asked if they have notified the information commissioner of their processing activities.

"We will be specifically looking into how companies are gathering users' information, and whether they are using fair processing methods for direct marketing," said Clancy. "This will be particularly relevant to children's Web sites regarding the types of notices that they are giving customers, looking at whether they are appropriate."

There are eight data protection principles in the Act. The information commissioner has the power to issue an enforcement notice to any organisation found to be in breach of any of the principles, which could result in a £5,000 fine in magistrate's court, or an unlimited fine in a crown court. Depending on the nature of the breach, the Commissioner may decide to offer "educational advice" instead.

The study will be conducted throughout January and February 2002. Companies participating in the study will be reassured that any information collected will be kept anonymous, and none will be used for taking action against a non-compliant Web sites at this stage.

"The study won't be used as evident to actively pursue companies," said Clancy. "Once completed, if it shows a disregard for data protection issues by Internet companies, the information commissioner's office will develop a strategy for addressing this, and will produce stronger guidance."

For everything Internet-related, from the latest legal and policy-related news, to domain name updates, see ZDNet UK's Internet News Section.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Telecoms forum.

Let the editors know what you think in the Mailroom. And read other letters.