Sarah Gwyndaf-Roberts offers some practical advice on data protection for law firms operating Web sites following the publication of the Information Commissioner's report on Web site compliance

The Information Commissioner has published a report on a study which seeks to assess the degree to which the operation of UK Web sites is in compliance with the Data Protection Act 1998.

The report was commissioned by the outgoing commissioner, Elizabeth France, who was replaced last week by Richard Thomas, director of public policy at Clifford Chance.

The University of Manchester Institute of Science and Technology (UMIST) undertook the study.

Of particular concern to the commissioner was the lack of data security and systems relating to the retention of information.

Law firms which obtain personal information about users should take note of the concerns raised by the commissioner, and amend their Web sites and internal practices accordingly.

Personal information may be obtained directly, by way of 'contact us' or 'register here' mechanisms, or indirectly by the use of cookies, web bugs or similar devices.

A cookie is a string of computer text placed on your hard disk by a Web site so that the site operator can recall information about you at a later date.

Cookies are used to rotate banner adverts so that the user does not keep seeing the same one, but they can have a host of other marketing applications.

A Web bug is an image used for monitoring visitors to a site or readers of e-mails.

A computer's IP (Internet Protocol) address is transmitted to the other end of the connection whenever the user logs on to the Internet or sends an e-mail.

Law firms should liaise with their Web site designers to find out whether individuals can use their Web sites anonymously.

Ask, for example, whether a site builds up a personalised profile of the user from the IP address alone.
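As an added illustration, not part of the original article or the Information Commissioner's report, the following Python script shows the kind of check a firm could run against its own site before putting those questions to its designers: it reads the Set-Cookie headers and HTML of a page and reports which cookies persist on the visitor's disk beyond the browser session and which images look like web bugs (tiny images fetched from another host). The response headers, HTML and host names it uses are constructed for the example.

```python
"""Audit a page's cookies and images for tracking mechanisms.

Added example, not from the article or the Information Commissioner's
report. The response headers, HTML and host names below are constructed.
"""
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlparse


def classify_cookies(set_cookie_headers):
    """Describe each cookie set by the site.

    A cookie carrying an Expires or Max-Age attribute is written to disk and
    survives the browser session, which is what lets a site recall a visitor
    on a later visit; a cookie without either is discarded when the browser
    closes.
    """
    results = []
    for header in set_cookie_headers:
        cookie = SimpleCookie()
        cookie.load(header)
        for name, morsel in cookie.items():
            lifetime = morsel["expires"] or morsel["max-age"]
            results.append({
                "name": name,
                "persistent": bool(lifetime),
                "lifetime": lifetime or "session",
            })
    return results


class _ImageCollector(HTMLParser):
    """Collect the attributes of every <img> tag in a page."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def find_web_bugs(html, site_host):
    """Return the src of images that look like web bugs.

    Heuristic: an image declared 1x1 (or 0x0) pixels whose host differs from
    the site's own host is most likely there to report the visit to a third
    party rather than to be seen.
    """
    collector = _ImageCollector()
    collector.feed(html)
    bugs = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        tiny = (attrs.get("width", "").strip() in ("0", "1")
                and attrs.get("height", "").strip() in ("0", "1"))
        if tiny and host and host != site_host:
            bugs.append(src)
    return bugs


def audit_page(set_cookie_headers, html, site_host):
    """Summarise what a visitor is exposed to on one page."""
    cookies = classify_cookies(set_cookie_headers)
    return {
        "persistent_cookies": [c["name"] for c in cookies if c["persistent"]],
        "session_cookies": [c["name"] for c in cookies if not c["persistent"]],
        "web_bugs": find_web_bugs(html, site_host),
    }


# Constructed sample response from a hypothetical firm's site.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "visitor=xyz789; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/",
    "prefs=plain; Max-Age=31536000; Path=/",
]
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.png" width="200" height="60" alt="Firm logo">
<img src="http://tracker.example.net/pixel.gif" width="1" height="1" alt="">
<img src="http://www.example-firm.co.uk/spacer.gif" width="1" height="1" alt="">
</body></html>
"""
SAMPLE_HOST = "www.example-firm.co.uk"

if __name__ == "__main__":
    for key, value in audit_page(SAMPLE_HEADERS, SAMPLE_HTML, SAMPLE_HOST).items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports `visitor` and `prefs` as persistent cookies, `sessionid` as a session cookie, and the `tracker.example.net` pixel as the only web bug, since the firm's own 1x1 spacer image is served from the site itself. The heuristic is deliberately simple; an image that is hidden by a stylesheet rather than by its width and height attributes would not be caught, so the output is a starting point for the conversation with the site designers, not a substitute for it.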

Set out here is some practical advice for solicitors' firms to try and overcome the issues raised in the report.

Law firms should ensure that (unless they are exempt) they have registered with the Information Commissioner.

There is a continuing obligation to ensure that the registration is up to date.

Internal procedures

The report highlights the need for law firms to have in place a policy or series of policies which deal with the following:

- Managing 'subject access requests' - requests from 'data subjects' (people about whom information is being held) to see the data held about them.

The report shows that only 18% of sites surveyed tell the user how they can access such data.

Law firms should consider implementing a procedure to record what personal data has been collected on a data subject.

- E-commerce policy.

Any changes to the Web site should be discussed with the nominated person within the organisation who is responsible for compliance with the Act.

This is to ensure that such changes do not breach the legislation.

- Managing a database.

When considering the management of the database, law firms should ensure that they have a comprehensive policy relating to the retention of information.

The report showed that at least 25% of Web site operators did not have such a policy in place.

An additional 13.5% said they only deleted customer data when the individual customer asked them to do so.

This is not satisfactory under the Act.

- Data processing procedures.

Law firms should ensure that they only process data that is 'adequate', 'relevant' and 'not excessive'.

For example, is there really a need to collect a home or mobile telephone number? Is it simply for direct marketing? If so, consent from the individual for this particular use is required.

- Data security policy.

The report states that only 45% of Web sites reviewed had a data security policy.

More worryingly, less than half of all Web site operators used some form of secure electronic link.

This is clearly in breach of the seventh data protection principle.

This requires that personal data is processed securely, with appropriate technical and organisational measures taken against unlawful processing and against accidental loss of, or damage to, the data.

Some additional practical measures law firms could consider include password protection, swipe cards, firewalls and encryption of stored data, as well as actively protecting their systems against hacking.

It is also worth considering where the Web site server is physically located.

Is it outside the European Economic Area (EEA)? If so, then the movement of personal data will constitute trans-border flow of information.

This is potentially a breach of the Act unless safe harbour applies (this is a scheme operated by the European Commission whereby US organisations comply with the data protection principles of European law).

Alternatively, law firms should consider standard contractual clauses with the data-importing organisation to provide adequate safeguards with respect to protecting privacy.

Privacy policies

The report highlights the need for Web sites to contain a comprehensive and easy-to-read privacy policy, which would set out how and for what reasons data is to be used.

Not only should such a privacy policy be drafted in plain English and be easy to understand, but also it should be brought to the user's attention immediately before the data is being collected.

The key issues any privacy policy should contain are details as to:

- The identity of the law firm operating the Web site;

- The personal data being collected and why it is being kept;

- The use of cookies;

- The use of data for direct marketing (direct marketing can consist of e-mails, telephone calls as well as mailshots through the post);

- How the information is being held secure (in particular, where is the information being held? Is it off site? Do third parties have access to it?);

- Whether the data is being transferred outside the EEA.

For example, is the server based in the US? Do you send the data to an overseas office?

- Whether the information is being disclosed to third parties - if so, why and to whom (list them).

For example, credit reference agencies are third parties.

- How the firm deals with subject access requests;

- How the firm deals with changes to the privacy policy.

Any such changes will obtain the consent of new users only to the new use.

Law firms should ensure that they get existing users to opt in to this new usage of their data.

This list is by no means comprehensive, and law firms should carefully review how and why they process personal data.

There is much debate over whether or not opt-in or opt-out clauses are required for various forms of processing personal data.

Such clauses consist of a box or other mechanism that allows users to indicate, by way of a tick, that they do not wish their data to be used for a particular specified purpose (opt-out), or consent to such use of their data for the specified purpose (opt-in).

The Directive on Processing of Personal Data and the Protection of Privacy in the Electronic Communication Sector is scheduled to come into force late next year.

It provides that opt-in clauses are required for direct marketing and opt-out clauses are adequate for cookies.

Next steps

One of the aims of the study was to identify areas where there is failure to comply with the Act so that the Information Commissioner can target future efforts to seek compliance and accordingly improve standards of Web site operations.

Such a stance by the commissioner reiterates the desire to ensure the protection of consumers by ensuring that all Web site operators process personal data in compliance with the legislation.

Sarah Gwyndaf-Roberts is an intellectual property and IT law specialist solicitor at Manchester-based Wacks Caller

LINKS: www.dataprotection.gov.uk