Collection of Data
Whilst who you are may be obvious to some visitors to your site, you should make sure that you are clearly identifiable. An organisation's name on its own is of little value in this context. Identification should ideally include complete and useful contact details, such as an e-mail address and a postal address that a visitor may use if he/she wishes to discuss any matter relating to the processing of personal data on your website.
There can be many overt purposes for which visitors should reasonably expect their data to be used. These may include data necessary in the context of a transaction. However, it is possible that data may be processed for non-obvious purposes such as profiling or future marketing. All these purposes must be clearly referred to in the Privacy Statement. Data volunteered on that understanding are fairly obtained. If a purpose is not obvious and not referred to, then it will be difficult for you to lawfully process data for that purpose.
If you plan to release personal data to a third party (other than a person acting as your agent) this is a disclosure and must be referred to in your Privacy Statement. A general exception to this rule is where the disclosure is required by Law.
Right of Access
Under section 4 of the Acts a person has a right to be given a copy of his/her personal data. If you are retaining personal data, you should refer to this Right of Access in your Privacy Statement and include a reference to the procedures to be followed. Under the Acts, a Subject Access Request should be in writing; you may charge a fee not exceeding €6.35 and you must reply within 40 calendar days. Accordingly, you should state whether you will accept an e-mailed or a written request, to whom such a request should be directed and what it should be accompanied by (fee; identification).
Right of rectification or erasure.
Under section 6 of the Acts, a person has a right to have his/her personal data corrected, if inaccurate, or erased, if you do not have a legitimate reason for retaining the data. You cannot charge for complying with such a request and must comply within 40 calendar days of receiving it. If you retain personal data, your Privacy Statement should make reference to this right and detail the procedures a person should follow when making such a request.
Extent of data being processed.
See Section 2 above.
Is there other information that would be recommended to be included?
Section 5 details the information that must be included in a Privacy Statement in order to be compliant with the provisions of the Acts. However, if you intend that your Privacy Statement is a comprehensive description of your on-line data processing, you can also include the following information:
Security.
Whilst you are required to have adequate security measures in place to prevent unauthorised access to, or alteration or destruction of, personal data in your possession, any detailed reference to such measures in a publicly available Privacy Statement would be unwise: a public description of your specific controls tells a would-be attacker what is in place and what is not.
Rather, you should confine yourself to stating that you take your security responsibilities seriously, that you employ the most appropriate physical and technical measures, including staff training and awareness, and that you review these measures regularly.
Accurate, complete and up-to-date.
This is largely a reactive policy, as problems are often only discovered when dealing with the data subject. However, you may make reference to the need to hold only accurate, complete and up-to-date data, suggesting means by which data subjects may update their details or actions you may take to ensure accuracy, such as contacting customers by e-mail.
Adequate, relevant, not excessive.
You are obliged not to hold more data than is necessary for the purpose for which you collect them. Any data in excess of this requirement should either not be requested or, if volunteered, deleted. In a Privacy Statement, you may make reference to a policy to review all data supplied/obtained and delete that which is not necessary, or which is no longer necessary.
Not kept longer than necessary.
Data should not be held for longer than is necessary for the purpose(s) for which they were obtained. Your Privacy Statement could refer to a policy of deleting credit card details once a transaction has been finalised, unless you obtain the consent of customers to retain those details to ease future transactions. If you hold different types of data for different periods, this can also be set out in the Privacy Statement.
Complaint resolution mechanism.
Though not required under Data Protection legislation, some means of dealing with complaints received from the website's users about data processing would be a customer-friendly measure.