The UK Information Commissioner’s Office (ICO) recently published new guidance on the application of data protection laws to social networking and online forums. The guidance clarifies that organizations operating social networking sites or online forums may have responsibilities as data controllers under the UK Data Protection Act. For example, the ICO states that an organization operating a website that allows third parties to add comments or posts about living individuals will be a data controller for the content if the site only allows posts subject to terms and conditions which cover acceptable content and if the site operator can remove posts which breach its policies on such matters.
Such organizations have a responsibility to take reasonable steps to check the accuracy of any personal data posted on their sites by third parties which is presented as a “matter of fact.” The ICO does not consider this obligation to require a site operator to check every individual post for accuracy where the vast majority of the site content is posted directly by third parties, the volume of third-party posts is significant, site content is not moderated in advance, and the site relies on users to comply with user policies and report problems to the site operator. Reasonable steps in this situation would include:
- having clear and prominent policies for users about acceptable and non-acceptable posts;
- having clear and easy-to-find procedures for data subjects to dispute the accuracy of posts and ask for them to be removed; and
- responding to disputes about accuracy quickly and having procedures to remove or suspend access to content, at least until the dispute has been settled.
The guidance also specifies that organizations operating a social networking site or online forum should have policies sufficient to deal with:
- complaints that personal data may have been processed unfairly or unlawfully because of derogatory, threatening, or abusive postings by third parties;
- disputes between individuals about the factual accuracy of posts; and
- complaints about how the organization processes personal data given to it by its users.
The full guidance can be viewed here.