The Information Commissioner’s Office (ICO) has published guidance on when it considers that the Data Protection Act 1998 (the Act) will apply to the use of social networking and online forums. The guidance is clear that when an organisation posts personal data to, or collects personal data from, an online forum, the Act will apply. The guidance also sets out the steps the ICO would expect an organisation to take when it allows a third party to post personal data to its online forum.
The Act applies a principle-based approach to the protection of personal data, which is defined as data from which a living individual can be identified. The Act imposes obligations on the data controller. Given that "data controller" is defined broadly as "a person who determines the purposes for which and the manner in which any personal data are to be processed", and that "processing" has an equally broad definition, social networking activities will often fall within the scope of the Act. An individual or organisation that posts names or contact details on a social networking site would be a data controller processing personal data under the Act. The social network operator itself may also be considered a data controller.
The ICO has issued guidance on the obligations the Act imposes in respect of social networking because the activities described above are commonplace and therefore impose obligations on a large number of individuals and organisations.
The guidance addresses what the ICO sees as the main issues raised by social networking. These are, broadly: personal use of social networking; use by organisations where personal data may be uploaded or downloaded by the organisation; and the extent to which obligations are imposed on the operator of a social networking platform.
The ICO is of the view that personal use falls within the domestic purposes exemption found in Section 36 of the Act. Blogging about family activities, for example, does not fall within the data protection principles. If, however, a personal blog is used for commercial purposes, for example a sole trader promoting his or her business, then the domestic purposes exemption is unlikely to apply. The ICO acknowledges that whether the use of social networks is for domestic or non-domestic purposes is not always clear cut and provides working examples for individuals and groups of individuals to consider.
The use of social networking by commercial organisations, in contrast, does not fall within Section 36, even if the information is posted by an individual on behalf of the organisation. Uploading and downloading of personal data in such circumstances is governed by the Act. The more complicated issue is when the provider of a social networking site or online forum is to be considered a data controller under the Act. This is important, as one of the data protection principles (Principle 4) requires that personal data shall be accurate and up to date. If the provider of a forum is a data controller, this raises the question of how far the provider must go in monitoring and moderating the content of its forum to ensure compliance.
The ICO takes the view that in such circumstances the Act imposes the obligation to take reasonable steps to make sure personal data posted by third parties and presented as fact rather than opinion is accurate. "Reasonable steps" are to be assessed on a case-by-case basis, but would not extend as far as pre-moderating every post. The ICO favours a proportionate approach and would look for the provider to have in place clear policies as to content and a mechanism for complaining about inaccurate posts.
The ICO’s guidance on social networking, in particular the clarification on whether or not an individual can rely on the domestic processing exemption and the extent to which a provider of a forum needs to engage with third party posters in order to comply with the Act, is welcome. Although social networking is a useful tool in engaging consumers, commercial organisations need to ensure compliance with the Act and make sure their employees also understand the organisation’s obligations. The dynamic nature of social networking means that organisations should have in place clear policies and a mechanism for educating employees who may be engaged in social networking on behalf of the organisation.