The Data Protection Act (DPA) contains an exemption for personal data that is processed by an individual for the purposes of their personal affairs. This is often referred to as the "domestic purposes" exemption. It will apply whenever an individual is using an online forum purely for personal purposes. However, it does not cover organisational use of online forums and social media - they are therefore subject to the DPA in the normal way. The Information Commissioner's Office (ICO) has issued guidance on this, explaining that when personal data is put on a business social networking site, message board or blog, the organisation takes on responsibilities as a "data controller" under the DPA. As mentioned in relation to the Gayle case discussed above, the ICO's guidance has no legal effect and it is open to organisations to show compliance with the DPA in other ways. However, it is self-evident that documented compliance with the guidance will help in the event of a complaint.
An example is given of a company setting up a social networking account to improve awareness of its products and asking senior staff to post messages commenting on latest developments in the industry. Some messages might comment on high profile business leaders. Although the staff may express a mixture of corporate and personal views, the messages are part of the company's marketing strategy and are posted for corporate purposes. The company will be a data controller and must comply with DPA obligations on keeping personal data accurate and up to date. It will need to take reasonable steps to check the accuracy of any personal data posted by its employees. This means having clear policies for users about postings and responding quickly to any complaints or disputes about accuracy. The guidance states that it would not be reasonable to expect a large social networking site to check all the posts for accuracy but it would be expected to have measures in place to deal with complaints about factually inaccurate postings.