For those who still think that a "Tweet" is a chirping noise made by a small bird, and couldn't tell Mark Zuckerberg from Mark Wahlberg, social networking is big business. Current figures for this year indicate that live Facebook and Twitter accounts in the UK sit at around 34 million for each platform (which represents a very healthy proportion of the UK's population of approximately 62 million).
Considering the informal environment in which social networking operates and the ever-increasing accessibility of this tool (people sign into their accounts in all manner of places, such as trains, pubs, concerts and even A&E), it's easy to forget that use of this online media can have legal implications.
Notwithstanding the masses of data that social networking generates (e.g. it is thought that over 700,000 Facebook posts are made every minute), the principles of data protection are often overlooked.
The over-arching aim of the Data Protection Act 1998 ("DPA") is to achieve good information handling. Accordingly, people are given specific rights in relation to their personal information and, conversely, others (responsible for processing this information) are subject to certain obligations.
To help navigate this minefield, the ICO has recently issued updated guidance on when the DPA applies to social networking and online forums. The principles can be briefly summarised as follows:
- Individuals that process personal data (e.g. uploading photographs or sharing names/contact details of friends and family) for domestic purposes (i.e. for personal, family or household matters) are exempt from having to comply with the DPA.
- Organisations (including companies, charities, universities, clubs etc.) do not benefit from such an exemption. They (and individuals acting for non-domestic purposes) have responsibilities under the DPA for personal information posted by them on social networking sites and forums and for personal information downloaded from social networking sites and forums. This is still the case where an organisation arranges for an employee to process personal data via his or her personal page on its behalf.
- Individuals who operate as sole traders and use social media in relation to their business, i.e. for non-domestic purposes, (e.g. posting customer reviews) must also comply with the DPA.
- Groups of individuals may be exempt from having to comply with the DPA depending on the purpose of their data processing. For example, friends who create a holiday page and upload photographs will likely be doing this for each individual's recreational purposes and therefore be exempt; however, a local running club which publishes race times will be doing so for the distinct collective purposes of the club and must comply with the DPA.
- Organisations, or individuals acting for non-domestic purposes, that operate an online forum should take reasonable steps to ensure that information posted on their sites by third parties is accurate. What is "reasonable" will vary from case to case. The ICO would, however, expect larger social networking sites to have measures in place to deal with complaints about postings that are factually incorrect.
This area of law is not always black and white (especially when someone uses personal information for mixed purposes from a single account) and legal input is always recommended, to ensure compliance with the legislation and avoid potential ICO fines.
If you are in any doubt as to your data protection obligations (i.e. whether you have them and what it means if you do), we can provide practical and concise advice, including the implementation of risk-based strategies, the preparation of policies and procedures, the handling of subject access requests, the provision of training and the carrying out of compliance audits.