Personal Information Online

The Information Commissioner has now published his Code of Practice on Personal Information Online (also available as PDF), for which we gave early input. It  seems to contain a lot of helpful and pragmatic advice. There are chapters on when the DPA applies, marketing goods and services (including behavioural advertising), providing privacy choices and sensible defaults, operating internationally (including using cloud and other outsourced services), individual rights online and things to avoid. Examples and recommendations are mostly given in the context of designing web services but should be valuable for other types of system as well. This Code of Practice for service operators has a matching guide for users on Protecting Personal Information On-Line.

Throughout, organisations are encouraged to reduce as far as possible the amount of personal data they process, and to be open about what they are doing with it.There is an annex of suggestions on how this can be done, mentioning both pseudonyms and federated access management. There's even a recognition that separating processing and identification can be a privacy gain, which is not how the strict letter of current law regards it.

The Commissioner can't resolve the "practical and sometimes insurmountable difficulties in complying with all aspects of the DPA in respect of non-obvious personal identifiers" - that needs a revision of European law - but he does at least admit that they exist. Having this good practice guidance on the use of 2010 (rather than 1995) technology should both help organisations and developers understand how to do the right thing and help legislators to bring the law up to date with how privacy can and should be protected.