The Information Commissioner’s Office has recently published guidance on the application of the Data Protection Act 1998 (“DPA”) to social networking sites and online forums. Individuals using online forums purely in a personal capacity for their own domestic or recreational purposes do not have to comply with the data protection principles under the DPA because they qualify from an exemption. However, organisations such as businesses, charities and political parties which use social networking sites or other online forums for their ordinary corporate or organisational purposes must ensure they comply with the DPA. Likewise, individuals who process personal data in the course of running a business are subject to the DPA.
Organisations that use social media or other online forums have responsibilities under the DPA
- if they post personal data on their own or a third party’s website;
- if they download and use personal data from a third party website;
- if they run a website which allows third parties to add comments or posts about living individuals, and they are a data controller for the website content.
If the organisation running the site is a data controller for the content that it allows third parties to post, it must take “reasonable steps” to ensure that such personal data is accurate and up to date. What the ICO considers to be “reasonable steps” will vary depending on the individual circumstances of each case. Depending on facts such as the volume of third party posts and whether the site content is moderated in advance, “reasonable steps” may not require the data controller to check every individual post for accuracy, but might include:
- having clear and prominent policies for users about acceptable and non-acceptable posts;
- having clear and easy to find procedures in place for data subjects to dispute the accuracy of posts and ask for them to be removed;
- responding to disputes about accuracy quickly, and having procedures to remove or suspend access to content, at least until such time as a dispute has been settled.
The guidance can be found here.