Do Bloggers Need Privacy Statements?
From the keyboard of Paul on June 19th, 2008. Tagged with: data protection, DPC, privacy statement
Filed under: Blog, Internet, Security.
Via Mulley comes the case of boards.ie not being allowed to label a user as banned, because the user had used part of their real name as their boards.ie username. The decision came from the Data Protection Commission, so boards.ie are required to follow it. Although this is a bit of a strange decision, I can see the DPC’s logic.
What interested me more was the last part of the DPC’s letter:
I also note that your website does not have a privacy statement, which is required by data protection legislation if your site does any of the following:
- Collects personal data (visitors filling in web forms, feedback forms etc.)
- Uses cookies or web beacons, or
- Covertly collects personal data (IP addresses, email addresses)
I had a look at the Data Protection Commission’s website for some guidance.
Using WordPress as a publishing platform means that my website does collect this type of information any time a comment is left - WordPress stores the name, email address and IP address. Statistics packages also track IP addresses, along with referring sites, browser versions, OS versions etc. So from what I can see, if you run a personal blog you are required, by law, to have a Privacy Statement.
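Since the trigger here is that WordPress writes the commenter’s IP address (and, via the User-Agent header, their browser and OS) into the comments table, one practical response is to store less of it. The following is an added example of a small WordPress plugin, not code from this blog or from WordPress itself; the plugin name and the `cdm_` function names are hypothetical. It relies on two filters that WordPress core applies in `wp_filter_comment()` before a comment is inserted: `pre_comment_user_ip` and `pre_comment_user_agent`.

```php
<?php
/*
Plugin Name: Comment Data Minimisation (example)
Description: Truncates commenter IP addresses and drops the User-Agent before WordPress stores them.
*/

// Hypothetical example plugin, not part of WordPress or of this blog.
// Save as wp-content/plugins/comment-data-minimisation.php and activate it.

/**
 * Reduce an IP address to its network prefix before storage.
 * IPv4 keeps the first three octets (a /24); IPv6 keeps the first 48 bits.
 * Anything unparseable becomes an empty string rather than being stored raw.
 */
function cdm_truncate_ip( $ip ) {
    $packed = @inet_pton( $ip );
    if ( $packed === false ) {
        return '';
    }
    if ( strlen( $packed ) === 4 ) {
        // IPv4: zero the last octet, e.g. 192.0.2.45 -> 192.0.2.0
        $packed[3] = "\0";
    } else {
        // IPv6: keep the first 6 bytes (48 bits), zero the remaining 10.
        $packed = substr( $packed, 0, 6 ) . str_repeat( "\0", 10 );
    }
    return inet_ntop( $packed );
}

/**
 * Discard the User-Agent string (browser and OS versions) entirely.
 */
function cdm_drop_user_agent( $user_agent ) {
    return '';
}

// wp_filter_comment() runs these on comment_author_IP and comment_agent
// before wp_insert_comment() writes the row.
add_filter( 'pre_comment_user_ip', 'cdm_truncate_ip' );
add_filter( 'pre_comment_user_agent', 'cdm_drop_user_agent' );
```

Note that this only changes what WordPress writes to its own comments table: the web server’s access log, and any statistics package, still record the full address, so the privacy statement question does not go away; it just covers less data. Spam-filtering plugins that rely on the commenter’s IP should be checked to see whether they read it before or after this filter runs.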
Furthermore, if your website is hosted on a 3rd party server (which would mean practically everybody, apart from maybe Michele, who probably has his own server farm at this stage!), then the hosting provider is also considered a Data Processor under the law and is required to give you a contract detailing what they may do with the data on your behalf and the security measures in place to protect it.
Of course, I may be reading this all wrong, so I’ve written to both the DPC and my hosting provider for some clarification on the issue. The details are below the fold, and I’ll get back to you when I hear more.
Questions asked in email sent to DPC:
- As a personal website that accepts comments from readers, and requires the above information before a comment can be accepted, am I required to have a Privacy Statement?
- Am I required to delete comments or to remove personally identifiable information after a certain period of time? As I plan to keep this website going indefinitely, what are my obligations in relation to keeping this data?
- My website does not use SSL or encryption when accepting a person’s information. Am I required to inform a commenter that this is the case when they submit their details, or will the Privacy Statement be sufficient for this?
- As I also accept comments from readers outside the EU, what are my legal obligations in relation to their data?
- My website is hosted on a 3rd party server. As per your Privacy Statement guidelines, if a Privacy Statement is required on my personal website, am I required to include the details of my contract with them detailing what they may do with data on my behalf and what security measures they have in place?
- I use various statistics packages to measure website usage. These packages generally store information such as IP address, search terms that led the user to my site, referring websites, browser versions, operating systems, and country of origin. Would this information fall within the scope of the Privacy Statement?
- One of the statistics packages that I use is Google Analytics. The information that this package stores may be kept on servers that are outside the EU. Am I required to make note of this in a Privacy Statement?
June 19th, 2008 at 11:56
You’ll only confuse the DPC, careful!
June 19th, 2008 at 12:01
I hope so, because I’m pretty confused myself most of the time!
June 21st, 2008 at 09:48
Your site also openly displays a commenter’s geographic location, O/S and browser. Hence, not only are you collecting data, you are making it freely available. Not that I can imagine why anyone would give a damn, but I have a niggling fear of the Tayto-syndrome.
Anyway, I would love to read their response. Though it’s probably scheduled for action at twenty past hell freezing over.
June 21st, 2008 at 14:55
I did get a standard reply from the DPC to the effect that they did receive my email and they would get back to me in 7 days. Let’s see if they mean 7 days in the Biblical sense!
I wonder if browser, country and OS are protected data though? It can’t be readily used to identify someone, i.e. there are quite a few people in Ireland using Windows XP and Firefox.
The DPC website only refers to IP address and email address. One more question I’ll have to ask them!
June 23rd, 2008 at 10:02
[...] Breslin has received a letter. Read the letter HERE. His post is interesting, and, as Paul observes, raises unanswered questions. What springs to mind is the challenge in trying explain the [...]