Following on from my post about whether “Do Bloggers Need Privacy Statements”, I received the following response from the DPC. By the way, the delay in posting this is down to the real world intervening and not due to the DPC. In order to make it easier to follow, I have posted my original question, immediately followed by the DPC response.
You should also be aware that the following answers are in response to my specific queries, and as such may not apply to your site. If in doubt, check with the DPC.
Question 1: As a personal website that accepts comments from readers, and requiring the above information before a comment can be accepted, am I required to have a Privacy Statement?
DPC Response:
“We would consider that you would be a data controller for the purposes of the Data Protection Acts.
Further general information on the responsibilities of Data Controllers is available at the link below:
http://www.dataprotection.ie/docs/The_Data_Protection_Rules/21.htm
We also have extensive guidance on the contents of Privacy Statements and as a Data Controller who collects personal information through the website, you would be required to have a privacy statement.”
Question 2: Am I required to delete comments or to remove personally identifiable information after a certain period of time? As I plan to keep this website going indefinitely, what are my obligations in relation to keeping this data?
“As a data controller one of the responsibilities above requires that you only retain information for as long as is necessary so you would have to take account of this.”
Question 3: My website does not use SSL or encryption when accepting a person's information. Am I required to inform a commenter that this is the case when they submit their details, or will the Privacy Statement be sufficient for this?
“You should clearly flag that you do not use such security in your privacy statement.”
Question 4: As I also accept comments from readers outside the EU, what are my legal obligations in relation to their data?
“Your obligations are the same no matter where the comments originate.”
Question 5: My website is hosted on a 3rd Party server, as per your Privacy Statement guidelines, if a Privacy Statement is required on my personal website, am I required to include the details of my contract from them detailing what they may do with data on my behalf and what security measures they have in place?
“You are not required to specifically state that your site is hosted by a third party in a privacy statement. The Data Protection Acts just oblige you to have a contract in place with that third party specifying its obligations to the data. If the host company is located outside of the European Economic Area, you would also be required to use a ‘model contract’ to cover this transfer. Further information on these obligations is available at the following link:
Question 6: I use various statistics packages to measure website usage. These packages generally store information such as IP address, search terms that led the user to my site, referring websites, browser versions, operating systems, and country of origin. Would this information fall within the scope of the Privacy Statement?
“IP addresses collected in the manner you have outlined would be considered to be likely to be personal data. However, as the data controller in relation to this information you can carry out this research for your own purposes, as long as you did not release this information (containing IP addresses) to third parties. To ensure fair processing, you should include the fact that you use IP addresses to monitor usage patterns etc in your privacy statement and delete them within a very short period.”
Question 7: One of the statistics packages that I use is Google Analytics. The information that this package stores may be kept on servers that are outside the EU. Am I required to make note of this in a Privacy Statement?
“In relation to the use of Google Analytics on your site, it would be sufficient to refer to the fact that you use this product in your privacy statement (I understand that Google stipulate this as a condition of use of the product in any case).”
So the answer to my original query is that yes, bloggers do need a privacy statement if they collect personal information, and that collecting statistics does make you a data controller under the current Irish legislation.