<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>What I Think &#187; data protection</title>
	<atom:link href="http://www.paulmc.org/whatithink/tag/data-protection/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.paulmc.org/whatithink</link>
	<description>Yes. I&#039;m back.</description>
	<lastBuildDate>Sat, 24 Jul 2010 20:23:49 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.5</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Blogging and Privacy Statements</title>
		<link>http://www.paulmc.org/whatithink/2008/07/22/blogging-and-privacy-statements/</link>
		<comments>http://www.paulmc.org/whatithink/2008/07/22/blogging-and-privacy-statements/#comments</comments>
		<pubDate>Tue, 22 Jul 2008 11:45:20 +0000</pubDate>
		<dc:creator>Paul</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[DPC]]></category>
		<category><![CDATA[privacy statement]]></category>

		<guid isPermaLink="false">http://www.paulmc.org/whatithink/?p=555</guid>
		<description><![CDATA[
Following on from my post about whether &#8220;Do Bloggers Need Privacy Statements&#8221;, I received the following response from the DPC. By the way, the delay in posting this is down to the real world intervening and not due to the DPC. In order to make it easier to follow, I have posted my original question, [...]]]></description>
			<content:encoded><![CDATA[<p>
Following on from my post about whether <a href="http://www.paulmc.org/whatithink/2008/06/19/do-bloggers-need-privacy-statements/">&#8220;Do Bloggers Need Privacy Statements&#8221;</a>, I received the following response from the DPC. By the way, the delay in posting this is down to the real world intervening and not due to the DPC. In order to make it easier to follow, I have posted my original question, immediately followed by the DPC response.
</p>
<p>
You should also be aware that the following answers are in response to my specific queries, and as such may not apply to your site. If in doubt, check with the <a href="http://www.dataprotection.ie">DPC</a>.
</p>
<p>
<b>Question 1:</b> As a personal website that accepts comments from readers, and requiring the above information before a comment can be accepted, am I required to have a Privacy Statement?</p>
<p><b>DPC Response:</b></p>
<blockquote><p>&#8220;We would consider that you would be a data controller for the purposes of the Data Protection Acts.</p>
<p>Further general information on the responsibilities of Data Controllers is available at the link below: </p>
<p><a href="http://www.dataprotection.ie/docs/The_Data_Protection_Rules/21.htm">http://www.dataprotection.ie/docs/The_Data_Protection_Rules/21.htm</a></p>
<p>We also have extensive guidance on the contents of Privacy Statements and as a Data Controller who collects personal information through the website, you would be required to have a privacy statement.</p>
<p><a href="http://www.dataprotection.ie/docs/PrivStatements/290.htm">http://www.dataprotection.ie/docs/PrivStatements/290.htm</a>&#8221;
</p></blockquote>
<p>
<b>Question 2:</b> Am I required to delete comments or to remove personally identifiable information after a certain period of time? As I plan to keep this website going indefinitely, what are my obligations in relation to keeping this data?</p>
<blockquote><p>
&#8220;As a data controller one of the responsibilities above requires that you only retain information for as long as is necessary so you would have to take account of this.&#8221;
</p></blockquote>
<p>
<b>Question 3:</b> My website does not use SSL or encryption when accepting a person's information. Am I required to inform a commenter that this is the case when they submit their details, or will the Privacy Statement be sufficient for this?</p>
<blockquote><p>
&#8220;You should clearly flag that you do not use such security in your privacy statement.&#8221;
</p></blockquote>
<p>
<b>Question 4:</b> As I also accept comments from readers outside the EU, what are my legal obligations in relation to their data?</p>
<blockquote><p>
&#8220;Your obligations are the same no matter where the comments originate.&#8221;
</p></blockquote>
<p>
<b>Question 5:</b> My website is hosted on a 3rd Party server, as per your Privacy Statement guidelines, if a Privacy Statement is required on my personal website, am I required to include the details of my contract from them detailing what they may do with data on my behalf and what security measures they have in place?</p>
<blockquote><p>
&#8220;You are not required to specifically state that your site is hosted by a third party in a privacy statement.  The Data Protection Acts just oblige you to have a contract in place with that third party specifying its obligations to the data.  If the host company is located outside of the European Economic Area, you would also be required to use a ‘model contract’ to cover this transfer.  Further information on these obligations is available at the following link:</p>
<p><a href="http://www.dataprotection.ie/docs/Transfers_Abroad/37.htm">http://www.dataprotection.ie/docs/Transfers_Abroad/37.htm</a>&#8221;
</p></blockquote>
<p>
<b>Question 6:</b> I use various statistics packages to measure website usage. These packages generally store information such as IP address, search terms that led the user to my site, referring websites, browser versions, operating systems, and country of origin. Would this information fall within the scope of the Privacy Statement?</p>
<blockquote><p>
&#8220;IP addresses collected in the manner you have outlined would be considered to be likely to be personal data. However, as the data controller in relation to this information you can carry out this research for your own purposes, as long as you did not release this information (containing IP addresses) to third parties.  To ensure fair processing, you should include the fact that you use IP addresses to monitor usage patterns etc in your privacy statement and delete them within a very short period.&#8221;
</p></blockquote>
<p>
<b>Question 7:</b> One of the statistics packages that I use is Google Analytics. The information that this package stores may be kept on servers that are outside the EU. Am I required to make note of this in a Privacy Statement?</p>
<blockquote><p>
&#8220;In relation to the use of Google Analytics on your site, it would be sufficient to refer to the fact that you use this product in your privacy statement (I understand that Google stipulate this as a condition of use of the product in any case).&#8221;
</p></blockquote>
<p>
So the answer to my original query is that yes, bloggers do need a privacy statement if they collect personal information, and that collecting statistics does make you a data controller under the current Irish legislation.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.paulmc.org/whatithink/2008/07/22/blogging-and-privacy-statements/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Do Bloggers Need Privacy Statements?</title>
		<link>http://www.paulmc.org/whatithink/2008/06/19/do-bloggers-need-privacy-statements/</link>
		<comments>http://www.paulmc.org/whatithink/2008/06/19/do-bloggers-need-privacy-statements/#comments</comments>
		<pubDate>Thu, 19 Jun 2008 10:45:33 +0000</pubDate>
		<dc:creator>Paul</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[DPC]]></category>
		<category><![CDATA[privacy statement]]></category>

		<guid isPermaLink="false">http://www.paulmc.org/whatithink/?p=517</guid>
		<description><![CDATA[
Via Mulley is the case of boards.ie not being able to label a user as being banned because they used part of their name as their boards.ie username. The decision came from the Data Protection Commission, so boards.ie are required to follow it. Although this is a bit of a strange decision, I can see [...]]]></description>
			<content:encoded><![CDATA[<p>
Via <a href="http://www.mulley.net/2008/06/19/fluffy-links-thursday-june-19th-2008/">Mulley</a> is the case of boards.ie not being able to label a user as being banned because they used part of their name as their boards.ie username. The <a href="http://www.johnbreslin.com/blog/2008/06/09/youre-banned-but-we-cant-tell-anyone-about-it/">decision</a> came from the Data Protection Commission, so boards.ie are required to follow it. Although this is a bit of a strange decision, I can see the DPC&#8217;s logic.
</p>
<p>
What interested me more was the last part of the DPC&#8217;s letter:</p>
<blockquote><p>
I also note that your website does not have a privacy statement, which is required by data protection legislation if your site does any of the following:</p>
<ul>
<li>Collects personal data (visitors filling in web forms, feedback forms etc)</li>
<li>uses cookies or web beacons, or</li>
<li>covertly collects personal data (IP addresses, email addresses)</li>
</ul>
</blockquote>
<p>
I had a look at the Data Protection Commission&#8217;s website for some <a href="http://dataprotection.ie/viewdoc.asp?m=m&#038;fn=/documents/guidance/PrivStatements.htm">guidance</a>.
</p>
<p>
Using WordPress as a publishing platform means that my website does collect this type of information any time a comment is left &#8211; WordPress stores the name, email address and IP address. Statistics packages also track IP addresses, along with referring sites, browser versions, OS versions etc. So from what I can see, if you run a personal blog you are required, by law, to have a Privacy Statement.
</p>
<p>
Furthermore, if your website is hosted on a 3rd party server, (which would mean practically everybody, apart from maybe <a href="http://www.mneylon.com/blog/">Michele</a>, who probably has his own server farm at this stage!), then they are also considered to be a Data Processor under the law and are required to give you a contract detailing what they may do with the data on your behalf and the security measures in place to protect it.
</p>
<p>
Of course, I may be reading this all wrong, so I&#8217;ve written to both the DPC and my hosting provider for some clarification on the issue. The details are below the fold, and I&#8217;ll get back to you when I hear more.
</p>
<p><span id="more-517"></span></p>
<p>
Questions asked in email sent to DPC:
</p>
<ol>
<li>As a personal website that accepts comments from readers, and requiring the above information before a comment can be accepted, am I required to have a Privacy Statement?</li>
<li>Am I required to delete comments or to remove personally identifiable information after a certain period of time? As I plan to keep this website going indefinitely, what are my obligations in relation to keeping this data?</li>
<li>My website does not use SSL or encryption when accepting a person's information. Am I required to inform a commenter that this is the case when they submit their details, or will the Privacy Statement be sufficient for this?</li>
<li>As I also accept comments from readers outside the EU, what are my legal obligations in relation to their data?</li>
<li>My website is hosted on a 3rd Party server, as per your Privacy Statement guidelines, if a Privacy Statement is required on my personal website, am I required to include the details of my contract from them detailing what they may do with data on my behalf and what security measures they have in place?</li>
<li>I use various statistics packages to measure website usage. These packages generally store information such as IP address, search terms that led the user to my site, referring websites, browser versions, operating systems, and country of origin. Would this information fall within the scope of the Privacy Statement?</li>
<li>One of the statistics packages that I use is Google Analytics. The information that this package stores may be kept on servers that are outside the EU. Am I required to make note of this in a Privacy Statement?</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.paulmc.org/whatithink/2008/06/19/do-bloggers-need-privacy-statements/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
	</channel>
</rss>
