[thelist] privacy statement - where to begin ?

martin.p.burns at uk.pwcglobal.com martin.p.burns at uk.pwcglobal.com
Thu Jun 14 10:29:18 CDT 2001


Memo from Martin P Burns of PricewaterhouseCoopers

-------------------- Start of message text --------------------

The UK data protection legislation is a pretty good best practice example.

Essentially, if you collect, store, process or use personal data about individuals, you have to register:
*) what data types you're collecting
*) what you plan to do with them

Also, you have to get the individual's explicit, separate permissions to (a) collect and store their data and (b) use it for outbound contact.

In each place you collect data, you need to have these opt-outs/ins, and be able to show that anyone on your database has agreed to your collection, storage and use of that data.

If the individual requests a copy of what you hold on them, you have to supply it, although you can charge a 'reasonable' (usually interpreted as about UKP10) fee.

One finance company I know had to change a flag for customers - if they're not likely to be profitable, they used to be flagged as 'poor' (as in a poor prospect). Because of the requirement for inspection, they changed this as it wouldn't go down too well with the people in question, or the press.

There are also some basic principles you should abide by. Data should be:

   fairly and lawfully processed;
   processed for limited purposes;
   adequate, relevant and not excessive;
   accurate;
   not kept longer than necessary;
   processed in accordance with the data subject's rights;
   secure;
   not transferred to countries without adequate protection.

Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the data controller towards the individual, although in some limited circumstances exemptions will apply. With processing, the definition is far wider than before. For example, it incorporates the concepts of 'obtaining', 'holding' and 'disclosing'.

There's a bunch of stuff at
http://www.dataprotection.gov.uk/

You might also be interested in P3P
FWIW, IE6 implements P3P, although its default settings are, um, interesting:
http://www.theregister.co.uk/content/4/19654.html
http://www.theregister.co.uk/content/6/19683.html
(MSN cookies allowed through, competitor Doubleclick's not at the default
setting)

Some examples from my site:
http://www.easyweb.co.uk/contact/
note the opt-in, and the privacy policy info:
http://www.easyweb.co.uk/legal/privacy.html
which is basically what IBM's P3P app churns out - it quizzes you on what you're collecting and what you're using it for, and puts out:
1) A P3P XML file which isn't well-formed
2) An HTML file - a human-readable version of the XML info.

Hope this helps

Cheers
Martin
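As an added illustration of the P3P point above (this is editor's example code, not from the thelist thread, IBM's tool or Martin's site): a small checker that first tests a P3P 1.0 policy for well-formedness, then summarises each STATEMENT's declared data items, purposes and contact consent setting, which maps onto the register of "what data types" and "what you plan to do with them". The policy XML, entity name and URL below are constructed for this example.

```python
"""Check a P3P 1.0 policy for well-formedness and summarise what it declares."""
import xml.etree.ElementTree as ET

P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed sample policy for a newsletter sign-up form (not any real site's policy).
SAMPLE_POLICY = """<?xml version="1.0"?>
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="newsletter" discuri="http://example.invalid/legal/privacy.html">
    <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Co</DATA></DATA-GROUP></ENTITY>
    <ACCESS><all/></ACCESS>
    <STATEMENT>
      <PURPOSE><current/><contact required="opt-in"/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#user.home-info.online.email"/>
        <DATA ref="#user.name"/>
      </DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>
"""

# Constructed broken variant: one closing tag dropped, so the file is not well-formed.
BROKEN_POLICY = SAMPLE_POLICY.replace("</RETENTION>", "")


def parse_policy(xml_text):
    """Return the parsed root element, or None when the XML is not well-formed."""
    try:
        return ET.fromstring(xml_text)
    except ET.ParseError:
        return None


def summarise(xml_text):
    """List each STATEMENT as (data refs, purposes, contact consent); None if unparseable."""
    root = parse_policy(xml_text)
    if root is None:
        return None
    out = []
    for st in root.iter(P3P_NS + "STATEMENT"):
        refs = [d.get("ref") for d in st.iter(P3P_NS + "DATA")]
        purposes = [p.tag[len(P3P_NS):] for p in st.find(P3P_NS + "PURPOSE")]
        contact = st.find(P3P_NS + "PURPOSE/" + P3P_NS + "contact")
        # P3P's 'required' attribute defaults to "always" (no consent step at all).
        consent = contact.get("required", "always") if contact is not None else None
        out.append((refs, purposes, consent))
    return out


def contact_without_opt_in(xml_text):
    """Statements that permit outbound contact without an explicit opt-in."""
    return [s for s in (summarise(xml_text) or []) if s[2] is not None and s[2] != "opt-in"]
```

Running `contact_without_opt_in` over a generated policy is a quick way to spot a mailing-list statement that defaults to "always" or "opt-out" where the site's form actually promises opt-in.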
Please respond to thelist at lists.evolt.org

Sent by:  thelist-admin at lists.evolt.org

To:   "'thelist at lists.evolt.org'" <thelist at lists.evolt.org>
cc:


Subject:  RE: [thelist] privacy statement - where to begin ?


hiya!

what you have to do depends on how global you are. the eu has some data
protection rules, and the us has pending legislation. it's not for you or
your boss to write -- you actually probably should get a lawyer. but, imho,
basically you should be ok if 1- you have an "opt-in" policy, not an
"opt-out" and 2- you never ever sell any of the information you collect.
also, try to avoid deals with your online ad people that involve them
tracking users through the site or sending cookie info to their databases.

-----Original Message-----
From: Jelle Desramaults [mailto:nsg_chong at hotmail.com]
Sent: Wednesday, June 13, 2001 10:08 AM
To: thelist at lists.evolt.org
Subject: [thelist] privacy statement - where to begin ?


Heja, evolters

first post here, just wanna say i'm happy to be here and hope i'll be able
to contribute a bit.

anyway, my boss would like to insert a privacy statement in our company's website, because we'll be using a mailing list (and a privacy statement looks so damn professional). Neither myself nor my boss has a clue as to what to put in the statement. Does the privacy statement have any legal power? Does it have to live up to certain legal guidelines?



--------------------- End of message text --------------------

The principal place of business of PricewaterhouseCoopers and its associate
partnerships is 1 Embankment Place, London WC2N 6NN where lists of the
partners' names are available for inspection. All partners in the associate
partnerships are authorised to conduct business as agents of, and all
contracts for services to clients are with, PricewaterhouseCoopers. The UK
firm of PricewaterhouseCoopers is authorised by the Institute of Chartered
Accountants in England and Wales to carry on investment business.
PricewaterhouseCoopers is a member of the world-wide
PricewaterhouseCoopers organisation.
----------------------------------------------------------------
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material.  Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited.   If you received
this in error, please contact the sender and delete the material from any
computer.