Alerts and Updates

UK Updates Guidance for Data-Protection Legislation with Online Code of Practice for Personal Information

July 12, 2010

On July 7, 2010, the UK's Information Commissioner's Office (ICO) issued its new Code of Practice on handling personal information online. The Personal Information Online Code of Practice aims to update guidance on UK data-protection legislation reflecting the new online world, including social networking, cloud computing, cookies and online advertising.

Highlights of the Code include:

  • The Code addresses issues around cloud computing and incorporates a checklist-based approach for moving data into the cloud.
  • The ICO recognizes that with the increased number of alternatives to Microsoft's Internet Explorer as an Internet browser, individuals are likely to have more control over their privacy preferences. The ICO contends that providers of browser software "have a key data protection role to play" and encourages browser providers to develop easy ways for individuals to manage their privacy settings.
  • The ICO maintains that IP addresses should not necessarily be treated as personal data. This contrasts with the position adopted by regulators in some other European jurisdictions and recognizes that shared household PCs could have multiple users.
  • A reminder that data-processing agreements must be in writing with appropriate security measures in place.
  • A reminder that every organization must have a plan in place for dealing with security breaches.
  • The recommendation that "special effort" be made to explain behind-the-scenes information analysis, such as where websites have differential pricing based on previous online behavior. As an illustration, some airlines change the price of a flight based on information about previous visits to their website. The ICO would like to see this type of activity fully disclosed to consumers.
  • The ICO recognizes that the use of cookies could be necessary for some sites, but considers it good practice where cookies are not necessary to provide "a simple means of disabling the targeting of advertising using behavioural data."
  • The ICO recommends that privacy policies also state what will happen to a user's data when they close their account; for example, will it be archived or deleted?

While the Code does not have the force of law, it may be a good indication of how data-protection law will be applied by the regulator in the UK.

The Code comes at a time of great change to data-protection law across Europe. A new European Union directive is likely to signify changes across the EU within the next two years. There are also moves at harmonization, both within Europe and with the United States, with EU data-privacy regulators holding a meeting with the FTC in Brussels today. A number of countries are also looking at their own legislation. In the UK, the Office of Fair Trading recently announced the result of its own consultation (discussed in the June 8, 2010, Duane Morris Alert, "UK to Focus Efforts on Regulating Online Advertising") and the Ministry of Justice announced a review of the primary legislation earlier this month.

About Duane Morris

Duane Morris assisted the Computer & Communications Industry Association (CCIA) in the submissions they made to the ICO on the draft Code. A number of the CCIA's recommendations have been adopted by the ICO. To learn more on the ICO consultation, please visit

For Further Information

If you have any questions this Alert, please contact Jonathan P. Armstrong in our London office, any of the members of the Information Technologies and Telecom Practice Group or the attorney in the firm with whom you are regularly in contact.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.