Your Website and the DPA


Is your website breaking the law? Are you aware of the Data Protection Act (DPA) and its implications? This month's AGUK Newsletter covers these important points, and provides tips on staying within the law.

Data Protection Act 1998

Anyone handling personal information via a computer system or network must comply with the Data Protection Act. It is the law. The Act sets out eight data protection principles; this Newsletter cannot cover them comprehensively and looks only at their impact on your website.

Website Compliance

Ensuring your website complies with the DPA need not be complex or expensive. To check your current level of compliance, use our checklist.

Compliance Checklist

  • Do you ask customers/clients for personal information? If so, is it gathered and processed in a secure way (for example, is the form submitted over an encrypted connection, and is the data stored and transmitted securely once received)?
  • Is the information you amass from visitors to your website adequate, relevant and not excessive? Or do you collect more information than you need, or more than your visitors expect to provide?
  • Who has access to the information collated, and is that access restricted to the people who need it? Is any of it sensitive?

Sensitive Data

Even if you are unaware of it, your website - like most websites - stores personal data. It is held in the web server's "log files" (access logs). These record every request made to your website and can include:

  • Their IP address, from which a geographical location can be inferred
  • The page they came from (the HTTP Referer header), if their browser sends it
  • The pages they visit on your site, in what order, and at what times
  • Facts about their own computer, including its hostname (if your server performs reverse DNS lookups), its browser and operating system (the User-Agent header), and possibly a login username (reported by an ident daemon on the visitor's machine, if one is running)

The most sensitive, and potentially damaging, is the last. While some internet users have security safeguards to prevent revealing such details, others do not. Some web surfers may even have called their computer by their own name. That, coupled with the IP address or hostname, could mean that you are processing personal data under the DPA, with all the obligations that brings. Note that the Act uses "sensitive personal data" as a defined term (racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life and criminal record); log data of the kind above is more accurately "personal data", which is still covered by the Act.
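The practical check that follows from this is to look at what your own access log actually records, and to keep only what you need. The script below is an added example, not code from the original newsletter: it parses lines in the standard Apache/nginx "combined" log format (host, ident username, HTTP auth user, date, request, status, bytes, referer, user agent), reports which fields of each line can identify the visitor, and writes a minimised copy in which the IP address is truncated to its network, hostnames and ident usernames are dropped, and the referer is removed. The log lines it runs on are constructed for illustration and are not from any real server.

```python
"""Inspect an Apache/nginx 'combined' access log for personal data and
produce a minimised copy.

Added example, not part of the original newsletter.  The sample lines are
constructed; the field layout is the standard 'combined' format:
  host ident authuser [date] "request" status bytes "referer" "user-agent"
"""
import ipaddress
import re

# Constructed sample log (not a real log).  Line 2 shows a reverse-DNS
# hostname and an ident username, the case the newsletter warns about;
# line 3 is an IPv6 visitor with no referer.
SAMPLE_LOG = """\
203.0.113.42 - - [10/Oct/2000:13:55:36 +0100] "GET /index.html HTTP/1.1" 200 2326 "http://www.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"
fredbloggs-pc.example.net fred - [10/Oct/2000:13:56:01 +0100] "GET /prices.html HTTP/1.1" 200 1820 "http://www.example.org/index.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"
2001:db8::1 - - [10/Oct/2000:13:57:12 +0100] "GET /contact.html HTTP/1.1" 200 940 "-" "Mozilla/4.08 [en] (Win98; I ;Nav)"
"""

COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<authuser>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_combined(line):
    """Return the fields of one 'combined' format line as a dict, or None."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def personal_fields(entry):
    """List the fields of a parsed entry that can identify the visitor."""
    found = []
    if entry["host"] != "-":
        found.append("host")        # IP address or reverse-DNS hostname
    if entry["ident"] != "-":
        found.append("ident")       # login username reported by identd
    if entry["authuser"] != "-":
        found.append("authuser")    # HTTP authentication user
    if entry["referer"] not in ("-", ""):
        found.append("referer")     # the page the visitor came from
    return found


def anonymise_host(host):
    """Truncate an IPv4 address to its /24 and IPv6 to its /48; a hostname
    cannot be truncated meaningfully, so it is replaced outright."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "host-redacted"
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def minimise(entry):
    """Copy of the entry keeping only what is needed for traffic statistics."""
    out = dict(entry)
    out["host"] = anonymise_host(entry["host"])
    out["ident"] = "-"
    out["authuser"] = "-"
    out["referer"] = "-"
    return out


def format_combined(entry):
    """Re-serialise a parsed entry in 'combined' format."""
    return ('{host} {ident} {authuser} [{time}] "{request}" {status} {bytes} '
            '"{referer}" "{agent}"').format(**entry)


def minimise_log(text):
    """Parse every line; return ([(host, personal fields)], [minimised lines]).
    Lines that do not match the format are skipped."""
    report, lines = [], []
    for line in text.splitlines():
        entry = parse_combined(line)
        if entry is None:
            continue
        report.append((entry["host"], personal_fields(entry)))
        lines.append(format_combined(minimise(entry)))
    return report, lines


if __name__ == "__main__":
    report, lines = minimise_log(SAMPLE_LOG)
    for host, fields in report:
        print(f"{host}: personal data in fields {fields}")
    print("\n".join(lines))
```

Run it against your own log (replace `SAMPLE_LOG` with the file contents) and the report tells you, line by line, which of the items in the list above your server is actually recording. The minimised output is what you would keep for long-term statistics; if you need the full log for security investigation, keep it for a fixed, short period and restrict who can read it.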

Website Location

Did you know that where your website is hosted could put you in breach of the DPA?

It is not uncommon for websites to be hosted outside the UK, often in the USA. In this situation every form submission and every log entry is personal data that you are collecting in, and transferring to and from, a foreign country. This is an important point.

There is nothing wrong with hosting your website outside the UK provided you: (1) tell your customers and (2) ensure your DPA notification states that you transfer data worldwide. You must also still apply the same DPA principles as if the data were handled within the UK. In particular, the eighth data protection principle restricts transfers of personal data to countries outside the European Economic Area that do not ensure an adequate level of protection, so check that your hosting arrangement satisfies it; telling customers and updating your notification are not enough on their own.