Data Protection Act and Social Media

Although I have been aware of the DPA since the legislation was passed, and have worked in a role where I was responsible for auditing my company’s compliance (or at least my department’s compliance), I confess I had not thought about the burgeoning use of Social Media sites in the context, except in terms of how they should behave with my data.

This discussion does not constitute legal advice.

Following a quick refresher course today, thanks to our Information Management team’s guidance for working from home, it occurs to me that there are several areas of concern.  Although these are put in the context of whether something is legal in terms of the DPA, I am not meaning to suggest that I think that the examples I give are wrong – in some cases I suggest that it may be down to me over-interpreting the DPA, or that the DPA itself needs some clarification (or that I have missed some case law).

The Act

The Data Protection Act is summarised on the Information Commissioner’s Office website.  It relates to processing personal data.

Personal data is any information about a living individual which can be used to identify that individual (even if it may need another piece of information in order to do so). 

Processing is any use, storage, collection, deletion, re-organisation, retrieval or consultation of relevant data.

I will assume, for the sake of argument, that your institution has a ‘legitimate interest’ in processing an item of personal data.  This means that you need to process it, that your interests are balanced with those of the individual concerned, and that your processing is fair and lawful.

Your processing must also comply with all of the data protection principles.  First off, your institution has to notify the Information Commissioner that it will be processing personal information.  There are some exemptions, and it is worth checking if these apply to your institution.

One big potential issue when using Social Media sites is that they are often based outside the European Economic Area.  Unless you can show that they have adequate safeguards in place (e.g. Google, who are signed up to the Safe Harbour scheme in the US), transferring personal data to them (other than your own) is contrary to DPA Principle 8.  Companies which are not apparently on the Safe Harbour scheme include Twitter, MySpace, Bebo… (unless someone can point me to their listings?).  Google and Facebook are signed up.

Another issue relates to so-called sensitive information.  This includes anything about political views, sexuality, racial or ethnic origin, religious beliefs, trade union membership, physical and mental health and criminal matters.  In order to process any of these, there are additional requirements.  Fortunately, if the data subject (the individual the data is about) has put the information into the public domain, then these requirements are met.  However, there are a couple of points to watch out for here.

On most social networking services, users can select who may see which pieces of information.  Facebook, for instance, now allows a fairly fine-grained set of permissions.  If their information is not set to public then it is not in the public domain, and in order to process it you would need to meet other requirements (such as obtaining explicit consent) if the information is sensitive.  Fortunately, if you work for a non-profit, and do not disclose any personal information to a third party, there is a clause, with some extra conditions applying, which allows this.

Some examples

In connection with my work, I want to look at somebody’s Facebook profile.  If it is set to public, and I comply with all the other data protection principles (which include there not being a reasonable way of achieving my goals some other way which does not involve using their personal data), then there should not be much of a problem.  If they have limited their profile, then according to the legislation, in order to retrieve or consult any sensitive information, I would need their explicit consent (or meet one of the other criteria).  This is even without doing anything else with that information.

Perhaps I want to use Twitter as part of my work.  People send Tweets about all sorts of things, including, for instance, political opinions.  In many cases, their username, their biographical details or their link to their website makes their offline identity traceable.  Referring to someone as, for instance, @PatParslow, identifies them as an individual.  Mentioning someone in a Tweet means you are transferring personally identifiable information out of the EEA, and I believe it may well be contrary to Principle 8.  Using a Twitter client, which will keep a subset of your friends' timeline on your computer, may contravene the DPA, especially if their tweets (or others’ tweets about them) mention sensitive information and if they have set their Tweets to be protected.  Creating a mashup of Tweets to demonstrate a point is even more likely to be an issue.

‘Personal’ use

The DPA allows you to process personal data as an individual if it is for purely domestic purposes.  This is to allow you to keep an address book or similar.  It can also apply, as far as I know, if you run a club or society.  If you are engaging in academic study, I believe you are required to comply with the DPA (including Notifying the ICO).  There is a checklist in section 6 of the Notification Handbook which can help you work out if you are exempt.

If you are engaging in social networking for work purposes, or for personal academic research, it appears to me that you need to take careful consideration of the DPA.  Because the notification system is designed to be quite generic, there is a good chance that your institution’s Notification covers your use; you still need to let your Information Officer know about any processing.

Personal note

I hope that I am wrong about the need to notify just to be able to, e.g., read Tweets but, taken strictly, as far as I can see this qualifies as processing personal information.  I will be asking our information officer to look through this blog entry and to give their opinion, but I suspect that a close analysis will bear out the view I have presented here.

Comments

Data Protection Act and Social Media

The application of DPA Principle 8 to the internet is fascinating. Ostensibly principle 8 seems clear: don’t transfer personal data beyond the EEA without a specific condition given in Schedule 4 of the Data Protection Act, for instance consent. And you would have thought that anyone posting up personal data on a website, or a social networking site, would be a ‘transfer’, but the European Court of Justice ruling in the Lindqvist case of 2003 muddies the waters somewhat. It stated that:

"There is no 'transfer [of data] to a third country' within the meaning of Article 25 of Directive 95/46 where an individual in a Member State loads personal data onto an internet page which is stored on an internet site on which the page can be consulted and which is hosted by a natural or legal person who is established in that State or in another Member State, thereby making those data accessible to anyone who connects to the internet, including people in a third country."

Effectively the ECJ is saying that placing material on a website is not an international transfer and therefore Principle 8 is not triggered. A real headscratcher of a judgement, and it has been said by data protection gurus that it is probably nothing other than a pragmatic acceptance of the existence of the internet and a desire not to make all websites a potential international transfer. Given this ruling I’m not sure most social media sites do trigger principle 8.

Lee

ECJ ruling

Hi Lee,

Just re-read the ECJ ruling - surely your interpretation only holds if the website is hosted within the EU.

Self-Revelation and Revelation About Others

Firstly, once information is in the public domain generally then it is in the public domain and no longer attracts much in the way of DPA protection. This is not a hard line, however, as there have been rulings about information still being regarded as private and personal even if someone has told fifty people about it. However, if the data subject makes no efforts to restrict information from flowing to anyone at all, then we can assume they don't regard that information as private.

There are two further thorny issues, here, though. The first is about passing information from a restricted feed onto others. If one receives information "in confidence" then that confidence should be respected (and this is the point of the privacy ruling I mentioned above - the case I'm thinking of was someone who had told 50 people that they were HIV+ [or maybe had developed AIDS] and one of those 50 published that information). The question the court considered was whether there was a limit akin to the "if six people know then it's never a secret" for some value of "six" or whether there was a reasonable right to tell a significant number of people information individually "in confidence" and expect those confidences to be kept. The courts held that such confidences are reasonable and should be adhered to.

The second remaining issue is the dissemination of information about others. As Pat knows, I'm involved in doing some live research on this question, not so much about the legal situation at present, but about attitudes of young people to revelations being passed between others. My initial analysis suggests that there is a feeling that some are too free with others' information and that there is a problem to be addressed here. Whether the method of addressing that should be DPA regulation or social norms (ostracisation and exclusion from the social network) is one of the things I need to think hard and long about as we get more data.