Social networking sites, online forums and the application of the Data Protection Act

What is the legal status of those running social networking sites and online forums and which exemptions apply under the Data Protection Act 1998 (DPA 1998)?

When does the ‘domestic purposes’ exemption apply?

The DPA 1998, s 36 provides an important exemption to the application of the data protection principles under the Act. It applies when personal data is processed by an individual for their own personal purposes.

Whilst this covers many individuals using social networking sites, new guidance from the ICO makes it clear that businesses or organisations that use social media do not fall within the exemption and continue to have responsibilities under the DPA 1998. The guidance clarifies that this is still the case even if an organisation gets a member of its staff to do the processing for it through their personal networking page.

The crucial analysis is whether the processing is for the organisation’s purposes or the purposes of the individual’s personal, family or household affairs. As ever, the distinction blurs where the organisation consists of, for example, groups of friends or is a recreational club but the guidance provides useful examples of the ICO’s thinking on different scenarios.

When is a person or organisation running the site a data controller and what are their responsibilities?

Obligations under the DPA 1998 fall upon the data controller. The guidance provides some useful insight into the applicability of the DPA 1998 to those running sites onto which personal data is posted by third party subscribers. In the case of The Law Society and Others v Rick Kordowski (Solicitors from Hell) [2011] All ER (D) 46 (Dec), the defendant moderated posts and charged a fee for adding or removing them. Mr Justice Tugendhat had no hesitation in accepting that Mr Kordowski was a data controller under the DPA 1998 and this was not disputed by any party.

Even when content is not moderated, the guidance states the organisation running the site may remain a data controller for the purposes of the DPA 1998. The ICO would expect such data controllers to take ‘reasonable steps’ to check the accuracy of any personal data posted on the site by third parties. Under the guidance, ‘reasonable steps’ include:

  1. having clear and prominent policies for users about acceptable and non-acceptable posts
  2. having clear and easy to find procedures in place for data subjects to dispute the accuracy of posts and ask for them to be removed
  3. responding to disputes about accuracy quickly, and having procedures to remove or suspend access to content, at least until such time as a dispute has been settled

How will the ICO handle complaints against those running social network sites, organisations and individuals?

Helpfully, the guidance explains how the ICO will advise members of the public who complain to them about unfair or inaccurate posting about them. Where complaints are made about posts by businesses, organisations, or individuals acting for non-domestic purposes, they will ultimately be considered in the normal way. However, in the first instance, the ICO will advise members of the public who feel aggrieved to deal directly with the site. The ICO’s expectation is that those running a social networking site or online forum will have policies in place to deal with:

  1. complaints from people who believe their personal data may have been processed unfairly or unlawfully because they have been the subject of derogatory, threatening or abusive online postings by third parties
  2. disputes between individuals about the factual accuracy of posts
  3. complaints about how the person or organisation running the site processes any personal data (such as contact details) given to it by its users or subscribers

Does the guidance address any other exemptions?

The ICO guidance ends with a useful overview which considers the possible application of further exemptions and legislation.

For the full original news analysis and further guidance, (Lexis®PSL IP & IT subscribers), please see:

Social networking sites, online forums and the application of the DPA

Data Protection-overview  for more on the data protection principles

The Law Society and Others v Rick Kordowski (Solicitors from Hell) [2011] All ER (D) 46 (Dec)

Ben Horton, solicitor in the Lexis®PSL IP&IT team

Relevant Articles
Area of Interest