The report, entitled “Study of compliance with the Data Protection Act 1998 by UK-based web sites,” was carried out by the University of Manchester’s Institute of Science and Technology (UMIST) and the Office of the Information Commissioner.
The following were among the study’s other findings:
- There was "good general awareness" of the Act across both large and small companies.
- Large companies and those within regulated industry sectors demonstrated a high level of compliance. Smaller companies or those in unregulated sectors had a low level of compliance. The report comments: "those who were compliant tended to be so more by accident than by design." It continued, "Even the best examples were not 100% compliant, the key areas for concern being those of data retention and data security."
- A common problem is that data back-ups are not secured against falling into the wrong hands. Only 37% of small companies have any kind of data security policy. Encryption was rarely mentioned or used. When one web site operator was asked about data security, the reply was that he or she "lived in an apartment block with a security man in reception."
- Web site terms and conditions sometimes contradicted the site's privacy statement.
- Many small companies wrongly assume that when their ISP stores their customer data, responsibility for compliance passes to the ISP. It does not; the company remains responsible.
- Many organisations fail to understand the meaning of "data collection." They assume that if they haven't explicitly asked for the data then they haven't "collected" it, overlooking personal data that individuals volunteer in e-mails, chat rooms and discussion groups.
- Privacy statements were rated out of a maximum score of 100 for ease of reading - i.e. using plain English to explain how data is collected, used etc. The average score was 45; the maximum score, achieved by an unnamed bank, was 62.
- 42% of sites did not post any form of privacy information. Of those that did, only 5% reached a recommended level of intelligibility for the average reader. "Financial and insurance sites fared worse, while children's sites, travel and retail sites scored better."
To assist organisations in achieving compliance, the specialist information law team of Masons, the firm behind OUT-LAW.COM, offers a web site review service which will provide an organisation with a report and recommendations for web site compliance. A range of follow-up services can also be provided to ensure that an organisation achieves and maintains compliance.