THOROGOOD PROFESSIONAL INSIGHTS
A SPECIALLY COMMISSIONED REPORT
WEBSITES AND THE LAW PROTECT YOUR POSITION
Susan Singleton
Published in 2005
Thorogood Publishing Ltd
10-12 Rivington Street
London EC2A 3DU
t: 020 7749 4748
f: 020 7729 6110
e: [email protected]
w: www.thorogood.ws

Other Thorogood Professional Insights
Email – Legal Issues, Susan Singleton
Data Protection Law for Employers, Susan Singleton
The Competition Act 1998: Practical Advice and Guidance, Susan Singleton
Applying the Employment Act 2002 – Crucial Developments for Employers and Employees, Audrey Williams
A Practical Guide to Knowledge Management, Sue Brelade and Christopher Harman
HR Business Partners and HR Outsourcing, Ian Hunter and Jane Saunders
Employee Sickness and Fitness for Work, Gillian Howard
Successfully Defending Employment Tribunal Cases, Dennis Hunt

© Elizabeth Susan Singleton 2005
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, photocopying, recording or otherwise, without the prior permission of the publisher.
This Report is sold subject to the condition that it shall not, by way of trade or otherwise, be lent, re-sold, hired out or otherwise circulated without the publisher’s prior consent in any form of binding or cover other than in which it is published and without a similar condition including this condition being imposed upon the subsequent purchaser.
No responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication can be accepted by the author or publisher.
Special discounts for bulk quantities of Thorogood books are available to corporations, institutions, associations and other organisations. For more information contact Thorogood by telephone on 020 7749 4748, by fax on 020 7729 6110, or email us: [email protected]
A CIP catalogue record for this Report is available from the British Library.
ISBN 1 85418 331 1
Printed in Great Britain by printflow.com
To my children Rachel, Rebecca, Ben, Sam and Joseph. Wireless broadband gives you freedom and power and enhances children’s rights. To my late mother, Anne Morgan, 1929 – 2004, who never used the Internet, but whose love of words, ability as a teacher, hot-housing of her children and enthusiasm for knowledge is the reason I write, practise law today and appreciate the information available on-line.
About the author
Susan Singleton is a solicitor with her own London firm, Singletons which specializes in Internet/IT/e-commerce law, competition law, intellectual property law and general commercial law. Articled at Nabarro Nathanson, she joined Slaughter and May’s EC/Competition Law Department on qualifying in 1985, moving to Bristows in March 1988, where she remained until founding her own firm in 1994. Since then she has advised over 480 clients. According to the Chambers and Partners Legal Directory she is one of the UK’s leading IT Lawyers. In 2002 she acted for the claimant in the first damages action for breach of the EU competition rules to come before the English courts Arkin v Borchard and Others. Her clients range from major plcs and institutions to small start up businesses.
She is author of over 30 law books on topics such as Internet and e-commerce law, competition law, commercial agency law, data protection legislation and intellectual property and writes 15 legal articles a month. She is a frequent speaker in the intellectual property, competition and commercial law fields, both in the UK and abroad.
Susan Singleton is on the Committee of the Competition Law Association, is a member of the Licensing Executives Society (EC/Laws Committee) and serves on the Legal Committee of the Chartered Institute of Purchasing and Supply (CIPS) and is a member of the Society of Computers and Law and The Intellectual Property Lawyers’ Organization (TIPLO). She has five children and lives in London.
Singletons welcomes clients of any size.
Contact: Susan Singleton, Singletons Solicitors
Tel: 020 8866 1934
Fax: 020 8866 6912
Web: www.singlelaw.com
Email: [email protected]
Preface
This book aims to provide the reader with a full description of the areas of law which apply to websites. Most companies in the UK have a website and many do not follow the legislation. The EU has been largely responsible for most of the legal rules which apply, from legislation on distance selling to electronic commerce and data protection. What is lacking is a coherent statute containing all relevant laws. Instead, businesses need to know about sale of goods law, laws relating to advertising, data protection legislation and even disability laws. This report summarizes the main legislation and provides practical guidance on how to ensure your website is legally compliant.
There are over 100 countries in the world and in most of them there is Internet access. It will never be possible to check a website for compliance with all laws in all states but this should not put businesses off going on-line. There are risks in all methods of sale or advertising but in most cases they are not huge risks. Most countries require websites to be accurate and businesses to supply goods as described when they say they will. Therefore most suppliers who are honest and whose contract conditions on the website are clear have little to fear.
In 1983 I began my legal training contract, then called Articles of Clerkship, with Nabarro Nathanson, a solicitor’s firm in London. I remember they had typewriters which, amazingly, could delete a few words of text. It was a big development. Deletion without Tipp-Ex! Shortly after, the first fax machines were coming into use and word processing on computers became the thing. Telex was on the way out. Computerized searches were limited to corporate filings and registered trade mark matters and we had early training on LEXIS, a very novel electronic research tool in its day. When I qualified in 1985 I went to work for Slaughter and May as a competition lawyer but also did some IT contracts.
Big Bang was happening in the City of London and suddenly share trading was going electronic. We were doing the contracts for those IT systems and software licences. Computers were becoming very important. When I went to the intellectual property law firm Bristows in London in 1988 most lawyers still did not have computers on their desks. By the time I left in 1994 to set up my own solicitor’s firm, e-mail was taking off. So in that short ten year period a huge change had occurred in business practices. The early business to business electronic document exchange systems for contracts between big businesses were being replaced by the simple e-mailing of legal documents which everyone could easily use. It was access to free information on the Internet and the ability to work easily from a PC which made it possible for me to work for myself. I have a lot for which to thank the Internet and technological developments over that period.
Now 96% of the work I receive and work I generate from clients all over the world will come in by e-mail. Telephones have fallen silent and people can work at their convenience. On the other hand, whereas previously posting a draft contract meant a rest of a few days whilst it was examined and posted back, nowadays there may be several drafts marked up and passing between the parties on one day, so perhaps there is more pressure in some respects.
The Internet and websites are tools which need to be used intelligently. One of my favourite phrases is that the telephone is a request not a demand. You do not have to be there to answer it and it is the same with e-mail. My father and brother are consultant psychiatrists and my sister a chartered clinical psychologist. I escaped, but not unscathed. Always think about whether you are using e-mail and the Internet and allowing others access to you in an intelligent way which ensures the survival of your business and good relationships with your customers and clients, but which also allows you to live your non-working life in a way with which you can live comfortably. There are no rules. Some people will never be happy unless they receive business calls every hour whilst they are lying on a beach on holiday because it makes them feel important and wanted. Others will feel a holiday is ruined by one conference call on one day. What is crucial is to be content with what you have and, if not, change it. For some, limiting the times of day when e-mails are checked can be a key change which helps ensure the work of a particular day is done without it being spent replying to unimportant e-mails. Work out a procedure which suits you and try to stick to it.
As for websites, the principal subject of this book, do not worry too much about the site once it is up and running (except to update the content regularly) but do set up a system whereby every one to two years it is checked by solicitors familiar with this area of law. It will only take them about an hour to read it and see if any changes in the law in the last year or two mean changes are needed to the site. The legislation is strewn across at least ten directives/regulations which for lawyers make it an interesting area in which to practise but for those simply trying to set up a website it can make the whole process seem complicated. The aim of this book is to make it simple.
The Report describes English law and EU legislation where relevant. This report cannot be a substitute for taking specific legal advice relevant to your circumstances. This Report is up to date to April 2005. The law does change swiftly in this field so it always pays to take up to date legal advice.
Susan Singleton
Singletons • www.singlelaw.com
Contents

1 INTRODUCTION AND SETTING UP A WEBSITE
  Your employment contract
  Blogs
  Commissioning a website or designs for your site
  Copyright ownership issues
  Timing
  Principal laws to consider
  Computer viruses
  Computer Misuse Act 1990
  Copyright, Designs and Patents Act 1988
  FAST and BSA
  Pirated software

2 DOMAIN NAMES AND TRADE MARKS
  Summary
  International trade mark disputes
  Legal notices
  ICANN
  Uniform Dispute Resolution Procedure
  Cybersquatters
  Resolving disputes
  Metatags and search engines and trade marks
  International trade mark issues
  Parallel imports and exhaustion of rights
  Further information

3 ADVERTISING AND COPYRIGHT
  Summary
  Advertising agencies
  Running a competition
  Points schemes
  Partnerships and alliances
  Offering warranties
  Linking and the law
  Copyright notices and intellectual property
  Example copyright notice
  Confidentiality
  Codes of Practice
  Further information

4 SELLING FROM A WEBSITE
  Summary
  Making the terms stick
  Distance selling regulations
  Exclusions
  Rights
  Delivery in 30 days
  Action for companies
  Credit card transactions
  Security
  The electronic commerce regulations
  Electronic contracting
  Rescinding contracts
  Further information

5 PERSONAL DATA AND WEBSITES
  Summary
  Notification
  The data protection principles
  Subject access
  Opting in and out
  Glossary of terms
  Exporting data
  Breaching the law
  Example of a privacy policy
  Further information
  B2B telemarketing guidance published

6 DISABILITY ACCESS TO WEBSITE
  Summary
  ‘Reasonable adjustments’?
  RNIB recommendations
  Compliance
  The W3C standard
  DRC investigation
  Further information

APPENDICES
  Appendix 1
    Websites and the internet: frequently asked questions of the information commissioner
  Appendix 2
    Complying with the E-Commerce Regulations 2002
      Introduction
      New information requirements
      Information requirements
      Commercial communications
      Electronic contracting
      Limited liability for service providers
      Other sources of information
  Appendix 3
    Monitoring at Work
      Guidance for small businesses
  Appendix 4
    Extract from: Information Commissioner’s Data Protection Code of Practice – Monitoring at Work Good Practice Recommendations V1.0 29.
Chapter 1 Introduction and setting up a website
This chapter looks at what is legally involved in setting up a website, as well as the contracts with those individuals or companies who may prepare your website. The next chapter looks at choosing a domain name for your website, ensuring that in that process you do not breach trade marks of others. This chapter also looks at any legal restrictions on setting up a site and considers the law and blogging websites.
In the UK anyone can set up a website. There are few legal formalities for setting up a business. You can trade as a sole trader or limited company or partnership. You can have a website for your own personal purposes. Apart from acquiring a domain name you need to do very little legally before setting up a site. You should check the name is not the same or similar to anyone else’s – for details see the next chapter.
Your employment contract
If you have a contract with your employer it may prevent your undertaking particular activities in your spare time, such as setting up and/or running another business. These clauses in employment contracts are lawful so check the contract carefully. In addition, if you are planning to leave one employment and set up a new business take legal advice. Many employment contracts contain post termination restrictions which might affect your new business, including the setting up of any website. Until you leave employment with the previous employer you will, in addition, owe duties of fidelity and good faith to the employer.
Blogs
If you plan to set up a personal website blog (regular diaries by individuals which are posted on-line) which describes elements of your life or work be very careful. Check your employer’s contract, staff handbook and/or e-mail and Internet policy.
Even if that does not prevent what you propose to do, you may break some laws if you denigrate your current employer in the blog, if you bring the company into disrepute and if you make any disclosure in the blog which could be in breach of copyright or disclose confidential information belonging to your employer. Also ensure that if you write about other people you obtain their consent to disclose any personal data about them. Under the Data Protection Act 1998 you may not do that without their consent or otherwise subject to the strict requirements of the Act.
Commissioning a website or designs for your site
Far too many businesses spend much more money than they need on setting up a website. It may be more economic to buy one off the peg from an established and reputable provider for a few hundred pounds than commissioning an individual site for thousands of pounds. Whichever route you follow, make sure the contracted company has a good track record and is likely to be in business for years to come so that you have some legal recourse against them and they will still be financially viable if you were to have to take any legal action against them if the site proves defective.
Consider different proposals or quotes before proceeding and make sure you read their standard written terms of contract before agreeing that they may proceed. Keep copies of all documents and e-mails and ensure you know what documents form part of the contract with the provider. If you were assured in correspondence that the site would do XYZ but the contract does not say so and indeed includes a clause saying no prior representations are part of the agreement, your legal position will be much worse than had you an express term to that effect in the agreement saying the site would have functions XYZ.
Copyright ownership issues
If you are commissioning designs, make sure the contract terms say whether the person commissioning/paying or the designer will own the intellectual property rights, such as copyright, in those designs. If the contract says nothing about this then the designer retains all such rights and all the buyer receives is a non-exclusive licence to use the designs. That may not be good enough. The buyer may want ownership so that the designs can be easily passed to another agency or supplier if the relationship with the designer breaks down or the supplier may want to prevent the designer using those designs with another customer.
It is a common myth held wrongly by many businesses that if they pay for copyright works then ownership of the copyright will automatically vest in them. This is not correct. The position is the reverse of that under the Copyright, Designs and Patents Act 1988.
Timing
It is wise to draw up a plan of the technical and legal steps that will need to take place before the website is set up as well as a business plan for the running of the site. Work backwards from the proposed completion date so that all the legal formalities are dealt with in time. These will include:
• Written contracts with the website designers/providers and whoever is hosting the site.
• Getting the domain name you want and, where relevant, registering it as a trade mark and company name.
• Having the pages on the site checked from a legal point of view – e.g. you may have advertisements, forms, pictures, products, even prize competitions which lawyers may need to vet/check.
• Drafting terms and conditions for people to buy goods or services from the site or, where the site does not sell anything, terms to use the site, and a privacy policy where the site gathers personal data from those visiting the site (and registering under the Data Protection Act if you have not already done so and if you will be handling personal data from the site).
• Ensuring all written terms and legal conditions are in the right place on the website.
Principal laws to consider
Below is a list of the main areas of law relevant to running a website.
Sale of Goods and Services Law
Just as if you sell any other goods or services you will be subject to laws on sale of goods. If you already have a bricks and mortar business you will be able to use your existing written terms and conditions of sale and have those adapted to comply with e-commerce laws. There will be implied conditions that goods are of satisfactory condition for example, or you may offer an additional or alternative warranty instead.
The EU Distance Selling Directive
This is examined in Chapter 4. The directive states that you must give certain information to consumers buying at a distance (such as by mail order, telesales and most relevantly here from a website) and that they have a right to cancel the contract within seven days even if there is nothing wrong with the goods or services.
The EU Electronic Commerce Directive
This directive sets out certain information you must give people who view your web site, whether the site sells goods and services from the site or not – such as your company registration and VAT numbers. It also addresses liability for e-mail libel and related areas.
The Data Protection Act 1998 and e-privacy directive
Chapter 5 looks at the laws on data protection. If you run a business which has a mailing list then whether you are on-line or not you almost certainly have to notify the Information Commissioner that you hold ‘personal data’ such as customers’ names and addresses or even just staff/employee records and then comply with eight data protection principles. There are some specific EU laws in this area too. It is compulsory to inform users if a website uses a device known as a ‘cookie’ for example. If employees are subject to surveillance of their web viewing habits at work they should be told about this too. The Information Commissioner has issued an Employment Code of Practice. Part 3 of that code is about data protection law and employee surveillance. Many websites have a separate privacy policy document setting out how users’ personal details will be used. You may need to take legal advice on your ‘opting in’ notices.
Trade mark law
Every website has a name. It may be a generic name which will not be anyone’s registered trade mark like www.law.com or it may be a well-known registered trade mark such as www.macdonalds.com. http://www.psychiatry-uk.org/ is my brother’s website. It does not involve use of any registered trade mark in its name. It is a good example of a generic name. The most successful website in history was www.sex.com which also became the most fought over in US history when damages of millions of dollars were won because the name provider wrongly allocated that name.
http://www.singlelaw.com is my web site. I tried to register www.singletons.com which is the name of my firm but that name belongs to a string of hairdressing salons in the US. My domain name contains a part of the name of my firm – the single part – I practise as a sole practitioner and my surname is Singleton and also is generic in the law part of the name.
Chapter 2 examines trade mark issues. Some businesses use other competitors’ trade marks on their sites to lure people away from the trade mark owner’s site and this can amount to an infringement of trade mark. There have been some interesting recent cases on use of registered trade marks on search engines such as Google.
Copyright
Over the last ten years I have had many clients who have ‘innocently’ used suppliers’ photographs or product descriptions on their websites without consent. They thought that as the pictures were in the public domain and that they were selling those products they could just copy them without a licence. They are usually wrong even if an acknowledgement is made. Make sure every document and picture used on a site does not infringe the copyright of anyone else.
Other laws
Much depends on what will be on the site as to what other legal areas will be relevant. For example one client of mine has a competition to win a car on their web site. So we had to make sure we complied with the very complicated laws on competitions. Get one element wrong and there is an illegal lottery.
I have also advised people setting up competitions on websites to dispose of a house. In another case a client was setting up a financial services website – laws on liability relating to shares recommended or otherwise on-line were relevant. Some sites are information based and the client is concerned that the information (whether it is about a flight or a tourist attraction or law or whatever) might become out of date. This is a risk which cannot entirely be ameliorated by drafting but a disclaimer can help. There are other general laws to comply with such as laws on advertising and trade descriptions and also those relating to disability access (which is the subject of Chapter 6). Some products such as alcohol are illegal in some states so it may be necessary to include country restrictions on the territories into which the products might be sold. Alternatively, the trade mark rights to the product may be owned by someone else in that other country and thus sales have to be made under a different trade mark in one country only.
Computer viruses
Computer viruses cost companies thousands of pounds. Well-known recent viruses such as the Kournikova and Melissa viruses crippled many companies for days. They spread quickly around the world and often the perpetrator is not caught. Companies should have virus checking software in place, and firewalls. Many companies will update such software at least weekly. It is sensible to include a statement about viruses on e-mails. The recipient of the e-mail is given responsibility for the virus checking.
If an agreement is in place for the supply of data or computer software, frequently it will contain a term or condition about viruses. Most companies commissioning computer software will have a written contract with the supplier of the software and will include a term that the supplier warrants that the material produced does not contain viruses. That is a case where a provider is being paid to supply software. Where an e-mail is sent, the situation is different. There may well be no contract between the parties and it is not usually the case that the sender is liable for the damages caused to the recipient from the virus.
Computer Misuse Act 1990
The Computer Misuse Act 1990 makes it a criminal offence to gain unauthorised access to computer systems and, separately, a further offence, once having gained such access, to modify material. There are few prosecutions, although a special department of police forces around the country handles this area – the computer crimes unit. Many employers do not want to draw public attention to problems with their own security so offences are covered up or reported infrequently. Even when prosecutions are brought before local courts, the penalties are often weak. Other countries have similar hacking legislation, so a hacker who has been hacking in many nations may find him or herself prosecuted in a number of different locations. The US Department of Justice is active in the computer crime area and has a cyber-crime website at www.cybercrime.gov.
Copyright, Designs and Patents Act 1988
The same is the case with criminal offences under the Copyright, Designs and Patents Act 1988. Sentences can be light. Some computer software owners will seek to have a criminal prosecution brought against a computer software pirate or counterfeiter as a threat of a jail sentence can be more of a deterrent to some individuals than a large damages claim or seizure of the infringing programs.
FAST and BSA
Bodies such as the Federation Against Software Theft (FAST) (www.fast.org.uk) and Business Software Alliance (BSA) (www.bsa.org/uk) will obtain court orders on behalf of their members to seize infringing products. They also help companies ensure that all software used within a business is properly licensed and they run a telephone line for infringements to be reported, with rewards of thousands of pounds paid to those tipping off the organization about infringement of copyright where this leads to a successful prosecution.
Pirated software
Businesses buying software on-line need to ensure that it is not pirated. The BSA estimates that more than 90% of the software sold on auction sites is pirated. The BSA runs an Online Investigative Unit which recently looked at counterfeit software on Internet auction sites in the US and Europe. Its investigation, called ‘Operation Bidder Beware’, found sales of pirated or counterfeit software from vendors in the UK, Germany and the US. Each of the 13 defendants caught in the US faces damages of up to $150,000 per work infringed.
All this ensures that Internet and website law is a fascinating area with which to be involved and the rest of this book aims to provide an overview of the main areas of law which need to be considered.
Chapter 2 Domain names and trade marks
• Summary
• International trade mark disputes
• Legal notices
• ICANN
• Uniform Dispute Resolution Procedure
• Cybersquatters
• Resolving disputes
• Metatags and search engines and trade marks
• International trade mark issues
• Parallel imports and exhaustion of rights
• Further information
Summary
• Domain names should not breach registered trade marks or amount to passing off.
• Avoid unlicensed use of competitors’ marks on a site.
• Be careful of use of hidden metatags.
• Consider paying to have your site appear high in searches on search engines such as Google and Yahoo.
• If domain name disputes arise, consider UDRP (Uniform Dispute Resolution Procedure) mediation rather than court action.
• Get those hosting the infringing site to ‘take it down.’
• Be careful of selling trade marked goods or services in a country where there is no license from the trade mark owner to sell goods in that place.
Every website has a domain name and picking the name is important. Increasingly individuals looking for goods or services will use the Internet as their first port of call, whereas previously they might have used Directory Enquiries or word of mouth recommendation. Names used in business are valuable assets. Some companies even write the value of their trade marks and trade names into their annual accounts. Those already trading other than on-line will typically want to use their current trade mark or an abbreviation of it as their domain name. Thus the Financial Times uses www.ft.com and British Telecommunications plc uses www.bt.com. The English One in a Million case held that a trade mark registered under the Trade Marks Act will prevail over an Internet domain name. So first do a trade mark search, ideally using the search services of a trade mark agent who is a member of the Institute of Trade Mark Attorneys or the Patent Office (www.patent.gov.uk), to check for registrations in the UK and major markets where the goods or services will be sold. Then undertake Internet searches. The English case law of passing off protects trade names even if they are not registered as UK or Community Trade Marks (a CTM is a registered trade mark which covers all 25 countries of the EU).
International trade mark disputes
Websites can be viewed around the world. It is not uncommon for two companies in different countries to have the same name. That is not a problem when each serves customers only in their own country and each may even have their own registered trade mark there. It does become a problem when they go online, as any customer doing an Internet search may find the rival from the other country. What should the companies do?
• Often the bigger company will send lawyers’ letters to the smaller and bully them into giving up the name.
• The company with the registered trade mark will usually win any domain name dispute.
• Sometimes each party with a similar name can provide a link on their website to the site of the other, so that if people reach one site by mistake then they can be referred to the other site. Trade mark lawyers often draw up contracts between two warring parties setting out how each will use a similar name.
• Each could adopt a domain that makes it clear what goods they sell through the name itself. Adding an extra word, such as ‘lawpackbooks.com’, could do this.
• One could buy the name of the other.
If one company is using the same name, but for different products, there may be no confusion in ordinary business, but when websites and the Internet become involved, a customer doing a search will not search by class of products so the two will suddenly find confusion. Even if no application has been made for a registered trade mark, English law and the laws of some other states protect unregistered trade marks on which goodwill has been built up through laws known as ‘passing off’. This can be harder to prove than trade mark infringement, as there is no certificate of ownership, but in particular, if confusion can be shown, then someone using the name without permission may be sued. Take legal advice.
Legal notices
Companies need to consider not only registering their name on the Internet as a domain name, but also contacting the UK Trade Marks Registry (www.patent.gov.uk) to register a trade mark. Some companies have lots of different trade marks which may not be the same as their domain name. A food manufacturer, for example, might have 100 food brand names but one company name. It would register the company name in most cases as its domain name but where on the website it refers to products which are protected by trade mark, it would indicate, as it would do in its printed marketing material, which names are registered trade marks. A look at any large company’s website will show how this is done.
ICANN
The international body in charge of domain names is ICANN, the Internet Corporation for Assigned Names and Numbers (www.icann.org), which is one of the best sources of information in this area. It describes itself as a ‘non-profit corporation that was formed to assume responsibility for the IP address space allocation, protocol parameter assignment, domain name system management, and root server system management functions previously performed under US Government contract by IANA and other entities’.
Uniform Dispute Resolution Procedure
Some domain name disputes can be handled cheaply through the Uniform Dispute Resolution Procedure (UDRP) operated by ICANN and the World Intellectual Property Organization (WIPO, www.wipo.org). All registrars in the .com, .net, and .org top-level domains follow the UDRP. Those in the UK with .co.uk, however, need to follow a slightly different resolution procedure – if they choose to do so rather than going to court – operated by Nominet.
Cybersquatters
Sometimes people cybersquat – register a business’ name as a domain name and try to sell it back to the true owner. Often their bluff can be called by doing nothing. They do not intend to trade under it anyway, and others to whom they may sell it will not buy it because they know it is the registered trade mark of the company to whom the trade marks belong. If legal costs of fighting for it are an issue, try the resolution procedures operated by Nominet (www.nominet.org.uk for .co.uk domains) and ICANN or WIPO (www.icann.org and www.wipo.org) for others. They do not lead to awards of damages or legal costs, but they can result in the name being handed over to the true owner, which may be the simple remedy the complainant wants.
The US has specific cybersquatting legislation that sets out when use of someone else’s name is bona fide. Difficulties occur when a name is used to denigrate its true owner – sometimes a fan club is set up without approval by a famous person and there are many dot.sucks sites on the Internet. In slang terms, when someone derogates another person or company, they often say they ‘suck’ in the US and this applies to Internet slang and increasingly English slang too. Thus downingstreetsucks.com could be a website devoted to criticism of the Government. There are thousands of sites on the Internet with ‘.sucks’ in their name designed for this purpose.
Resolving disputes
1. Make sure disputes do not arise by picking a name which is not in use in the first place.
2. Settle disputes early before a great deal of money is spent on legal fees and lots of management time wasted. Never litigate on principle.
3. For valuable trade marks, litigation may become necessary. In the English case One in a Million, some well-known English companies which owned trade marks for their names sued an Internet cybersquatter who had registered their names simply in order to ‘cash in’ by selling those names back to their rightful trade mark owners. The court said the names should be handed back to Marks & Spencer, Virgin and the other companies for nothing. Do not let breaches continue or rights can be lost.
4. Do a cost analysis to determine the best means of settling the dispute.
Metatags and search engines and trade marks
Do not use a competitor’s trade marks on a website without taking legal advice first. In the EU some comparative advertising using another person’s registered trade mark is allowed as long as the comparison is fair but it is a dangerous legal area. In Reed v Reed (Court of Appeal) the judge looked at use of the word ‘Reed’ as a reserved term by a search engine so as to bring up a rival ‘total jobs’ banner advertisement, and the use of ‘Reed’ as a metatag in the respondents’ website so that there would be a higher ranking in search engine results. The court said there was no breach of passing off law as there was no misrepresentation, a requirement for passing off. Even so, be careful about using competitors’ marks as even a threatened law suit can involve time and money which could be better spent elsewhere.
The court said that it was ‘fanciful’ that anyone would think there was a trade connection between the total jobs banner and the respondents when they searched using the word ‘Reed’. The metatag claim was dismissed on the basis that the evidence showed that the respondents’ result appeared below the appellants’ results and therefore no one was likely to be misled. This was the case irrespective of whether the search engine made the metatag visible. The case also involved registered trade marks and use of the word Reed which was part of both parties’ registered marks and logos. Here again the court said there was no confusion, so there could be no infringement. When discussing metatags the judge said that ‘causing a site to appear in a search result, without more, does not suggest any connection with anyone else’. The judge also thought that it was unlikely that metatag and reserved-term use could count as ‘use’ of a trade mark at all. Even if it was, so far as metatags were concerned he questioned whether it was infringement.
Some people will pay to have their website appear high up on lists resulting from searches with search engines like Google on the Internet. This can be a valuable service and is certainly worth considering. For example, a company selling garden chairs might want to be in the top ten on any search of the words ‘garden chairs’.
International trade mark issues
Trade marks are registered in a particular class of goods or services and in a particular country (or over the whole EU if they are Community Trade Marks). The goods therefore may only be allowed to be sold in countries where the seller owns the trade mark rights concerned. Sometimes different companies own the same name in different states. If that is the case then caution needs to be exercised before using that name in that state, including on the Internet. Case law around the world has vacillated between saying use on a site in one country amounts to infringement of trade mark abroad and that it does not. Certainly taking active steps to market the site in a country where the sale of goods under that trade mark infringes a third party’s rights will almost always amount to an infringement.
Parallel imports and exhaustion of rights
Always take legal advice if parallel importing or exporting trade mark or copyright protected goods, whether from a website or otherwise. Under copyright and trade mark law importing goods without permission from the national owner of the trade mark or copyright is a breach and the goods can be seized. Damages and costs may have to be paid. Tesco found this to be the case when they imported Levi’s jeans from the US without permission and the European Court held that Levi’s were entitled to prevent the sale and seize the goods. As an exception to this, however, once a trade mark or copyright owner has put the goods on the market in the EU/EEA or had a licensee do so, they cannot stop someone buying in one of the 27 EU/EEA states and importing into another as the rights are said to be ‘exhausted’ by the first sale. Counterfeit or pirated goods will, however, always infringe and can be prevented by law from sale.
Further information
Information on trade marks law can be found at www.patent.gov.uk.
Chapter 3 Advertising and copyright
• Summary
• Advertising agencies
• Running a competition
• Points schemes
• Partnerships and alliances
• Offering warranties
• Linking and the law
• Copyright notices and intellectual property
• Example copyright notice
• Confidentiality
• Codes of Practice
• Further information
Summary
• Ensure all advertisements on websites are, and remain, accurate.
• Trade descriptions and laws against misleading pricing are as applicable on-line as off.
• Codes of practice on advertising such as the CAP Code apply online as well as off-line.
• Where arrangements are made with other sites to market a site or goods or services via that site, have written contracts setting out how any revenue sharing will be achieved.
• Make sure all material or pictures used on a website can legally be used; obtain copyright licences where necessary.
Advertising is crucial if a website is to generate business or indeed be worth having at all. Many businesses put their website address at the end of all e-mails and on their notepaper to encourage people to use it. Some have links with other websites and others even pay for advertising of the site in more conventional media. The Internet is not immune from laws that regulate advertisements. Make sure the accuracy of the site is thoroughly checked and that prices are up to date. Some companies have been prosecuted by trading standards authorities around the world, where prices are out of date or goods are described inadequately or incorrectly. The following is a non-exhaustive list of the regulations to consider:
• Trade Descriptions Act: it is an offence to apply a false trade description to goods – for example, saying goods on the site are wool when they are nylon.
• Consumer Protection Act: it is unlawful to apply a misleading price indication to goods. Make sure prices are accurate and up to date.
• Sale of Goods Act 1979: when goods are sold there is an implied condition that they will be of satisfactory quality and fit for their purpose. The EU Consumer Guarantees Directive that came into force in 2002 provides very similar protection for consumers throughout the EU.
• Control of Misleading Advertisements Regulations: advertisements must not be misleading. Caution should be exercised when an advertisement compares one product with that of another company. The comparison must be fair, otherwise a breach of the Trade Marks Act 1994 may occur if the competitor’s trade mark is used in the advertisement.
• Electronic Commerce Regulations: set out information about sellers on websites which must be given.
• Distance selling regulations: give buyers a right to cancel contracts after they have been made (see Chapter 4) and set out information that must be given on websites selling goods or services to consumers.
Advertising agencies
When using an advertising agency, do not assume they will check that the words used comply with legislation. Always make sure there are contract terms setting out whose responsibility this is. For example, music or pictures used in an advertisement should only be used when permission from the copyright owner is obtained. Sometimes the agency simply gives the customer a right to use the material once. Just because the company is paying for the advertising work to be done, does not mean they will automatically own the copyright in what they have commissioned. If they want ownership of such rights, they should ensure the agency assigns the rights in a written contract.
Many websites carry advertising from third party companies. It is a major revenue generator for the bigger sites. Sometimes no advertising fee is paid, but instead, mutual links are established – see partnership section below. In other cases, there is a simple arrangement with a fee paid. Both parties should draw up a written contract setting out the terms of the deal. The advertiser will want to ensure their logo and other details are displayed prominently, that links work, that no competitor is similarly allowed to advertise on the same page and/or site and that there is a right to terminate the arrangement on notice and, in particular, if hits are not high enough.
Running a competition
Many websites offer those registering the opportunity to take part in a prize draw or other incentives for persuading friends and/or contacts to join. There are strict English laws on the running of competitions, so it is best to take advice from solicitors expert in the laws of lotteries and competitions. The rules should be clearly stated on the site as well. If an incentive scheme is offered whereby people are paid or rewarded for drawing others into a network, then legislation in the Trading Schemes Act should be considered. Often, pyramid selling schemes, of which there are many on the Internet, will infringe this legislation. Again, it is wise to take legal advice.
Points schemes
Many loyalty schemes operate on the Internet. People gain points or money the more hits they make to a site or the more goods they buy at the site. Ensure the rules are clear and that it is also clarified as to how the scheme can be terminated and what happens to accumulated points in such a case. Not all countries allow such schemes, so it is sensible to take legal advice in the major markets that will be targeted.
Partnerships and alliances
Many partnership agreements are entered into between companies operating on the Internet. Frequently, the parties agree that each will pay the other for business generated through the website of the other. Technology can ensure that it can be relatively easily established when business comes through such a link. There should be a written contract between the parties to the partnership arrangement. An example of such an agreement appears at the end of the chapter. However, every commercial deal is different and readers should take their own legal advice.
Offering warranties
There may be legislation specific to marketing a particular product too, so take legal advice. An example of this is The Supply of Extended Warranties on Domestic Electrical Goods Order 2005 (SI 2005/37), which came into force in April 2005. The website-specific provisions of the Order relate to how information about warranties appears on the site:
“6. (1) Whenever a supplier publishes the price of a domestic electrical good on his website the supplier shall:
(a) subject to paragraph (2), publish the price and duration of one applicable extended warranty adjacent to the price of the relevant domestic electrical good or, where the price and duration of that applicable extended warranty apply to a range of domestic electrical goods, in close proximity to that range, in a manner that is clear and legible;
(b) ensure there is a link on the home page of the website, and on each introductory page offering domestic electrical goods, directing consumers to further relevant information relating to the purchase of extended warranties offered by the supplier; and
(c) ensure that further relevant information is published on his website.”
Paragraph (1)(a) does not apply if the price of a domestic electrical good is published on the website after the consumer has selected that domestic electrical good for purchase.
Linking and the law
Normally there is no restriction on providing a link between websites, although it is better practice to obtain consent from the party to whom the link will be made. However, if use of the site to which the link is to be formed is subject to on-line terms and conditions these are likely to be a ‘contract’. One of those contract terms might prohibit linking without consent. In that case, the person forming a link without such consent may be in breach of the contract and could be restrained from so breaching the contract and be required to pay damages.
There is a large legal difference between a simple link and putting one’s own heading above a third party’s content. For example, if Singletons Solicitors has information about data protection laws on its website, someone could link to that page of legal materials, usually without any legal problems. But, if that person makes the content appear beneath its own banner headlines then there may be a right to bring an action for ‘passing off’ (see Chapter 2), as users may believe that the material was generated by the company whose banner headings appear at the top.
Copyright notices and intellectual property
Lots of information on the Internet is protected by the laws of copyright. This means the words and drawings and sounds on many web pages cannot be copied without permission of the copyright owner. Just because it is in the ‘public domain’ does not mean it is free of copyright. It does not matter whether there is a copyright notice on the site. The work is still protected by copyright – although such a notice is a good idea. It does not matter whether the copyright is registered or not – in fact, in the UK copyright cannot be registered – it arises as soon as it is created. It is irrelevant that the information has been published – it is still protected by copyright. There is no right to copy, even if an attribution is made of the author and source. Sometimes authors allow copying on that basis, but they do not have to do so.
Copyright is not the only intellectual property right relevant to websites. Some industrial inventions which power the Internet and computer systems are protected by registered patent rights. In the UK, such protection is given by the Patents Act 1977. Trade marks are much more likely to be relevant and these were addressed in Chapter 2. There is another intellectual property right called ‘design’ right, but it is rarely applicable and it does not protect most ‘designs’ on the Internet (they are protected by copyright). Registered and unregistered design rights protect the aesthetic appearance of, usually, three-dimensional objects.
Although copyright will be obtained and reserved whether or not a copyright notice is put on a website and indeed on any commercial documents, such as buyer’s invitations to tender specification documents, etc., it is sensible to ‘warn off’ potential infringers with such a notice and also to tell those using a site what use they can make of the copyright works on the site:
1. May they print a copy of a page of information protected by copyright?
2. May they e-mail a copy to a friend?
3. May they save a copy to their computer’s hard drive?
4. May they reproduce the information, but only for non-commercial use and only as long as it is unchanged and the author’s name remains on it? (Some government websites contain such a right.)
In practice, be aware that anything placed on a website may be copied and the copyright owner may find it hard or expensive to prevent even clear breaches of the law, so be cautious before putting important documents on the Internet.
Example copyright notice
The international symbol for copyright is ©. This should be followed by the name of the legal entity that owns the copyright. With regard to the term ‘All Rights Reserved’, this is required in some countries to assert copyright, but this is not the case in the UK. However, it is wise to add those words. Just about all websites have copyright information on them. It would be hard to write a page without words appearing which comprise copyright works. Therefore it is sensible to include a copyright notice. In some countries of the world, copyright is not obtained unless a notice appears. As the website will be seen throughout the world it is therefore an important precaution.
Confidentiality
Secret information should obviously never be put on the Internet, as it will then go into the public domain and will lose protection under the common law of confidence. Make sure that any ideas for websites, business plans, etc., are marked ‘confidential’ and are only disclosed to website designers, suppliers, business partners, etc., where they have signed a non-disclosure or confidentiality agreement.
Codes of Practice
Always consider any relevant codes of practice. For example, solicitors are subject to Law Society Codes. Doctors will have their own rule books too and some sectors such as pharmaceuticals are very heavily regulated. All advertising is likely to be caught by the Code of Advertising Practice which includes sections on e-mail marketing and the like. In addition, sometimes codes such as that of ICSTIS are relevant (e.g. if a game is being marketed to play on a mobile telephone).
Further information
Code of Advertising Practice is at: http://www.cap.org.uk/cap/codes/cap_code/CodeIndex.htm
The DTI guidance on The Supply of Extended Warranties on Domestic Electrical Goods Order 2005 (SI 2005/37) is at: http://www.dti.gov.uk/ccp/topics2/pdf2/ewguidance.pdf
The Supply of Extended Warranties on Domestic Electrical Goods Order 2005 is at: http://www.hmso.gov.uk/si/si2005/20050037.htm
Chapter 4 Selling from a website
• Summary
• Making the terms stick
• Distance selling regulations
• Exclusions
• Rights
• Delivery in 30 days
• Action for companies
• Credit card transactions
• Security
• The electronic commerce regulations
• Electronic contracting
• Rescinding contracts
• Further information
Summary
• If making sales from a website, comply with relevant legislation in the e-commerce and distance selling directives.
• Ensure there are terms and conditions on the site which are at the correct point for buyers to see and accept.
• Keep the site up to date.
• Ensure acknowledgements of orders are not acceptance of an offer and thus contractually binding.
• Give consumers a right to cancel as required by law where this applies (most cases).
Not all websites involve sales from the site. Some are just a glorified paper brochure or catalogue. Others, however, allow consumers or business buyers to buy on-line. This chapter looks at selling goods or services directly from a website. Usually this is effected by means of the buyers paying by credit card, although that is by no means always the case. A contract will be arranged with a company like NetBanx for the processing of the credit card payments. The principal legislation will be that which applies to any sale of goods or services – the Sale of Goods Act 1979 as amended and the Supply of Goods and Services Act 1982. However, for e-commerce purposes there are some special regulations which additionally apply. Anyone wanting to sell goods or services from a website needs to ensure they draw up a set of terms and conditions for supply of the goods or services. Distance selling legislation and electronic commerce regulations (see below) require that buyers from websites who are consumers must be given certain basic contractual and other information, so traders need terms and conditions for this and other reasons.
Making the terms stick
Just as important as the terms is ensuring they are in the right place on the website so that they are seen and ideally accepted before the consumer makes the purchase. It is better if they can be viewed generally before a purchaser proceeds down a chain of clicks that leads to a purchase and in addition that they appear before the point when the consumer commits to buying the goods or services concerned. The consumer should ideally be allowed to print the conditions and save them to a hard drive for future reference. Best practice is to have the consumer click to indicate that the terms are accepted.
The terms and conditions will deal with issues such as return of the goods if they are defective, delivery charges, import duties (if they are being imported from abroad), substitutes, warranties, exclusions of liability, etc.
On-line terms and conditions are available on most websites where goods or services are supplied. It is therefore incredibly easy to find examples of the terms used on other sites. Copying those terms will be a breach of the Copyright, Designs and Patents Act 1988, and make the business copying a potential competitor’s conditions look ridiculous when such plagiarism is discovered. There is nothing to stop a company taking any of the ideas for types of clauses from another site, however, and then producing their own set. Remember that foreign law contracts may not be appropriate for England and Wales or Scotland and that the products are very relevant to the terms, so they may need modification. Terms and conditions for downloading software on-line, for example, will be nothing like terms and conditions for the purchase of a book from a website.
Ensure that the acknowledgement of order simply says the order has been received but not accepted so that if there were an error, e.g. in the price, there is no binding contract at that stage so the seller could pull out.
Distance selling regulations
All businesses selling goods and services from a website in the EU to consumers (not other businesses) need to comply with the EU Distance Selling Directive 97/7. In the UK, this was brought into force by the Distance Selling Regulations. The regulations do two things: (i) they require consumers to be given certain information about the seller, rights to cancel the contract, etc., and (ii) the consumer is given a right to cancel the contract after it is made, whether or not there is anything wrong with the goods or services. Not all contracts can be cancelled. Lots of information on the regulations is on the Department of Trade
and Industry distance selling website. The regulations do not apply to all distance contracts; the most important exception is for financial services (a separate directive on the distance marketing of financial services came into force in the UK in 2004 – see UK implementing regulations – Financial Services (Distance Marketing) Regulations 2004). Clearly selling from a website is a ‘distance’ communication under this provision. The list of means of distance communications which is caught by the Directive includes:
Exclusions include any contract:
(a) for the sale or other disposition of an interest in land, except for a rental agreement;
(b) for the construction of a building where the contract also provides for a sale or other disposition of an interest in land on which the building is constructed, except for a rental agreement;
(c) relating to financial services, a non-exhaustive list of which is contained in Schedule 2 of the regulations and includes:
    1. investment services
    2. insurance and reinsurance operations
    3. banking services
    4. services relating to dealings in futures or options.
(d) concluded by means of an automated vending machine or automated commercial premises;
(e) concluded with a telecommunications operator through the use of a public pay-phone;
(f) concluded at an auction (so Internet auctions are also excluded).
The major provisions of the Directive do not apply to contracts for the provision of accommodation, transport, catering or leisure services where the supplier undertakes, when the contract is concluded, to provide these services on a specific date or within a specific period. So, anyone buying air tickets on-line, for example, has no right to cancel.
Exclusions
There are many exclusions both from the regulations and from the right to cancel in the regulations. All traders therefore should read the regulations carefully to check whether and how they apply to them.
Rights
The regulations give consumers:
1. The right to receive clear information about the goods or services before deciding to purchase.
2. Confirmation of this information in writing or in another appropriate durable medium, e.g. fax or e-mail. The Directive on which the regulations are based requires that the consumer be given information in writing or another ‘durable medium that is available and accessible to him’. It does not say exactly what this means, so the DTI takes the view that e-mail is a durable medium in the sense that it is open to the consumer to retain the information. Giving the details verbally, however, is not enough.
3. A cooling-off period of seven working days, in which the consumer can withdraw from the contract (for sales of goods, this is seven working days from the day after the goods are delivered).
The statutory right of withdrawal does not apply to contracts:
(a) for the supply of services if the supplier has complied with regulation 8(3) and performance of the contract has begun with the consumer’s agreement before the end of the cancellation period applicable under regulation 12;
(b) for the supply of goods or services, the price of which is dependent on fluctuations in the financial market which cannot be controlled by the supplier;
(c) for the supply of goods made to the consumer’s specifications or clearly personalised or which by reason of their nature cannot be returned or are liable to deteriorate or expire rapidly;
(d) for the supply of audio or video recordings or computer software, if they are unsealed by the consumer (the DTI guidance on distance selling and unfair terms in the area of IT includes a section on what this involves);
(e) for the supply of newspapers, periodicals or magazines; or
(f) for gaming, betting or lottery services.
The cooling-off period is three months where the supplier has not given notice of the seven-day period to the customer. This is one reason why terms and conditions should be altered to allow for this. This point illustrates the importance for businesses of amending their terms and conditions now, to cover these new rights, so that the legal position can to some extent be ameliorated. The effect of a notice of cancellation is that the contract shall be treated as if it had not been made.
Regulation 8(3) says:
Subject to regulation 9, prior to the conclusion of a contract for the supply of services, the supplier shall inform the consumer in writing or in another durable medium which is available and accessible to the consumer that, unless the parties agree otherwise, he will not be able to cancel the contract under regulation 10 once the performance of the services has begun with his agreement.
Delivery in 30 days
Unless agreed otherwise with the supplier, there is a right to receive goods or services within 30 days. This accords with the period that is usual in the mail order industry, in any event.
Action for companies
• Check if the regulations apply to the particular business.
• Are the goods or services excluded?
• Are the sales to consumers rather than businesses?
• Assuming the regulations apply, check that the correct information is given to consumers.
• Check compliance with other requirements such as 30 day delivery dates.
• Ensure the right to cancel is implemented.
• Take legal advice in cases of doubt.
Credit card transactions
Most companies selling goods or services over the Internet will require the consumer to provide a credit or debit card number. This should be done on a secure part of the site or it is unlikely that the consumer will be prepared to give those details. In any event, the consumer should ideally be given access to further information on the site about how the details provided will be kept confidential.
Security
Traders will need to enter into a contract with the relevant credit card company who have standard agreements for this purpose, before being entitled to offer payment by card on accounts. Businesses may also like to consider giving consumers a telephone number they can ring, fax number, e-mail contact or even a postal address if they would prefer to place their order that way. This can certainly help maximise business/orders for smaller, growing businesses. Large Internet trading companies may not be happy to have such a mixture of means of communication.
The electronic commerce regulations
It is a complication that the rules on what information must be provided on websites appear in both the distance selling and electronic commerce regulations, and that they differ and may each apply in some or all cases. The distance selling regulations apply only to websites where goods or services are sold. The electronic commerce regulations apply to all marketing websites and require that certain information requirements be followed:
1. Information requirements
Provide end users with:
• the full contact details of the business;
• details of any relevant trade organizations to which a business belongs;
• details of any authorization scheme relevant to the on-line business;
• VAT number, if the on-line activities are subject to VAT;
• clear indications of prices, if relevant, including any delivery or tax charges.
This information must be ‘easily, directly and permanently accessible’. The Government recognizes that technological constraints (e.g. the 160 character limit on mobile text messages) mean that the information may not readily be accessible by the same means by which the service provider transacts with recipients of his services. The Government envisages, however, that these criteria should be capable of being met if the information is accessible by other means (e.g. inclusion on a website). The Government also envisages that temporary interruptions to the availability of the information that are essential (e.g. to maintain a website or the integrity of a network) or unavoidable (e.g. in the event of force majeure) will not count against its being permanently accessible. However, the onus is on the service provider to make the information accessible for as long as it may be necessary to do so. It may therefore be advisable to retain evidence of the information that recipients had available.
The author’s web site, www.singlelaw.com, gives Singletons’ VAT number and a link to the Solicitors’ Code of Professional Conduct because of these regulations.
2. Commercial communications
These requirements include providing end users with:
• clear identification of any electronic communications designed to promote (directly or indirectly) the goods, services or image (e.g. an e-mail advertising the goods or services);
• clear identification of the person on whose behalf they are sent;
• clear identification of any promotional offers the business advertises e.g. any discounts, premium gifts, competitions, games;
• clear explanation of any qualifying conditions regarding such offers;
• clear indication of any unsolicited commercial communications a business sends.
The purpose of this requirement is to ensure that recipients or their Internet service providers can block or delete the e-mail without the need to open and read it. The definition of commercial communications in the Regulations does not cover domain names and e-mail addresses themselves, independent audits of your products, statutory reports or reports compiled by independent regulators. The DTI in their guidance notes on the regulations for SMEs state ‘Certain specific types of communications, such as mobile text “welcome messages” and electronic greetings cards, may not be “designed” to promote your business and
may not fall within the definition. Such matters of interpretation will be addressed on a case-by-case basis by the relevant enforcement authority.’ For a description of e-mail marketing and the law and the separate directive on e-privacy and UK regulations in that field which came into force in late 2003, see the following chapter.
Electronic contracting
The electronic commerce regulations also contain a section on electronic contracting. These requirements include providing end users with (i) a description of the different technical steps to be taken to conclude a contract on-line; (ii) an indication of whether the contract will be filed by the business and whether it can be accessed; (iii) clear identification of the technical means to enable end users to correct any inputting errors they make; and (iv) an indication of the languages offered in which to conclude the contract.
Those whose websites do not take orders and are simply a glorified brochure are not thus engaged in electronic contracting and so this part of the Regulations does not apply to them. These requirements do not apply where, for example, initial contact is made via a website but, for reasons relating to the complexity of the contract, it is actually concluded off-line.
Regulation 9(3) stipulates that where the service provider supplies terms and conditions applicable to the contract to the recipient, the service provider must make them available to him in a way that allows him to store and reproduce them. The Government envisages that this requirement should be capable of being met if the terms and conditions are provided in a form other than was the case during the original transaction (e.g. via a printed receipt sent with goods rather than downloaded or copied from a website).
Rescinding contracts
Regulation 15 provides that where a person has entered into a contract to which the Regulations apply and the service provider has not made available means of allowing him to identify and correct input errors in compliance with Regulation 11(1)(b), he is entitled to rescind the contract unless any court having jurisdiction in relation to the contract in question orders otherwise on the application of the service provider.
Depending on the exact nature of the non-compliance, end users may cancel their order; seek a court order; or sue you for damages for breach of statutory duty if they can demonstrate that they have suffered a loss as a result of your failure to comply with your obligations under the Regulations.
Further information
The DTI bulletin on distance selling legislation is at: www.dti.gov.uk/cacp/ca/dsdbulletin.htm.
The DTI has issued detailed guidance for business on the Electronic Commerce (EC Directive) Regulations 2002 and also a short guide for small and medium sized enterprises which appears in Appendix 2.
The UK regulations implementing the financial services and distance selling EU directive are the Financial Services (Distance Marketing) Regulations 2004 and they appear on the Internet at: http://www.hmtreasury.gov.uk/consultations_and_legislation/dmd/consult_dmd_index.cfm
Chapter 5 Personal data and websites
• Summary
• Notification
• The data protection principles
• Subject access
• Opting in and out
• Glossary of terms
• Exporting data
• Breaching the law
• Example of a privacy policy
• Further information
• B2B telemarketing guidance published
Summary
• Most websites gather personal data from those using the site and need to comply with the Data Protection Act 1998.
• It is usually necessary to notify the Information Commissioner that personal data is held (register).
• Users should be told how their data will be used, often in a document on the site called a privacy policy.
• Users should in most cases not be sent unsolicited e-mails due to the provisions of The Privacy and Electronic Communications (EC Directive) Regulations 2003.
• If personal data will be exported from the 27 EU/EEA states then special rules need to be followed.
Most websites include forms where users can send their contact details so they can be sent further information. The passing on of that personal information puts those running the site within the ambit of the Data Protection Act 1998 and its eight principles. This is not a problem in practice. The site owner should register under the Act with the Information Commissioner and should tell people on the site how and when their data should be used. This is sometimes done by provision of a privacy policy document on the site. The Privacy and Electronic Communications (EC Directive) Regulations 2003 require that no unsolicited emails should be sent to users without their consent, subject to an exception (known as the soft opt in) described below. Some sites require people to register before they can use the site. However, that often discourages people from using the site, so it does not make commercial sense when the aim is to have as many people as possible using the site and returning regularly because they like it and it is updated on a regular basis.
Others require users to register in order to be sent information about development or products. Those users are then volunteering their personal data and often expressly agreeing to follow-up e-mails. The better sites let them ‘unsubscribe’ quite easily from such mailings later and set out a simple procedure to do this. When signing up users on a website, offer the following:
1. A right to opt in to receiving further information about products and services.
2. An easy means to unsubscribe later.
3. A clear privacy policy setting out how their data will be used.
4. Clear details of what personal data of theirs will be held or used and by whom.
5. Information about whether the site uses “cookie” devices.
Notification
The Data Protection Act 1998 also requires that all those holding personal data must notify the Information Commissioner (register). This costs £35 a year. Most businesses in the UK should be registered. A company can check whether it or someone else is registered, free of charge, by searching at www.dpr.gov.uk.
The data protection principles
The eight data protection principles are that personal data must be:
1. processed fairly and lawfully
2. processed for limited purposes and not in any manner incompatible with those purposes
3. adequate, relevant and not excessive
4. accurate
5. not kept for longer than is necessary
6. processed in line with data subjects’ rights
7. secure
8. not transferred to countries that don’t protect personal data adequately.
Subject access
The Act gives individuals a right to demand to see copies of the personal data that is held about them. Many people checking their credit history will make such requests. The Information Commissioner has set out useful guidance on how this right applies where the personal data is contained in e-mails held by the company concerned. In extreme cases, it may even be necessary to recover the information in deleted e-mails (which is often technically possible despite the deletion) in order to comply with such a ‘subject access’ request.
Opting in and out
The Privacy and Electronic Communications (EC Directive) Regulations 2003 introduced two new rules in December 2003:
1st new rule
This rule applies to all marketing messages sent by electronic mail, regardless of who the recipient is.
• The sender must not conceal their identity and
• The sender must provide a valid address for opt-out requests.
2nd new rule
This rule only applies to unsolicited marketing messages sent by electronic mail to individual subscribers.
• Senders cannot send such messages unless they have the recipient’s prior consent to do so.
This strict ‘opt-in’ rule is relaxed if three exemption criteria are satisfied. These three exemption criteria are as follows:
1. The recipient’s e-mail address was collected ‘in the course of a sale or negotiations for a sale’.
2. The sender only sends promotional messages relating to their ‘similar products and services’ AND
3. When the address was collected, the recipient was given the opportunity to opt out (free of charge except for the cost of transmission) which they didn’t take. The opportunity to opt out must be given with every subsequent message.
Glossary of terms
‘electronic mail’
This means e-mail and text/picture/video messages.
‘individual subscriber’
This means a residential subscriber, a sole trader or an unincorporated partnership in England, Wales and N. Ireland.
‘unsolicited’
This means something that is not invited. However, it does not mean something that is “unwanted”. For example, you might welcome information about special promotions from a company that you trust and who always offers a good deal. You have not specifically ‘invited’ these offers but you have told the company that you don’t mind receiving information about special promotions that they choose to send you. You may or may not take up the offer if it interests you.
‘consent’
This is where you actively sign up for something and where you know what you are signing up to. There may be a number of ways to indicate consent. For example, where you tick a box as a positive indication that you agree to receive marketing or where it is made clear to you that providing your e-mail address means you agree to receive marketing.
Opt-in/opt-out
Opt-in is where you don’t get marketing e-mails from an organization unless you actively consent to receiving them (see Consent above). Under the new rules, organizations must collect your e-mail address on an opt-in basis unless the three exemption criteria are satisfied.
Opt-out is where you are told that you will get marketing e-mails unless you say you don’t want them. Organizations can only collect your e-mail address on an opt-out basis if they can satisfy the exemption criteria. FAILING TO OPT-OUT WHEN GIVEN THE CHANCE IS NOT THE SAME AS GIVING CONSENT.
‘In the course of a sale or negotiations for a sale’
A sale does not have to be completed to satisfy this criterion. For example, you may have asked for a quote for insurance on-line but chose not to take up the offer. Where the company offering insurance wants to collect your e-mail address to market to you in the future, they should give you a chance to opt-out when they collect that address (see Opt-in/opt-out above). In other words, the prior consent rule is relaxed because your details are being collected in the course of a sale or negotiations for a sale. If you don’t opt-out when your details are collected, they must give you a chance to opt-out with every subsequent marketing message they send.
‘Similar products and services’
In the view of the Data Protection Commissioner’s office, this means ‘what products and services do you reasonably expect to hear about from this organization’. For example, a supermarket may sell a diverse range of products and services but a florist may only sell a limited range of products and services. If you order flowers from an on-line florist and you didn’t opt-out of receiving further e-mail marketing when the on-line florist collected your details (see ‘In the course of a sale or negotiations for a sale’ above), you would only expect to receive e-mails about the limited range of products and services that the florist offers.
Exporting data
Companies that gather data abroad and process it there and are not connected with the EU should consider their own data protection laws and usually not those of the EU/UK. However, UK companies exporting data from the UK/EU to countries that do not have the same strong data protection legislation must consider the impact of the legislation. A lot of data is shipped abroad where labour costs are lower, so it can be processed more cheaply. The eighth data protection principle provides that personal data must not be shipped outside the EU/EEA to countries without adequate data protection legislation unless the individual consents or other conditions are satisfied. Switzerland and Hungary have been found to have adequate laws and there is a special Safe Harbor Agreement with the US, whereby companies who register under it may then export data freely between the US and EEA (although few US companies have signed that agreement). Export is permitted in certain cases, so it is always worth taking legal advice.
The European Commission agreed a set of standard clauses that can be used where data is to be exported. Where the recipient of the data signs the clauses, the export may go ahead. In 2005 an alternative less onerous set was issued in conjunction with the CBI.
Breaching the law
A breach of the Data Protection Act 1998 can lead to a fine of up to £5,000, so companies should do their best to be compliant. In any event, consumers are put off using websites that do not conform to the standard, good, privacy practices of the better websites. Looking at any large consumer-orientated website will show the types of data protection issues which are addressed by such bigger companies. Smaller businesses would be well advised to follow suit.
Example of a privacy policy
An example of a simple Privacy Policy is that of the Information Commissioner’s website:
Privacy and cookies
YOUR INFORMATION
1. If you choose to request an interview with one of our public speakers or want to subscribe to e-mail notification of updates to various areas of the Information Commissioner’s site you will need to pass personal data to the Information Commissioner through this site.
2. Where you provide personal data to the Commissioner such data will be used only for the service you have requested.
3. The Information Commissioner’s site does not automatically capture or store personal data from visitors to the site, other than to log the user’s IP address and session information such as the duration of the visit to the site and the nature of the browser used. This information is used only for administration of the site system and in the compilation of statistics used by the Information Commissioner to assess the use of the site.
The Information Advertising Bureau provide in depth information about cookies. The IAB site also tells you how to remove cookies from your browser.
4. This privacy policy does not cover the links within this site linking to other sites.
The policy tells users how their data will be used. Here it will not be used for any purpose other than what the individual has requested. Other sites may use the data for wider purposes. It also does not store information about users to the site and it explains the relevant technology.
Further information
Information on the DPA is found at www.informationcommissioner.gov.uk.
Practical guidelines on how people can protect their personal privacy have been published by the Information Commissioner’s Office. They have been accredited by the Plain English Campaign and follow the format of a ‘lively comic book’ to provide people with essential information about their rights under the Data Protection Act 1998. The book is called How to manage your personal information under the Data Protection Act and covers issues such as:
• What is personal information?
• How to access your personal information.
• Who can hold this information?
• What can happen if information is wrong or used for a wrong purpose?
• How to change incorrect information? and
• How to deal with junk mail and telesales.
B2B telemarketing guidance published
Guidance on how to comply with rules on business-to-business telemarketing has been published by the Information Commissioner’s Office (ICO). Regulations came into force on 25 June 2004, which allow businesses to register their phone numbers on a national ‘do-not-call list’. The Corporate Telephone Preference Service (the CTPS) requires telemarketers to screen their contact databases against the CTPS and to suppress any calls to companies that are registered. An exemption applies to own customer lists.
The ICO’s guidance warns that marketers must put systems in place to comply with these rules but does accept that mistakes are likely to occur. The ICO has said that as long as companies have acted in good faith and responded to any complaints or opt-out requests it is unlikely to take formal enforcement action.
31,000 companies registered almost as soon as the new system got up and running in June. Since the launch of Corporate TPS on 25 June 2004, 31,182 numbers have been registered on the file. The majority of companies (64%) have registered one number; 31% have registered between two and nine numbers. Four companies have registered over 1,000 numbers. Over 2,000 companies have registered numbers on the file. As of 23 July 2004, companies making unsolicited telemarketing calls must screen data against the CTPS.
Chapter 6 Disability access to website
Summary
‘Reasonable adjustments’?
RNIB recommendations
Compliance
The W3C standard
DRC investigation
Further information
Chapter 6 Disability access to website
Summary
• Part III of the Disability Discrimination Act 1995 requires businesses to seek to ensure their premises and facilities, including websites, are accessible to the disabled.
• The Disability Rights Commission investigates whether sites are compliant.
• Achieving the common ‘W3C’ standard should ensure compliance with the legislation.
• Sometimes only simple adjustments are needed to ensure a site is compliant with the law in this area.
There are many other general laws which apply to websites, but one area of particular concern is the law relating to access to websites by the disabled, which is the subject matter of this final chapter. The Disability Discrimination Act 1995 (‘the DDA’) aims to tackle discrimination against the disabled. The part relevant to websites came into force on 1st October 1999 and the Code of Practice for this section of the Act was published on 27 May 2002. Some changes to the DDA then came into force on 1st October 2004: a small employer exemption was removed. All employers are now legally obliged to make all their services accessible including websites, intranets and extranets. Police and fire services are now also legally obliged to make their websites, intranets and extranets accessible. Previously they were exempt. The only area of employment still specifically excluded is the armed forces. Service providers will have to make physical adjustments to their premises where these features make it impossible or unreasonably difficult for disabled people to use the service they provide. Note that since 1999 websites have had a legal obligation to be accessible.
The DDA makes it an offence unlawfully to discriminate against disabled people including in the provision of services. Discrimination is either treating a disabled person less favourably and/or failing to make ‘reasonable adjustments’ so that disabled people can participate in employment and education or make use of a service. Websites may be covered under the employment provisions, as they may be a means of advertising jobs; or there may be an intranet which staff need to use. Websites will most commonly be covered when they constitute the provision of a service, or they are related to education.
The Code of Practice cites an airline website as an example to define a service on-line. Taken from the Code of Practice 2.13 – 2.17 (p11-13): ‘What services are affected by the Act? An airline company provides a flight reservation and booking service to the public on its website. This is a provision of a service and is subject to the Act.’
‘Reasonable adjustments’?
Steps that should be taken to make reasonable adjustments include changing a practice, policy or procedure which makes it impossible or unreasonably difficult for a disabled person to use a service, and changing any physical features which make it impossible or unreasonably difficult for a disabled person to use a service. Reasonable steps must also be taken to provide ‘auxiliary aids and services’ (an example of which would be an accessible website) where these would enable or facilitate the use of a service. These changes have been required since October 1999. ‘Reasonable’ is not defined in the Act, but the Code of Practice does give some guidance on this, and indicates that it will depend upon:
• the type of service provided
• the type of organization you are and resources available
• the impact on the disabled person.
The RNIB has issued guidance on these provisions and says as follows in relation to penalties – ‘A disabled person can make a claim against you if your website makes it impossible or unreasonably difficult to access information and services. If you have not made reasonable adjustments and cannot show that this failure is justified, then you may be liable under the Act, and may have to pay compensation and be ordered by a court to change your site.’
A useful reference is the case brought against the Sydney Olympics Committee in Australia in 2000. This resulted in a landmark decision against the website owners, requiring them to pay 20,000 Australian dollars.
“This response, I am satisfied, was very hurtful for him; the suggestion that he enlist the aid of a sighted person to assist him was wholly inconsistent with his own expectations and what he himself, unaided, had been able to achieve, both at university level and in business, in spite of his disability. To dismiss him and to continue to be dismissive of him was not only hurtful, he was also made to feel, I am satisfied, various emotions including those of anger and rejection by a significant statutory agent within the community of which he himself was a part.” Judge Hon. William Carter QC.
There have not been any cases so far on the Act, so it is not entirely clear what measures do need to be taken.
RNIB recommendations
The RNIB recommends that websites exceed the basic level of compliance that the World Wide Web Consortium (W3C) recommends in their Website Accessibility Guidelines (WAG). This is not a legal requirement, however. Some websites will be used in education and have more disabled users than others. The Special Educational Needs and Disability Act 2001 (SENDA) establishes legal rights for disabled students in pre- and post-16 education by amending the DDA to include education. The Act ensures that disabled students are not discriminated against in education, training and any services provided wholly or mainly for students. This includes courses provided by further and higher education institutions and sixth form colleges. It is unlawful to treat a student ‘less favourably’ for reasons due to disability. If an individual is at a ‘substantial disadvantage’ due to the way in which a body provides its educational services, responsible bodies are required to take reasonable steps to prevent that disadvantage. This may include:
• changes to policies and practices (these are the only changes required in pre-16 education)
• changes to course requirements or work placements
• changes to the physical features of a building
• the provision of interpreters or other support workers
• the delivery of courses in alternative ways
• the provision of material in other formats.
The application of the law will depend on the size and resources of the educational institution, nature of services and the impact it has on the disabled person.
Compliance
A survey found that 90% of the FTSE 100 companies’ websites did not meet minimum accessibility standards. A report by digital design company Nomensa looked at this area. Disabled access can be ensured by making sites usable by people with disabilities such as sensory or mobility problems. A visually impaired Internet user can use a screen reader to translate the contents of web pages for speech synthesizers or Braille displays; but the user will struggle to understand web pages if, for example, images are displayed on the page without a text alternative (which can be provided in HTML by an ALT tag).
The W3C standard
There is consensus that the best practice is to comply at least with a minimum accessibility level defined by the World Wide Web Consortium, or W3C. It is widely believed that this minimum standard – known as Level One or Level A – is the standard required to fulfill a legal obligation in the UK’s Disability Discrimination Act of 1995. The Act states that it is unlawful for ‘a provider of services’ to discriminate against a disabled person in failing to comply with its provisions.
The Nomensa survey found that 79% of sites surveyed did not provide alternative text for all images and 56% did not use appropriate alternative text. 77% of sites did not allow the font size to be rescaled, which is important for visually impaired users. 99% of sites did not use valid HTML codes to construct their sites, with the result that many of their web pages were displayed incorrectly in some way – a problem exacerbated when screen readers are employed by disabled users. Conformance with the W3C standard was achieved by only 11% of sites, proving, said the report, that ‘Many of the FTSE 100 have a long way to go in providing a public-facing website that supports a diverse range of people with some form of disability.’
Nomensa warned: ‘If the guidelines are not used as a starting point from which to implement accessibility, there can be little expectation that a web accessibility and usability strategy will be successful. Sites without a flourishing strategy of this kind not only stand to endanger customer levels, they run the more serious risk of falling foul of the anticipated measures for the Disability Discrimination Act.’ Only 10% of the FTSE 100 sites showed a good site structure and layout but on the positive side, almost half of the sites included clear, descriptive links. 49% of sites had sufficiently descriptive page titles to satisfy the survey but only one site included access keys – allowing users to navigate by means of keyboard shortcuts rather than a mouse. The report stated: ‘Along with valid code, the inclusion of access keys ranks as the least successful area within the review and the results indicate that more understanding of such techniques is extremely desirable.’ With an average ‘score’ of 3.76 out of 15, the FTSE 100 companies compare unfavourably with an earlier survey by Nomensa of the top 100 university websites. The average university score was nine – a total achieved by only six companies in the present study. The top-rated site was Barclays, followed by Exel Group, HSBC Group and Lloyds TSB. Bottom of the survey was Severn Trent, along with Hanson and Capita Group.
DRC investigation
In 2004 the Disability Rights Commission investigated this area too. The Commission looked at the user friendliness of websites – covering Government, business, leisure, web services and e-commerce. The DRC issued a stern warning that many businesses may not be complying with existing equal access laws and it was ‘only a matter of time’ before they faced legal challenges from disabled consumers. The study also revealed high levels of ignorance among web developers over both the steps required and the costs of making their websites accessible for disabled people. The DRC’s report contains 15 key recommendations aimed at Government, the web industry, business and disability organizations.
Automated software tools – used to test whether the sample sites complied with voluntary web access guidelines set by the World Wide Web Consortium – revealed that 81% of websites (808) failed to meet minimum standards for disabled web access. The survey also found that the average home page contains 108 barriers that make it impossible or very difficult for disabled people to use. The evaluation of 100 websites by the disabled user group revealed that because of poor accessibility over a quarter of the most routine and straightforward online tasks could not be completed successfully. The survey found that blind people were the most disenfranchised of web users. They were unable to perform nearly half the tasks set them despite using devices such as screen readers. They also found that levels of accessibility expertise amongst website developers were low, with only 9% claiming any expertise in access. Only 9% of developers had used disabled people to test their sites.
Further information
The report The Web: Access and Inclusion for Disabled People is at: www.drc-gb.org/publicationsandreports/report.asp
A copy of the Nomensa report can be obtained through www.nomensa.com
Appendices
Appendix 1
  Websites and the internet: frequently asked questions of the information commissioner
Appendix 2
  Complying with the E-Commerce Regulations 2002
    Introduction
    New information requirements
    Information requirements
    Commercial communications
    Electronic contracting
    Limited liability for service providers
    Other sources of information
Appendix 3
  Monitoring at Work
    Guidance for small businesses
Appendix 4
  Extract from: Information Commissioner’s Data Protection Code of Practice – Monitoring at Work Good Practice Recommendations V1.0 29.
Appendix 1
Websites and the internet: frequently asked questions of the information commissioner
1. If we collect personal data directly from individuals via our website, what information should we give them?
For the processing of personal data to be fair, website operators who collect personal data directly from individuals must always ensure that individuals are aware of:
• the identity of the person or organization responsible for operating the website and of anyone else who collects personal data through the site;
• the purposes for which they intend to process the personal data;
• any other information needed to ensure fairness to individuals, taking into account the specific circumstances of the processing. This will include informing individuals of any disclosure of information about them to third parties, including disclosure to companies within the same group.
Unless it is obvious, website operators must give this information to individuals before they collect any personal data from them. It should be remembered that visitors to a website will not necessarily enter it through its homepage. They may, for example, come directly to a particular page via a hypertext link. The above information should therefore be provided at any point at which personal data is collected. It should also be borne in mind that there may be more than one data controller involved in the collection of personal data on a website, particularly where banner advertising is placed by a third party, or where a third party provides a secure payment mechanism. In such cases all data controllers should be identified. Where information is to be used or disclosed for direct marketing purposes, individuals should be provided with the opportunity to prevent this.
Website operators may wish to adopt the Information Commissioner’s padlock symbol (http://wood.ccta.gov.uk/dpr.dpdoc1.nsf). This alerts individuals to the fact that their information is being collected and draws their attention to the explanation of how it is to be used. Further information about the symbol is available on the Commissioner’s website.
2. We have a privacy statement on our website. Is this sufficient?
Although a privacy statement is important, it is not sufficient to provide the above information simply in the form ‘click here to view our privacy statement’. At least the basic messages and choices should be displayed in an intelligible and prominent form wherever personal data is collected, even where a more detailed explanation is provided elsewhere by means of a privacy statement. Clearly, any basic messages or information given about choices should correspond with the contents of any privacy statement.
Help in designing a privacy statement is available. The Organization for Economic Cooperation and Development (OECD) has developed a privacy policy generator. This is available at www.oecd.org under ‘OECD tools’. As a matter of good practice and as an aid to encouraging confidence, a privacy statement should describe not only what a website operator does with personal data but also what it does not do. It should also tell individuals something about their rights and how to exercise them. For example, individuals have a right to be told whether data about them are being processed and to have a copy of the data. They should be told how to go about this. The privacy statement must include the physical address of the website operator unless this is clearly available on the site.
3. If we want to use personal data obtained via our website for direct marketing or to disclose personal data to third parties for their direct marketing purposes, should we provide an ‘opt-in’ or an ‘opt-out’ facility for individuals?
The general standard to ensure compliance with the Data Protection Act 1998 is for a website to provide an individual with an opportunity to opt-out of the use or disclosure of their personal data for direct marketing, whether by e-mail or other means. This requires a statement along the following lines:
• ‘We would like to e-mail you with offers relating to products of ours that we think you might be interested in. Click here if you object to receiving such offers.’
And/or:
• ‘We would like to pass your details on to other businesses so they can e-mail you with offers of goods/services that you might be interested in. Click here if you don’t want your details to be passed on.’
It should be easy for the individual to register his or her wishes. It would not be acceptable, for example, to expect an individual to visit another site to register his or her wishes, or to register his or her wishes by post.
In some cases an opt-out facility will not be sufficient. This is likely to be the case where the processing of sensitive personal data is involved. Where sensitive data about an individual is collected it will usually be necessary to obtain the data subject’s explicit consent to the processing before collecting the information. Sensitive data, as defined in the Act, is information as to a person’s:
• racial or ethnic origin
• political opinions
• religious or similar beliefs
• trade union membership
• physical or mental health
• sexual life
• commission of criminal offences
• involvement in criminal proceedings.
Where explicit consent is required a statement along the following lines will be needed: ‘We keep information you have provided us with about your health in order to send you offers of vitamin supplements we think you are likely to be interested in. Click here to show that you agree to this.’ It should be noted that explicit consent cannot be obtained by the presence of a pre-crossed box. The individual must take some positive action to signify consent and must be free not to consent.
4. We have heard that some other countries always require an opt-in to use personal data for marketing. Is this true?
Our understanding is that within the European Union the general standard is ‘opt-in’ in Germany, Denmark, Finland, Sweden and Italy. There are also developments which may lead to an ‘opt-in’ standard being adopted throughout the EU. For the time being the situation in the UK is that in most cases the opt-in standard is not currently legally enforceable. However, if a website operator wishes to adopt best practice or aspires to market to individuals on the basis of permission or consent, an opt-in is a better indication of a person’s wishes than a failure to opt-out.
5. Are we allowed to ask visitors to our website for information that we only want to support our marketing activities?
There is nothing to stop you doing this but you must not mislead your visitors. This is a common problem with websites. If personal information is only required for marketing and is not strictly necessary for the supply of a product or service it should be made clear to visitors why the information is being requested and its supply should be optional. Wording along the following lines might be used, ‘You do not have to answer the following questions but if you do so your answers will help us understand you better as a customer. We will then be able to bring to your attention offers that we believe you are likely to be interested in’.
6. What are the implications if we use ‘Cookies’ to build our profiles of visitors to our site?
Through tracking the on-line movements of an individual, a website operator is able to develop a profile of that individual which may be used for targeted advertising. If the operator intends to link this profile to a name and postal address or even an e-mail address, there is no doubt that the profile information is personal data subject to the Act.
However, profiles can be developed and used by means of ‘cookies’ without the collection of traditional identifiers. The Commissioner takes the view that in the context of the on-line world the information that identifies an individual is that which uniquely locates him or her in that world, by distinguishing him or her from others. Thus profiles that are based on cookies and that are used to deliver targeted marketing messages to particular individuals are personal data.
Cookies are used in a variety of ways by websites. They are not always used to develop profiles of individual site visitors but a visitor must be informed wherever a cookie or other tracking system enables the collection of personal data. This might be done via an on-line notification that appears before data collection begins, or via the website’s privacy statement. However, if a notification provided via an on-line privacy statement is to be relied upon it is important that at least some reference to the use of tracking technology is clearly displayed to all site visitors.
7. Is the position the same if we use IP Addresses to profile our site visitors?
In theory yes, but in practice it is difficult to use IP addresses to build up personalized profiles. Many IP addresses, particularly those allocated to individuals, are dynamic. Each time a user connects to his or her ISP he or she is allocated an IP address. This IP address will be different each time. Thus it is only the ISP that can link the IP address to an individual. It is hard to see how the collection of dynamic IP addresses without other identifying information would bring a website operator within the scope of the Data Protection Act 1998.
Static IP addresses are different. As with cookies they can be linked to a particular computer which may actually or by assumption be linked to an individual user. If static IP addresses were to form the basis for profiles that are used to deliver targeted marketing messages to particular individuals they, and the profiles, would be personal data subject to the Data Protection Act 1998. However, it is not easy for a website operator to distinguish between dynamic and static IP addresses. Thus the scope for using IP addresses for personalized profiling is limited.
If dynamic or static IP addresses are collected simply to analyze aggregate patterns of website use they are not necessarily personal data. They will only become personal data if the website operator has some means of linking IP addresses to a particular individual, perhaps through other information held or from information that is publicly available on the Internet.
ISPs will of course be able to make this link but the information they keep will not normally be available to a website operator.
8. Are we allowed to use personal data which is available on the internet for our own purposes?
Website operators should exercise caution when obtaining personal data from a source other than the individual him or herself. It is by no means the case that the processing of personal data obtained via the Internet is free from restriction. Simply because individuals have put their e-mail addresses in the public domain, perhaps by participating in a chat-room, does not mean they can be used for marketing or other purposes. Those who use ‘spiders’ or other scavenging type programmes to harvest e-mail addresses, or other personal data from the Internet, are likely to breach the Act unless the use they are making of the information is consistent with the purpose for which it was first made available. If e-mail marketing lists were used there is a responsibility to ensure that the personal data on the list were obtained fairly in the first place, bearing in mind the intended use of the list. The user of the list must also respect any relevant conditions put on its use by the source.
Individuals may choose to put information about themselves on the Internet, for instance by including their CV on their homepage. They should be wary of doing so as the information is clearly open to misuse. Nevertheless, this does not absolve others from their responsibility for ensuring that if they make use of the information they do so fairly with proper regard for the purpose, whether express or implied, for which it was posted on the Internet.
9. We’ve been told we can use a web-bug to collect information about visitors to our site. What is a web-bug and can its use comply with the Data Protection Act 1998?
A web-bug is a graphics file, generally only 1 x 1 pixel in size, that is designed to monitor who is reading a web page or e-mail message. As with the use of a cookie, the use of such a device may well result in personal data being processed. The Act does not necessarily prohibit the use of web-bugs or similar software. However, if the web-bug or similar device is invisible to the person whose on-line activities it is monitoring, it is difficult to envisage how the collection of personal data through the use of such a device can be done fairly. Individuals being monitored through the use of a web-bug or similar device should be informed that monitoring is taking place, who the monitoring is being performed by and for what purposes the monitoring is taking place.
The Information Commissioner suggests that data controllers who intend to place a web-bug or similar device give the individual a simple means of refusing or disabling the device prior to any personal information being collected through it.
10. If we have collected information about someone other than directly from them, do we have to tell them that we have got it?
Where information is obtained from a third party, for example, where one website operator obtains information about an individual from another website operator, there is still a duty to ensure that the subsequent processing of information about the individual is fair, i.e. that the individual is aware of such matters as the identity of the person or organization that now holds the information and the purposes for which it is to be used.
In some cases it may be possible for operators to inform individuals of the fact that information about them is to be obtained indirectly, and the purposes for which the data are to be used, before the data is obtained. This might be the case where the operator has already had contact with the individual, perhaps when he or she has registered with a website, and has informed him or her that there is an intention to obtain information from other sources. In other cases the source may already have provided a full explanation to the individual on behalf of the third party website operator. This might be the case where two operators routinely exchange information about individuals, and their respective fair processing notices explain this.
Where individuals do not have the information necessary to make the processing of personal data about them fair, operators should provide the necessary information as soon as is practicable. If there is an intention to disclose personal data, the explanation should certainly be provided no later than the time when the information is first disclosed.
The website operator does not have to contact the individual where it would involve ‘disproportionate effort’ to do so. If an operator believes this to be the case it will have to ensure that it can provide the necessary explanation to any individual who asks for it. It must also keep a record of the reasons why it concluded that providing the information would involve disproportionate effort. Website operators should be aware that the ease by which explanations can be provided on-line, for example by the automated sending of an e-mail, means that the circumstances in which they can rely on this exemption are limited.
However, the Commissioner would not normally seek to challenge a website operator’s compliance with the Act if after obtaining a legitimate e-mail marketing list, the operator provided the necessary explanation with its first marketing approach rather than separately, as long as the first marketing approach came soon after the list was obtained.
11. Our website is directed at children. Are there any special rules that we have to follow?
Websites that collect information from children may have to put more rigorous safeguards in place to ensure the processing of those children’s information is fair. Website operators should recognize that children generally have a lower level of understanding than adults and notices explaining the way their data will be used should be appropriate to this level of understanding and should not attempt to exploit any lack of understanding. The consent of a parent or guardian is necessary where a child is asked to provide personal data unless it is reasonable to believe the child clearly understands what is involved and is capable of making an informed decision.
The Act does not lay down a precise age at which a child can act in his/her own right and the Commissioner does not consider it is valid to try and do so. Much depends on the capacity of the child and the complexity of the proposition that is being put to him/her. As a general rule the Commissioner considers the standard adopted by Trust UK (www.trustuk.org.uk) in its accreditation criteria to be a reasonable one. This is that: ‘Personal data must only be collected from children with the explicit and verifiable consent of the child’s parent/guardian unless that child is aged 12 years or over, the information collected is restricted to that necessary to enable the child to be sent further but limited on-line communications and it is clear that the child understands what is involved.’ The above standard is based on the definition of a child as a person aged 16 years or under. There are certain practices that, if adopted, are likely to breach the requirements of the Act. These include collecting personal data relating to other people (for example parents) from children and enticing children to divulge personal data with the prospect of a game prize or similar inducement. If personal data collected from children are to be disclosed or transferred to third parties this should not take place without the explicit and verifiable consent of the child’s parent/guardian unless it can be demonstrated that the child really appreciates what is going on and the consequences of his or her actions. Similarly, where a website operator wishes to publish personal data relating to a child on the Internet, the verifiable consent of the child’s parent/guardian should usually be obtained. 
Whether it is necessary to seek the parent or guardian’s consent to publication, rather than that of the child, will again depend on the circumstances, in particular the age of the child, and whether or not the data controller can be certain that the child fully understands the implications of making their information available on the Internet. Where parental consent is required the website operator must have some way of verifying that this has been given. It will not usually be sufficient to simply ask children to confirm that their parents have agreed by means of a mouse click. It will in all likelihood be necessary to revert to postal communication. If parental consent is the required standard but the website operator concludes that the effort in verifying the consent is disproportionate, the proposed marketing activity or other course of action should not be pursued.
12. We collect personal information through our website. Do we have to use an encryption-based transmission system?
A website operator is responsible for the security of its processing of personal data. It must adopt appropriate technical and organizational measures to protect the personal data. The processing of personal data includes its obtaining. A website operator is therefore required to obtain personal data in a way that is sufficiently secure. It is hard to see how this can be done without the use of a secure, encryption-based transmission system if the personal data is in any way sensitive or otherwise poses a risk to individuals, for example because they include credit card numbers. Website operators should be aware that whilst the use of a secure, encryption-based transmission system will protect personal data whilst in transit, there is a potentially greater threat to the security of personal data once the data have been decrypted and they are held in unencrypted form on a website operator’s server. Personal data that are in any way sensitive or otherwise pose a risk to individuals should not be held on a website server or, if they are, should be properly secured by encryption or similar techniques.
13. If we use another company to host our website who is responsible for data protection?
Responsibility for compliance with the Data Protection Act 1998 rests with the data controller, that is the person who determines the purposes for which, and the manner in which, the personal data is or is to be processed. This is likely to be the website operator rather than the host. A data controller does not have to own the equipment on which the processing actually takes place. A website operator that uses a separate processor, i.e. a person who processes personal data on the operator’s behalf, must have a written contract with the processor under which the processor is required to act only on instructions from the website operator and to have in place appropriate technical and organizational security measures.
14. Can we publish personal data on our website?
The eighth principle of the Act states that personal data shall not be transferred outside the European Economic Area if the country to which the data are transferred does not ensure an adequate level of protection for the individual in each case. Placing personal data on the Internet potentially involves a transfer to any country worldwide. In many countries the processing of personal data is not protected by legislation, so it will not always be possible for website providers to guarantee the protection of personal data placed on their website. However,
all the circumstances of such a transfer can be taken into account when assessing the adequacy of protection provided for the data. In some cases the risks arising as a result of a transfer, even in the absence of protective legislation, may be negligible. This may be the case with information that is already in the public domain, for example publication of details of the sporting achievements of well known athletes. It may also be a relevant factor if the information published does not enable the individual to be contacted, although the sensitivity of the information will have to be taken into account. In other cases it will be necessary to obtain the individual’s consent for their data to be published on the Internet. This consent must be ‘informed’, in that the website operator must explain the possible consequences of publishing the data. Consent must also be ‘freely given’ in that the individual must be able to decline without penalty. Although likely to lead to similar conclusions, in most cases the general requirement of fairness in the processing of personal data must also be addressed when considering publication on a website. For example, a yacht club may have traditionally published the names and contact details of its members in a handbook distributed to all members and placed in local libraries. The club now intends to publish these details on its website. Although the information has always been publicly available, the implications for members of publication on the web are significantly different. Fairness requires that the individuals concerned are told that there is an intention to publish information about them on the website and that the wishes of individuals who object are respected. 
If the intention is that information about the club’s membership is only made available to other club members, the club should employ technical means to prevent access by unauthorized individuals, for example, by preventing general access to the site or to the part of the site where information about the club’s members is published through the use of password protection.
15. If we want to use personal data we have obtained through our website differently can we simply change our privacy statement?
The simple answer is no. Changing the privacy statement and other information on the site can only affect how you can use personal data that are obtained after the date of the change. Visitors who provided you with personal data prior to the change will have done so on the basis of the privacy statement and other information you provided at that time. You must honour the assurances you gave them.
If you want to use the personal data differently the safest course of action is to obtain your customers’ consent to the new use. In other words, you must explain the proposed new use to them and only proceed when they have given you a positive indication of their agreement. Failure to respond to an e-mail message would not be sufficient. This is sometimes referred to as ‘opt-in’. The opt-in approach will be necessary if the data you have obtained is to be used by you or others for a new purpose or is to be disclosed either for the first time or to different organizations from those referred to in your privacy statement. It will also be necessary if the personal data is sensitive or if it is subject to a duty of confidentiality which would be breached by the new use. In some cases it will be sufficient to advise your customers of the new use and to give them an opportunity to object. This will be the case if the new use does not amount to use for a new purpose or where the nature and purpose of a new disclosure remains close to the terms described in the privacy statement. For example, your site was originally set up to sell books, your customers were advised only that you would use their information for marketing and they were given an opportunity to opt-out. In the absence of any indication to the contrary they would have assumed your marketing was confined to books. You are now expanding into the sale of CDs and want to market these. As this activity is close to but nevertheless outside the terms of your original privacy statement, you should at least advise those customers that did not opt-out originally of the new use and give them another opportunity to opt-out, either from all marketing or from the marketing of CDs. Those customers that opted out originally should not be contacted. 
If in the above example the new marketing is of financial services or holidays, for example, or if customer details are to be provided to a third party for their marketing, the standard has to be opt-in. This will certainly be the case if, for the first time and with no previous explanation, the marketing is to be based on a profile of the individual’s book buying habits. In other cases the new use might fall within the original privacy statement. For example, the privacy statement might have referred to the intention to market a range of products even though at the time this was confined to books. Now it will include CDs. There is no need to advise customers specifically of this as the products are sufficiently closely related. Clearly the wishes of any customers that subsequently object to the receipt of the new marketing message should be respected. If the new products are substantially different, for example if they now include financial services, the marketing of these would not have been within customers’ expectations even though
arguably the privacy statement might have covered it. It is the interpretation customers are likely to have placed on the privacy statement rather than its precise wording that is important. Depending on how far removed from this likely interpretation the new use is, the standard may be opt-in rather than opt-out.
16. Can we disclose personal data if our web-based company is subject to a take-over or merger?
The Act would not necessarily prevent this. Essentially the position on disclosure is no different simply because a web-based company goes out of business or is otherwise subject to a take-over or merger. A disclosure could breach the Act where individuals have previously been assured that personal data about them will not be disclosed, where the personal data is subject to a duty of confidentiality or where once disclosed the personal data is processed in a manner that has a markedly different effect on individuals. In such cases the consent of individuals will be required before the disclosure takes place. Before making a disclosure of personal data, careful consideration should be given as to how the data was originally obtained. If a disclosure is to take place, in order to prevent unfairness to individuals, it may be necessary to place restrictions on the purposes for which and the manner in which the data may be processed. So long as individuals were not led to believe their data would never be disclosed, the new owner in effect takes over the existing business and the personal data will be used in substantially the same way as previously. The Act is likely to be satisfied if individuals are told of the change of ownership and have an opportunity to object to the new owner holding their details.
17. Do we have to notify the Commissioner if we put personal data on our website or obtain personal data through it?
Website operators who are established in the UK and who process personal data will need to notify the Commissioner unless exempt.
Failure to notify is a criminal offence for those required to do so. There are conditional exemptions from notification where personal data are only processed for certain core business purposes. These include advertising and marketing your own business and keeping accounts and records. The exemptions will not necessarily be lost because personal data are obtained through a website or used for marketing by electronic means. They are more likely to be lost through publishing personal data on a website. Many website operators will need to notify under the Act. You should visit www.dpr.gov.uk for more information about this and to notify. The current fee for notification is £35 for one year.
18. Does the Data Protection Act 1998 apply if our website is operated outside the UK?
Website operators not based in the UK but established elsewhere within the European Economic Area (EEA) will be subject to the data protection laws of the countries where they are established. In some circumstances website operators established outside the EEA might be subject to UK data protection law. If a website operator established outside the EEA uses equipment in the United Kingdom to process personal data, the processing will be subject to the Act even though the operator is not established in the UK. This might be the case where the operator’s site is hosted in the UK or where the operator places a ‘cookie’ on the computer of a UK Internet user in order to create a profile of that individual’s on-line behaviour.
19. What is the position if I only use my website for domestic purposes?
Where personal data is processed only for an individual’s personal, family or household affairs, including recreational purposes, the data is exempt from the Act’s notification requirements and from the requirements of the data protection principles. However, the Information Commissioner retains her powers of investigation and enforcement to determine whether the scope of the exemption has been exceeded, for example because the site is also used for business purposes.
20. Is this the Commissioner’s final word on the question of data protection and websites?
No, these frequently asked questions may be updated in the light of technological, legal or other developments. Please let us know if there are questions of general interest to website operators that we have failed to address.
Appendix 2
Complying with the E-Commerce Regulations 2002
You should read this guide if you…
• advertise goods or services online (i.e. via the Internet, interactive television or mobile telephone)
• sell goods or services to businesses or consumers online
• transmit or store electronic content or provide access to a communication network.
Action you may need to take
If the Regulations apply to you, you may need to make textual or structural changes to the medium you use to advertise or sell your goods or services online, e.g. your website, in order to comply with the new requirements.
Introduction
What are the Electronic Commerce Regulations 2002?
The Electronic Commerce (EC Directive) Regulations 2002 (SI 2002 No.2013) (“Regulations”) transpose the main requirements of the E-Commerce Directive (2000/31/EC) into UK law.
What are the Regulations intended to achieve?
The purpose of the Directive (and therefore the Regulations) is to encourage greater use of e-commerce by breaking down barriers across Europe and boost consumer confidence by clarifying the rights and obligations of businesses and consumers.
It also seeks to promote the single market in Europe by ensuring the free movement of “information society services” (essentially all commercial online services) across the European Economic Area (i.e. the 15 Member States of the European Union and Iceland, Norway and Liechtenstein).
Who do the Regulations apply to?
The Regulations may apply to you if you do any of the following:
• advertise goods or services online (i.e. via the Internet, interactive television or mobile telephone)
• sell goods or services to businesses or consumers online
• transmit or store electronic content or provide access to a communication network.
What are the key features of the Regulations?
The Regulations include provision for:
• the national law that will apply to online services
• the information an online service provider must give a consumer, including discounts and offers in online advertising and how to conclude contracts online
• limitations on service providers’ liability for unlawful information they unwittingly carry or store.
What is the legal status of this guide?
This guide to the Regulations is designed to help you to identify the steps you may need to take to ensure that you comply with their requirements and minimise any resulting compliance costs. This guide has no legal force but is intended to help you understand how the main features of the Regulations will impact on you. It is intended as a general overview only and should not be taken as legal advice. If you are affected by the Regulations you should refer to them for a full statement of the requirements and, in case of doubt, seek legal advice on questions of interpretation.
REFERENCE
The official text of the Regulations is available in hard copy from normal suppliers and on the HMSO website at: http://www.hmso.gov.uk/si/si2002/20022013.htm. More substantive guidance on the Regulations is available on the DTI website at: www.dti.gov.uk/cii/ecommerce/europeanpolicy/ecommerce_directive.shtml
What happens to businesses that do not comply?
Non-compliance with the Regulations could have serious implications for a business. Depending on the exact nature of the non-compliance, end users may:
• cancel their order
• seek a court order against you
• sue you for damages for breach of statutory duty if they can demonstrate that they have suffered a loss as a result of your failure to comply with your obligations under the Regulations.
As of 23 October 2002, the consumer-protection aspects of these Regulations will also be subject to the Stop Now Orders (EC Directive) Regulations 2001. This extension will permit the Director General of Fair Trading and Trading Standards Departments to apply to the courts for a Stop Now Order if your failure to comply with the Regulations “harms the collective interest of consumers”. The courts will also have the power to order you to publish corrective statements with a view to eliminating the continuing effects of past infringements. If you fail to comply with a Stop Now Order you may be held to be in contempt of court and could face a fine and/or imprisonment.
Who enforces the Regulations?
The definition of enforcement authorities in the Regulations includes any body able to impose a sanction for failure to observe or comply with any provision of UK law. Examples include Trading Standards Departments, the Office of Fair Trading and the Independent Committee for the Supervision of Standards of Telephone Information Services (ICSTIS).
Whose law will apply to cross-border trade?
The Regulations seek to liberalise the provision of online services in two key ways:
• first, they require UK-established service providers to comply with UK laws even if they are providing those services in another Member State. In other words, UK-established service providers will have to comply with UK law even if they are providing their services to, for example, French recipients; and
• second, they prevent the UK from restricting the provision of information society services from another Member State in the EEA.
These basic rules are subject to a number of qualifications and exclusions, which include in particular the freedom to choose the law applicable to a contract and contractual obligations concerning consumer contracts. In addition, the Regulations permit UK enforcement authorities (and in certain cases courts) to take proportionate measures against given services on a case-by-case basis in limited circumstances (e.g. if such restrictions are necessary to protect public policy or consumers). The Regulations do not deal with the jurisdiction of the courts (i.e. which court will hear a cross-border trading dispute) but a Guidance Note from the DTI is available on this issue.
REFERENCE
The DTI website at www.dti.gov.uk/cacp/ca/policy/jurisdiction/index.htm
New information requirements
The new information requirements contained in the Regulations can be divided into three categories, as seen below.
1. Information requirements
These requirements include providing your end users with:
• the full contact details of your business
• details of any relevant trade organisations to which you belong
• details of any authorisation scheme relevant to your online business
• your VAT number, if your online activities are subject to VAT
• clear indications of prices, if relevant, including any delivery or tax charges.
2. Commercial communications
These requirements include providing your end users with:
• clear identification of any electronic communications designed to promote (directly or indirectly) your goods, services or image (e.g. an e-mail advertising your goods or services)
• clear identification of the person on whose behalf they are sent
• clear identification of any promotional offers you advertise e.g. any discounts, premium gifts, competitions, games
• clear explanation of any qualifying conditions regarding such offers
• clear indication of any unsolicited commercial communications you send.
3. Electronic contracting
These requirements include providing your end users with:
• a description of the different technical steps to be taken to conclude a contract online
• an indication of whether the contract will be filed by your business and whether it can be accessed
• clear identification of the technical means to enable end users to correct any inputting errors they make
• an indication of the languages offered in which to conclude the contract.
Information requirements
Does this category of the Regulations apply to you?
This category of Regulations applies to anyone who advertises or sells goods or services online (e.g. via the internet, mobile phone or interactive television).
What must you do?
You must ensure you provide end users with:
• the full name of your business
• your geographic address
• contact details, including an e-mail address, to enable direct and rapid communication with you.
Other information requirements
These requirements may apply depending on the nature of your business.
If you belong to a trade association whose register is open to the public (e.g. CORGI), provide end users with:
• the name of the register
• your registration number or other means of identification on the register
If your online service is subject to an authorisation scheme (e.g. an authorisation to advertise or sell financial services), provide end users with:
• the details of the relevant supervisory authority which has granted the authorisation
If your business is part of a profession whose qualifications are recognised across Europe (e.g. the Institute of Chartered Accountants), provide end users with:
• details of any professional body or institution with which you are registered
• details of any professional titles you hold
• details of the Member State in which such titles were granted
• a reference to professional rules and how end users can access them
If your online business activities are subject to VAT, provide end users with:
• details of your VAT number
If you refer to prices, provide end users with:
• a clear indication of prices
• details of any associated taxes and delivery costs
Technological constraints
The Government recognises that technological constraints (e.g. the 160-character limit on a mobile text message) may mean that you may not be able to provide the information by the same means by which you transact with your customers. The Government believes that the information requirements outlined above will be met if the information is accessible by other means. For example, if a customer purchases one of your products or services via their mobile telephone, you should be able to satisfy the requirements if you put the relevant information on your website.
Temporary interruptions
Similarly, the Government believes that temporary interruptions to the availability of information that are essential (e.g. for maintenance purposes) or unavoidable (e.g. if your computer system crashes because of a virus) will not place you in breach of your legal obligations.
Other relevant legislation
The information requirements outlined above are in addition to existing requirements, including those under the Consumer Protection (Distance Selling) Regulations 2000. These, amongst other things, require you to provide a description of your goods or services, details of any after sales services and guarantees and details of your customers’ rights to cancel orders.
REFERENCE
The official text of the Consumer Protection (Distance Selling) Regulations is available in hard copy from normal suppliers and on the HMSO website at: www.hmso.gov.uk/si/si2000/20002334.htm.
Commercial communications
Does this category of the Regulations apply to you?
This category of Regulations applies to anyone who actively promotes their goods or services through any form of electronic communication (e.g. an e-mail advertising your goods or services).
What must you do?
Any form of electronic communication designed to promote your goods, services or image, such as an e-mail advertising your goods or services, must:
• be clearly identifiable as a commercial communication
• clearly identify the person and/or organisation on whose behalf it is sent.
Other requirements
These requirements may apply depending on the nature and content of your electronic commercial communications:
If your electronic commercial communications contain discounts, promotional offers, premiums, gifts, promotional competitions or games, you must:
• clearly identify them as such
• ensure that any qualifying conditions for such offers, promotions or games are easily accessible and presented clearly and unambiguously.
If you send unsolicited commercial communications by e-mail (e.g. an e-mail advertising your goods or services which is sent to a recipient who has not requested it)*, you must:
• ensure that recipients are able to identify them as such as soon as they receive them
* Possible ways of meeting this requirement include placing the words “unsolicited advertisement” or “unsolicited commercial communication” in the title of the e-mail. The purpose of this requirement is to ensure that recipients or their Internet service providers can block or delete the e-mail without the need to open and read it.
The definition of commercial communications in the Regulations does not cover domain names and e-mail addresses themselves, independent audits of your products, statutory reports or reports compiled by independent regulators. Certain specific types of communications, such as mobile text “welcome messages” and electronic greetings cards, may not be “designed” to promote your business and may not fall within the definition. Such matters of interpretation will be addressed on a case-by-case basis by the relevant enforcement authority.
Other relevant legislation
The Regulations do not define what is meant by ‘unsolicited commercial communications by e-mail’, but mobile text messages are not considered to be within the scope of this requirement. The Information Commissioner, however, treats such messages as “calls” for the purposes of the provisions regarding unsolicited direct marketing in the Telecommunications (Data Protection and Privacy) Regulations 1999; you should refer to these Regulations for a full statement of those requirements.
REFERENCE
The official text of the Telecommunications (Data Protection and Privacy) Regulations is available in hard copy from normal suppliers and on the HMSO website at: www.hmso.gov.uk/si/si1999/19992093.htm.
Electronic contracting
Does this category of the Regulations apply to you?
This category applies to anyone who enables end users to place orders online.
What must you do?
You must provide end users with the following information in a “clear, comprehensive and unambiguous manner” prior to an order being placed:
• the different technical steps to follow in order to conclude the contract so that end users are made aware of what the process will involve and the point at which they will commit themselves to the contract*
• whether or not the concluded contract will be filed by you and whether it will be accessible*
• the technical means for identifying and correcting input errors made by an end user prior to placing an order so that end users know how to correct any mistakes they make*
• the languages offered for the conclusion of the contract.*
If you subscribe to codes of conduct, you must:
• supply details of any relevant codes of conduct and details of how end users can access them.* (The Government believes that the codes in question are those relevant to the particular order and not to your business as a whole.)
If you supply end users with the terms and conditions applicable to their contract, you must:
• make them available in a way which allows them to store and reproduce them. (You should be able to satisfy this requirement if end users are able to save the terms and conditions onto their computer and subsequently print them out.)
If an end user places an online order with you, you must:
• acknowledge receipt of the order without undue delay and by electronic means*
• make available appropriate, effective and accessible technical means which will allow them to identify and correct input errors prior to the placing of the order.*
The Regulations state that the order and the acknowledgement of receipt are deemed to have been received when the parties to whom they are addressed are able to access them. Receipt of the order need not be acknowledged by the same means used by your customer to place their order.
* These requirements do not apply to:
• online transactions between two businesses (i.e. B2B transactions) if both parties agree to opt out of them
• contracts concluded exclusively by exchange of e-mail or by equivalent individual communications.
Limited liability for service providers
The Regulations limit the liability of service providers who unwittingly carry or store unlawful content provided by others in certain circumstances. You should refer to Regulations 17 – 22 for a full statement of the requirements you will have to meet in order to qualify for these limitations and in case of doubt you should seek legal advice on such issues.
REFERENCE
The official text of the Regulations is available in hard copy from normal suppliers and on the HMSO website at: http://www.hmso.gov.uk/si/si2002/20022013.htm.
Other sources of information
DTI
You can contact the DTI at:
Department of Trade and Industry
International Communications
Bay 206
151 Buckingham Palace Road
London SW1W 9SS
Tel: (020) 7215 1806
Fax: (020) 7215 4161
E-mail: [email protected]
Trading Standards Offices
You will find the address and telephone number of your local Trading Standards Department for England, Scotland or Wales in the telephone book under ‘Local Authority’ or on the Internet by visiting www.tradingstandards.gov.uk and entering your postcode. The address for Northern Ireland is:
Trading Standards Service
Department of Enterprise, Trade and Investment
176 Newtownbreda Road
Belfast BT8 6QS
Tel: (028) 9025 3900
Fax: (028) 9025 3953
E-mail: [email protected]
You can contact the Office of Fair Trading through its website, www.oft.gov.uk, or at:
Office of Fair Trading
Fleetbank House
2-6 Salisbury Square
London EC4Y 8JX
Tel: (020) 7211 8000
Fax: (020) 7211 8800
E-mail: [email protected]
Appendix 3: Monitoring at Work
Guidance for small businesses
This guidance has been produced to help small businesses comply with the Data Protection Act when monitoring their workers. It is based on Part 3 of the Information Commissioner’s ‘Employment Practices Data Protection Code’. The Code itself contains, in full, the Information Commissioner’s recommendations as to how the legal requirements of the Act can be met. It can be used by those who need additional information. The full Code is available free of charge from our office.
What is the Data Protection Act?
• The Data Protection Act concerns information about living, identifiable people, such as workers.
• It regulates, through the data protection principles, how information about them can be collected, handled and used.
• It also gives them rights such as access to the information and compensation if things go wrong.
• It applies to computerised information and to some manual records, such as personnel files.
How does the Act affect monitoring?
• If you monitor your workers by collecting or using information about them, the Data Protection Act will apply. This might be the case, for example, when you video workers to detect crime, when you check telephone logs to detect excessive private use, when you monitor emails or check internet use.
• The Act doesn’t generally prevent monitoring, but sets out principles which apply when it is carried out. In short, data protection means that any adverse impact of monitoring on workers must be justified by its benefit to the employer and/or others.
• The Act requires openness. Workers should be aware of the nature, extent and reasons for any monitoring unless, exceptionally, covert monitoring is justified.
If I want to monitor my workers, what do I have to do?
• Consider why you want to carry out the monitoring. This might involve identifying a problem you are trying to solve, for example theft in the workplace.
• Once you are clear about the purpose, satisfy yourself the particular monitoring arrangement is justified by real benefits that will be delivered.
• Remember that:
  1. it will usually be intrusive to monitor your workers
  2. workers have legitimate expectations that they can keep their personal lives private
  3. workers are entitled to a degree of privacy in the work environment.
• Consider whether alternatives or different methods of monitoring would deliver acceptable benefits with less adverse impact on workers. Can you target the monitoring at an area of risk, for example the part of your premises where you think theft is occurring?
• Ensure your workers are aware that they are being monitored and why. You could tell them this using a notice on a notice-board or signage in the areas where monitoring is taking place. If your workers have computers, you could send them an e-mail telling them about the monitoring. Workers’ awareness will influence their expectations.
• If monitoring is to be used to enforce your rules and standards make sure workers know clearly what these are.
• Only use information obtained through monitoring for the purpose for which the monitoring was carried out, unless the monitoring leads to the discovery of an activity that no employer could reasonably be expected to ignore, for example breaches of health and safety rules that put other workers at risk.
• Keep the information you obtain through monitoring secure. This might mean only allowing one or two people to have access to it. You should also make sure you don’t keep the information for longer than necessary or keep more information than you really need. This might involve deleting it once disciplinary action against a worker is over.
Are there other points to consider for particular types of monitoring?
• Be particularly careful when monitoring communications, such as emails, that are clearly personal. Avoid wherever possible opening emails, especially those that clearly show they are private or personal. Confine monitoring to the message’s address or heading.
• If it is necessary to check the e-mail accounts or voice-mails of workers in their absence, make sure they are aware this will happen.
• Where video or audio monitoring is justified target the monitoring, where possible, at areas of particular risk, and confine the monitoring to areas where expectations of privacy are low.
• Ensure that any use of information held by third parties, such as credit reference or electoral roll information, for monitoring is justified. Take particular care with any information you hold about workers as a result of a non-employment relationship with them, perhaps because they are also your customers.
• If you are justified in obtaining information about a worker’s criminal convictions for monitoring, only do so through a ‘disclosure’ obtained via the Criminal Records Bureau.
• Ensure that if workers are monitored through the use of information held by a credit reference agency, the agency is aware of the use to which the information is to be put. Do not use a facility provided to conduct credit checks on customers to monitor or vet workers.
Can I ever undertake secret monitoring?
• It is rare for the covert monitoring of workers to be justified. Do not carry it out unless it has been authorised at the highest level in your business. You should be satisfied that there are grounds for suspecting criminal activity or equivalent malpractice, and that notifying individuals about the monitoring would prejudice its prevention or detection.
• Deploy covert monitoring only as part of a specific investigation and cease once the investigation has been completed. Do not use covert monitoring in places such as toilets or private offices unless there is suspicion of serious crime and there is an intention to involve the police.
What rights do my workers have?
• Remember that workers have a legal right of access to information you hold on them, including information you obtain through monitoring. Normally you must give access when a worker requests it, but you can withhold information where providing it to the worker would prejudice the detection of crime.
• Allow workers to make representations about the information you gather through monitoring where it might have an adverse impact on them. It may be that equipment or systems malfunction means that the information obtained through monitoring is inaccurate or misleading. Information obtained from third parties may simply be wrong.
For further information about monitoring in the workplace please visit the Information Commissioner’s website at: www.informationcommissioner.gov.uk where the full code is available. Contact us on 01625 545745 or write to us at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Appendix 4
Extract from: Information Commissioner’s Data Protection Code of Practice – Monitoring at Work Good Practice Recommendations V1.0 29.
3.3 Monitoring electronic communications.
This sub-section deals with the monitoring of telephone, fax, e-mail, voicemail, internet access and other forms of electronic communication.
3.3.1 If you wish to monitor electronic communications, establish a policy on their use and communicate it to workers – see ‘Policy for the use of electronic communications’ below.
Key points and possible actions:
• If your organisation does not have a policy on the use of electronic communications, decide whether you should establish one.
• Review any existing policy to ensure that it reflects data protection principles.
• Review any existing policies and actual practices to ensure that they are not out of line, e.g. whether private calls are banned in the policy but generally accepted in practice.
• Check that workers are aware of the policy and if not bring it to their attention.
Policy for the use of electronic communications
Employers should consider integrating the following data protection features into a policy for the use of electronic communications:
• Set out clearly to workers the circumstances in which they may or may not use the employer’s telephone systems (including mobile phones), the email system and internet access for private communications.
• Make clear the extent and type of private use that is allowed, for example restrictions on overseas phone calls or limits on the size and/or type of email attachments that they can send or receive.
• In the case of internet access, specify clearly any restrictions on material that can be viewed or copied. A simple ban on ‘offensive material’ is unlikely to be sufficiently clear for people to know what is and is not allowed. Employers may wish to consider giving examples of the sort of material that is considered offensive, for example material containing racist terminology or nudity.
• Advise workers about the general need to exercise care, about any relevant rules, and about what personal information they are allowed to include in particular types of communication.
• Make clear what alternatives can be used, e.g. the confidentiality of communications with the company doctor can only be ensured if they are sent by internal post, rather than by e-mail, and are suitably marked.
• Lay down clear rules for private use of the employer’s communication equipment when used from home or away from the workplace, e.g. the use of facilities that enable external dialling into company networks.
• Explain the purposes for which any monitoring is conducted, the extent of the monitoring and the means used.
• Outline how the policy is enforced and penalties which exist for a breach of policy.
There may, of course, be other matters that an employer also wants to address in its policy.
3.3.2 Ensure that where monitoring involves the interception of a communication it is not outlawed by the Regulation of Investigatory Powers Act 2000.
Key points and possible actions
• Interception occurs when, in the course of its transmission, the contents of a communication are made available to someone other than the sender or intended recipient. It does not include access to stored emails that have been opened.
• The intended recipient may be the business, but it could be a specified individual.
• Check whether any interception is allowed under the Lawful Business Practice Regulations.
• Take any necessary action to bring such monitoring in line with RIPA and these Regulations.
See Supporting Guidance Page 28 for more information about the Lawful Business Practice Regulations.
3.3.3 Consider – preferably using an impact assessment – whether any monitoring of electronic communications can be limited to that necessary to ensure the security of the system and whether it can be automated.
Key points and possible actions
• Automated systems can be used to provide protection from intrusion, malicious code such as viruses and Trojans, and to prevent password misuse. Such systems may be less intrusive than monitoring of communications to or from workers.
3.3.4 If telephone calls or voice-mails are, or are likely to be, monitored, consider – preferably using an impact assessment – whether the benefits justify the adverse impact. If so, inform workers about the nature and extent of such monitoring.
Key points and possible actions
• If telephone calls or voice-mails are monitored, or will be monitored in the future, consider carrying out an impact assessment.
• If voice-mails need to be checked for business calls when workers are away, make sure they know this may happen and that it may be unavoidable that some personal messages are heard.
• In other cases, assess whether it is essential to monitor the content of calls and consider the use of itemised call records instead.
• Ensure that workers are aware of the nature and extent of telephone monitoring.
3.3.5 Ensure that those making calls to, or receiving calls from, workers are aware of any monitoring and the purpose behind it, unless this is obvious.
Key points and possible actions
• Consider the use of recorded messages, informing external callers that calls may be monitored.
• If this is not feasible, encourage workers to tell callers that their conversations may be monitored.
3.3.6 Ensure that workers are aware of the extent to which you receive information about the use of telephone lines in their homes, or mobile phones provided for their personal use, for which your business pays partly or fully. Do not make use of information about private calls for monitoring, unless they reveal activity that no employer could reasonably be expected to ignore.
Key points and possible actions
• Remember that expectations of privacy are likely to be significantly greater at home than in the workplace.
• If any workers using mobiles or home telephone lines, for which you pay, are currently subjected to monitoring ensure that they are aware of the nature and the reasons for monitoring.
3.3.7 If e-mails and/or internet access are, or are likely to be, monitored, consider, preferably using an impact assessment, whether the benefits justify the adverse impact. If so, inform workers about the nature and extent of all e-mail and internet access monitoring.
Key points and possible actions
• If e-mails and/or internet access are presently monitored, or will be monitored in the future, consider carrying out an impact assessment.
• Check that workers are aware of the nature and extent of e-mail and internet access monitoring.
3.3.8 Wherever possible avoid opening e-mails, especially ones that clearly show they are private or personal.
Key points and possible actions
• Ensure that e-mail monitoring is confined to address/heading unless it is essential for a valid and defined reason to examine content.
• Encourage workers to mark any personal e-mails as such and encourage them to tell those who write to them to do the same.
• If workers are allowed to access personal e-mail accounts from the workplace, such e-mails should only be monitored in exceptional circumstances.
3.3.9 Where practicable, and unless this is obvious, ensure that those sending emails to workers, as well as workers themselves, are aware of any monitoring and the purpose behind it.
Key points and possible actions
• It may be practicable – for example when soliciting e-mail job applications – to provide information about the nature and extent of monitoring.
• In some cases, those sending e-mails to a work-place address will be aware that monitoring takes place without the need for specific information.
3.3.10 If it is necessary to check the e-mail accounts of workers in their absence, make sure that they are aware that this will happen.
Key points and possible actions
• If e-mail accounts need to be checked in the absence of workers, make sure they know this will happen.
• Encourage the use of a marking system to help protect private or personal communications.
• Avoid, where possible, opening e-mails that clearly show they are private or personal communications.
3.3.11 Inform workers of the extent to which information about their internet access and e-mails is retained in the system and for how long.
Key points and possible actions
• Check whether workers are currently aware of the retention period of e-mail and internet usage.
• If it is not already in place, set up a system (e.g. displaying information online or in a communication pack) that informs workers of retention periods.