Internet Publishing and the Data Protection Act 1998
If you have any comments about this guidance document, we would very much
appreciate hearing them. Please contact us with your feedback.
Audience and purpose
- This guidance is intended for any member of staff who publishes information
on an external University website.
- Many websites within the University are used to publish personal
data. For example, many units list the names and contact details of
members of staff. Listings for academic staff often give details of their
research interests and publications. Some units also publish photographs
of staff and students. Many committees use the Internet to publish their minutes
which contain the names of committee members. The publication of this
information falls within the remit of the Data Protection Act. This
guidance gives advice on the issues you need to consider to ensure that
the information you intend to publish is compliant with the Data Protection Act
1998.
- You only need to comply with this guidance if you are publishing personal
data on the external website. If you are in any doubt about whether
the information is personal data please contact the Records Management Section.
Why should I do this?
- Publishing personal data on the Internet without the necessary protections is
a breach of the Data Protection Act. This is because the eighth data protection
principle prevents personal data from being transferred to countries outside the
European Economic Area unless an adequate level of protection is provided.
Publishing personal data on the Internet makes it accessible world wide and is
therefore an international transfer of personal data.
What should I do?
- Only publish personal information on the Internet if the individual
concerned has consented to the publication. There are different ways of
obtaining consent; which one you use depends on the risk associated with
publishing the information.
- Assess the risks of publication using the following matrix. Answers of "Low" or "Very low" to the questions
indicate lower risk whereas answers of "High" or "Medium"
indicate higher risk.
| | High | Medium | Low | Very low |
|---|---|---|---|---|
| How sensitive is the information I wish to publish? | | | | |
| How much information do I wish to publish about that individual? | | | | |
| How likely is it that the individual will not want their information published? | | | | |
- In cases of higher risk use either option 1 or 2 described below.
In cases of lower risk you can use option 3.
- In all cases, you must make
provisions so that you can quickly remove personal information from the Internet
if an individual asks you to. For example, this might happen if someone starts being
stalked, which is more prevalent than we are
generally aware.
Option 1
- The individual concerned publishes their own information on the Internet,
if they wish to do so.
Advantages:
- It is less bureaucratic.
- Gives the individual control over what is published.
- As the individual concerned published the information, publication is
clearly with their consent.
Disadvantages:
- The individual might not have time.
- It might not be appropriate for some documents, for example committee
minutes.
Option 2
- Before you publish the information obtain explicit consent from the
individual concerned via a signed consent form. The consent
must be freely given, specific and informed. You must keep the form for as
long as the information is on the website. If the individual later changes
his / her mind you must remove their personal data from the Internet.
Advantage:
- Provides you with a great deal of protection under the
legislation.
Disadvantage:
Option 3
- In advance of publishing tell the individual concerned that you intend to
publish their details on the Internet. Be specific about what information
you are going to publish. Explain how they can object, if they wish to, and
give them enough time to do so (at least 4 weeks). If they later ask you to remove their
details from the Internet you must do so.
Advantage:
Disadvantage:
- If a complaint occurs it may be difficult to prove conclusively
that you obtained a sufficient level of consent. You must therefore
assess the risks, see paragraph 6 above.
Frequently asked questions
What help is available?
- The University Records Management Section provides advice,
guidance and training on data protection, records management and freedom of
information issues. For further information please contact us.
Author: Anne Thompson
Version 8, December 2007

The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336