The Forthcoming Cookie Legislation

We all need our privacy!

On 26 May 2011 I asked “How Should UK Universities Respond to EU Cookie Legislation?” The post was published the day before UK government legislation based on the EU Directive requiring users to opt-in to cookie use was due to come into force. However, in light of the government’s awareness of the difficulties in conforming with the legislation, the Information Commissioner’s Office (ICO) announced that UK websites were to be given one year to comply with EU cookie law. But May 2012 is now only three months away, so how are UK Universities responding?

As described in a post on The Half Term Report on Cookie Compliance, in December 2011 the ICO published a new set of Guidelines on the Rules on use of Cookies and Similar Technologies (available in PDF format). The guidelines seemed to appreciate the difficulties which institutions may face in implementing policies and practices which conform with legal requirements (“The Information Commissioner will take a practical and proportionate approach to enforcing the rules on cookies. He has to enforce the law, but he does have some discretion in how he exercises his formal enforcement powers”), but made clear the importance of making web site visitors aware of the reasons why personal information is being gathered and used: “A key point here is ensuring that the information you provide is not just clear and comprehensive but also readily available”.

One of the key challenges will be in developing policy statements regarding information which is gathered and stored in cookies.

Learning from Current Practices

Back in May 2011 a survey of cookie use across the twenty Russell Group universities was carried out and the findings published in a post on Privacy Settings For UK Russell Group University Home Pages. Subsequently staff working in institutional web teams across the wider UK higher education sector were invited to provide links to their privacy policies in a Google spreadsheet. The following table provides links to privacy policies and statements based on the information available from the spreadsheet.

No.  Institution       Privacy Policy
 1   Aberdeen          Privacy statement
 2   Aberystwyth       Terms and Conditions
 3   Bath              Privacy
 4   Bath Spa          Website Terms and Conditions of Use
 5   Birmingham        Privacy
 6   Bristol           Privacy and cookie policy
 7   Cambridge         Privacy policies for services
 8   Cardiff           Privacy Policy
 9   Cranfield         Cranfield University Privacy Policy
10   Edge Hill         Privacy Statement
11   Edinburgh         Website privacy policy
12   Glasgow           Privacy statement
13   KCL               Privacy statement
14   Leeds             Privacy statement
15   Liverpool         Personal information on the web
16   LSE               Privacy and data protection
17   Manchester        Privacy
18   Nottingham        Privacy
19   Oxford            Privacy Policy
20   Sheffield         Privacy Policy
21   Sheffield Hallam  Privacy Policy
22   Staffordshire     Protecting Privacy on Data Transmission over the Internet
23   UCL               Privacy
24   Warwick           Website terms and Conditions
25   York              Legal Statements

The links aim to make it easy for people to see the approaches which are being taken by others within the sector.

Sharing Practices

In addition to the passive process of seeing what others are doing and making use of approaches which appear useful, it can be more useful to engage collaboratively in the development of public privacy statements, such as those listed above, as well as in discussions about important issues. These include approaches to auditing cookie use on web sites; ongoing auditing processes; policies for web sites which are not under the control of a central web team; and the internal processes for developing policies and procedures, including reaching agreement on the institution’s willingness to take risks if it is not possible to conform with the letter of the legislation.

Claire Gibbons, the Senior Web and Marketing Manager at the University of Bradford, has had responsibility for the development of the privacy policy at her host institution. As described in a recent blog post about a north east regional web meeting, Claire:

shared our experience in terms of doing an audit of what cookies we have and presenting an updated privacy policy to our Information, Infrastructure, Access and Security group who actually signed it off. However, after subsequent conversations with colleagues and reading up a bit more I think we need to do some more work here to go beyond the ‘corporate web’ or at least point out that our Privacy policy covers and anything on another domain isn’t covered by this policy.

Claire subsequently made her draft cookie policy available as a resource which can be used and commented on by others. The draft cookie policy has been uploaded to JISCPress, with references to Bradford University removed to facilitate its use by others. Claire has made use of JISCPress’s commenting facilities to annotate the document, and is now inviting comments from her peers across the sector.

Feedback can be provided on the JISCPress site or on this blog.