Skip to main content

Internet: Data Protection

Volume 493: debated on Thursday 4 June 2009

To ask the Secretary of State for the Home Department what requirements there are for UK internet service providers wishing to use deep packet inspection targeted advertising systems to obtain consent from individual internet users prior to the collection of data relating to individuals. (277873)

I have been asked to reply.

The Data Protection Act 1998 (DPA) requires all data controllers, including internet services providers, to comply with the DPA and the data protection principles, when processing personal data. Personal data must not be processed unless, amongst other things, at least one of the conditions in Schedule 2 to the DPA is met. In the case of sensitive personal data, a condition in Schedule 3 must also be met. Consent is one condition for processing personal data, but it is not the only one, and whether consent is required for certain processing to take place will depend upon the particular circumstances.

Additionally the Internet Advertising Bureau has recently launched a code of practice which focuses on free and informed consent. Many internet services providers and key players have signed up to this, including Phorm, Google, Yahoo, Microsoft and AOL.

Anyone with concerns or complaints about the way in which personal data are being processed can refer the matter to the Information Commissioner, the independent regulator for the DPA, to investigate.