The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, which came into effect last year, has presented UK website owners with a few challenges in moving to compliance. Those of us who work on public sector websites are no exception. We wrote about some of the ways we were working towards compliance here at GOV.UK in a previous post.
In spite of the challenges, the new regulations have pushed online privacy firmly into the spotlight and this is no bad thing. In fact, online privacy was the focus of a meeting last week of UK government website managers, developers, policy advisers and communications experts. The meeting was hosted by GDS so that people with responsibility for the operation of central government departments’ and agencies’ websites could discuss and learn from one another about some of the ways we could work towards compliance with the new regulations.
We talked about cookies (how could we not?) but we didn’t get hung up on them – other relevant technologies, e.g. HTML5 Local Storage and web beacons, came up too. We shared our experiences of comprehensively auditing our sites in order to be certain we knew which cookies were being set by us or via our sites (in the case of third-party cookies).
We also discussed how best to probe the use of such cookies in order to correctly classify them (i.e. “moderately intrusive”, “minimally intrusive” or “exempt from changes to privacy legislation”) in terms of their “privacy intrusiveness”. While we were at it, we touched on how best to be transparent about third-party cookies and their impact on visitors’ privacy.
Inevitably, analytics and the vital role analytics-related cookies play in allowing public sector websites to be held to account on the cost-effectiveness of the way we deliver government information and services came up. Even more importantly, analytics are essential to our “continual improvement” approach to developing digital public services, which is critical to delivering the government’s digital by default agenda.
We touched on data-sharing and benchmarking options offered by some analytics vendors’ packages and agreed that despite the fact that no personal data was collected, it was good practice not to share analytics information with third parties in order to reassure government websites’ users.
The conversations were technical but the protection of users’ online privacy remained at the forefront. We’re still working towards compliance but our focus on transparency and education while helping users make informed choices about their privacy seems the right way to go. Finally, we agreed to put together a short implementer guide containing some pointers to a best practice approach; here it is. All in all, it was a useful meeting and as we continue to work towards compliance there will probably be a few more.