Is this acceptable/illegal?

  pj123 14:52 08 Oct 2003

I have a friend who lives in France. He is thinking of building a website offering prospective property buyers a full service package, i.e. sourcing, help with buying, surveying, tax laws, opening a French bank account etc?

He has asked me to put a questionnaire form on the site to be filled in. It will ask for Name, Address, Telephone number and email address, along with other details, but no bank account or card details will be asked for. This will not be a secure site. In doing this would it cause any legal problems? I have checked out a few other sites that have similar questionnaires (also not secure) so it seems not to be a problem.

My own personal opinion is: I wouldn't fill in my address or telephone number until I was sure, I think an email address is sufficient for first contacts? The main point of course is, would it be contravening any UK/EU laws?

  handful 15:02 08 Oct 2003

As far as I know it would contravene the Data Protection Act if it could not be seen to be secure. I know this has become much more stringent recently but best trawl through this click here make sure

  pj123 15:19 08 Oct 2003

handful, thanks for the link but it isn't working?

Although registered in the UK this is a French website, does that make any difference?

  Pesala 17:46 08 Oct 2003
  Forum Editor 21:46 08 Oct 2003

that specifically prohibits asking for personal information - whether you do the asking on a secure website or not.

The UK Information Commissioner (formerly the Data Protection Commissioner) has published a suggested code of practice that covers the 'harvesting' of personal data on websites. In general terms this calls for a clearly worded statement to the effect that people should read your privacy policy before providing you with their data, and that the statement should be as close to the point where data is requested as is reasonable. In practical terms this means a line of text (Before submitting this form please read our privacy statement) placed at the top of the form which you ask visitors to complete and submit. The text would hyperlink to a separate page, on which should be a clearly worded declaration, telling visitors how you intend to use their data (distributing it to other companies in a corporate group for instance), and reassuring them that you will not sell, distribute, or publish their data (in whole or in part) without their prior consent. You should also state that the data you receive will be stored securely, and that it will be deleted on request. Say that anyone may ask to see a copy of the information you hold about them at any time, on payment of a nominal fee (normally £10).

In the UK the law states that if you collect and store personal data belonging to living individuals, and you subsequently 'process' the data, you have a statutory obligation to register with the UK Information Commissioner as a data processor. There's a fee for registering (which, if my memory serves me well, is currently £45 or thereabouts) and if you should register and do not do so you may be prosecuted and fined a hefty amount. If the registration is on behalf of a company or other legal entity (such as a registered charity) there must be a nominated individual who will be responsible for data protection - this person will be held responsible in the case of any infringement of the data protection laws, and will be prosecuted if there is a serious breach.

Once registered, you may not transfer data outside the UK unless you are satisfied that the country into which you transfer the data has adequate data protection legislation in place, and that the person to whom you transfer the data has adequate protection measures in place. In any event - you must not transfer the data to another country without the data owner's prior consent. If you intend to do so, make it very clear on the web form.

A good way of getting it right on the web is to imagine that you're the one providing the details - if you wouldn't be happy doing so you can be sure that other people will feel the same.

If you would like me to provide you with suitable text for your form (or to look over your own wording prior to publication) I will be happy to do so - just ask.

  Forum Editor 21:57 08 Oct 2003

that although my comments refer to UK legislation I know your friend lives in France. If he intends to publish the site to a French server he will not have to comply with the UK data protection laws. It would be prudent however, to tell people that the site is based in France, and therefore the French data protection laws will apply. I'm not up to speed with French legislation at the moment, but shortly I will be - I'm currently travelling back and forth to France on a project that will involve information gathering on a server in Paris, and I'll need to do some homework.

In broad terms you must comply with the laws that apply in the country where your site is hosted.

  pj123 13:58 09 Oct 2003

Thanks all for the replies. All noted and copied for future reference. The site hasn't been started yet, also still trying to think of a domain name that hasn't already been taken.
