Cookies - UK regulations

Cookies - all websites must comply with the UK 'cookie' regulations - schools and services such as VLEs are included.

This article published 20th September 2012 and updated 8th & 10th October 2012 and 30th November 2012.

 

As of May 2012 all websites and services such as VLE must comply with the UK Cookies regulation to gain users "informed consent" to the setting of cookies. Under the regulations all web service owners - those "setting" cookies - to provide clear and comprehensive information on the cookies they use and to gain "informed user consent". These regulations apply to schools and education the same as they do to everybody else in the public or commercial sectors.

 

What's a cookie?

A cookie is usually a small piece of data or code sent from a website and stored in a user's web browser while a user is browsing a website. When the user browses the same website in the future, the data stored in the cookie can be retrieved by the website to notify the website of the user's previous activity. Some cookies make the use of websites more effective, some aid authentication, some bring added value to the use of the website and some, classed as "intrusive" can harvest data about the web user. Some cookies are used to build user profiles and direct, for instance, advertising to the website user. Cookies are used by services such as VLEs as well as websites.

 

What do the regulations say.

In addition to making a general statement about the collection and use of personal data the Cookies regulation requires the owner of the website or service, including VLE to:

 list all the cookies that are being used

 indicate their level "intrusiveness"

 explain their use in "plain language" to the user

 provide a means by which the user can signal their consent

 apply the key principle "informed consent"

Websites should not include cookies collecting information that is beyond the natural expectation of the user using their site. If a Cookie is processing personal data, the owner must ensure it complies with the Data Protection Act 1998; no harvesting unnecessary data is permitted. Owners must adopt measures that are in keeping with the levels of the cookies set - i.e. the more "intrusive" the cookies used the clearer the measures to ascertain assent must be.

 

Implementation

The regulations came into force in May 2012, but it is expected to take some time before everyone will be compliant. Similar regulations pertain in many EU countries and have been/are being introduced in other countries.

 

Enforcement

As of 21st May 2012 the Information Commissioner's Office (ICO) can start to take enforcement action against websites not complying with the legal requirement. They will adopt a policy of information and education first, before any prosecution procedures are entered into.

  

What does this mean for schools?

Schools already deal with cookies technically and in some curriculum activity. The new regulations mean an added dimension to existing delivery and where schools are developing or managing their own websites and services a new priority.  Schools need to consider 'cookies':

 As users of websites and web services

 Understanding of the cookie regulation and learning how to read the cookie information will need to be added to curriculum for pupils and to training for the workforce.

 Understanding of how to use the tools in browsers and e-safety software to 'control' cookies as part of 'digital literacy'. 

 At an advanced level students designing and building websites and digital services will need to learn to implement the 'Cookie Regulations'.

 Schools developing their own internet services, such as VLE, may need to take account of the regulations if they set cookies or use third party services that set them.

 A statement and explanation to the school community, including parents, may be helpful.

 In procurement of services and use of 'free/open' online services considering whether the supplier has complied with the Cookie regulations.

The issues of 'cookies', their uses and the Cookie Regulations are part of the wider issues of e-privacy which has increasingly become a matter of high-level concern for schools and in it's wider aspect a matter for discussion in 'citizenship education' or as part of 'digital literacy'.

 

Data Protection Act 1998

In particular the Cookies regulations are related to Data Protection and the Data Protection Act 1998.

The ICO Report 'The Data Protection Guidance we gave Schools in 2012' (September 2012) includes a reminder of the need to consider Cookie regulations in Section 11 - see 'Websites' para 4, page 18.  (see weblink below)

Bottom line: Cookie regulations don't obviate the need to think Data Protection first - especially when providing servcies for young people. 

School networks and VLE

School 'networks' or 'intranets' lie outside the Cookie regulations as they are not public; however: "Although the Regulations would not therefore apply in the same way to cookies that are set on an intranet it is important to remember that the requirements of the DPA are likely to apply if your use of cookies is for the purposes of monitoring performance at work, for example. Wherever an organisation collects personally identifiable information using cookies then the normal fairness requirements of the DPA will apply.”   See ICO Cookies Guidance pages 28-29.

School VLE - or VLN in the 'Cookie Guidelines' - comes within the Cookie regulations. "If the VLN is an extranet which individual users must log in to access, the rules on cookies are likely to apply in the normal way."

Student and pupil consent

For younger pupils or those unable to understand the implications of 'consent' the ICO recommends referring to the guidance from the 'Personal Information Online Code of Practice' (see links below) concerning parental consent: “Assessing understanding, rather then merely determining age, is the key to ensuring that personal data about children is collected and used fairly. Some form of parental consent would normally be required before collecting personal data from children under 12. You will need to look at the appropriate form for obtaining consent based on any risk posed to the child. You may even decide to obtain parental consent for children aged over 12 where there is greater risk. This has to be determined on a case by case basis.”  See Page 16 , ICO 'Personal Information Online Code of Practice'

 
Process for those "setting" cookies

In an education setting it is unlikely that cookies that are used will be of the most "intrusive" kind. However, having a clear understanding of the process, is the best way of avoiding risk.

 Audit. List the types and functions of all the cookies used by each particular website or service.

 Categorise. Decide on the level of "intrusiveness" of a particular type of cookie. (see links below)

 Identify measures. Determine the level and type of measure(s) to be taken by the website/service owner. (see links below).

 Don't forget 'third party cookies' such as those set by services that can be embedded such as 'Google Maps' or 'You Tube' videos.

 Make the information of your use of cookies clear to the user - in language the user can understand.

 Provide a means for the user to signal their consent.

 Continue to monitor new developments and new websites and services you use.

This is all new and the practicalities of how wesbites and services provide information and effective measures to enable users to signal their consent will develop over time. Some 'aps' are offering built in tools for users - for instance 'Google Analytics'. 
  

What does a good one look like?

There are lots of examples of 'good practice' to investigate; here's two:

Information Commissioner's Office (ICO) - the measures on their website: This notice appears on first use. "The ICO would like to place cookies on your computer to help us make this website better. To find out more about the cookies, see our Privacy Notice. I accept cookies from this site. <tick box>" This links to the ICO privacy notice about cookies  ... which includes how they deal with, for example, 'Google Analytics' and 'You Tube' embedding.  http://www.ico.gov.uk/Global/privacy_statement.aspx

Produced with permission for re-use by ICO. See original at ICO Privacy Notice 

 

JANET - the universities and colleges network - has published a 'cookie' statement under 'Policies' - It is very detailed and covers server sessions, blogs, mobile display, use of Google maps, embedded video, memorizing logins and preferred language, authentication, etc. etc. Excellent as a reference.

 https://community.ja.net/library/janet-policies/janet-cookie 

 

Implied Consent

The concept of "implied consent" could be appropriate for uses of cookies that are low-level intrusive, but the consent still has to be "specific and informed"

  

Exceptions: Cookies not needing Consent

The ICO has provided guidance on the law's exception to the requirement to provide information about cookies and obtain consent where "... the use of the cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or where such storage or access is strictly necessary ..."
However you would need to consider the details that are provided in ICO 'Guidance on Cookies' (see link below).

The EU has adopted a protocol on cookies and data protection which lists types of cookies which could be necessary for the strict functioning of a service - provided the service objectives and parameters are made clear to the user and the user has requested them. This includes: session-id cookies; authentication cookies; multimedia content player session cookies such as 'flash' players; and load balancing cookies. Developers and those requiring fuller details should refer to the EU Art 29 link below.

 

The Bottom Line

Inform your users and tell them what cookies you are using and what you are doing with them and the data collected.
 

  

Get some 'code'!

 A set of free resources with code for a number of popular website systems - 'Word Press', 'Joomla' etc. and providing options to suit the conditons applying to your website have been made available from 'Civic' - a Scottish Government initiative. See http://www.civicuk.com/cookie-law/index    

 

Further Information and Help

 Information Commissioner's Office 'Guidance on Cookies': http://www.ico.gov.uk/news/blog/2012/updated-ico-advice-guidance-e-privacy-directive-eu-cookie-law.aspx  ... includes pdf with guidance on cookie audits" and forms for collecting "consent".

 ICO: Guidance on the Rules of Cookies and Similar Technologies (For Excemptions see Section 7; page 13):
http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/cookies_guidance_v3.ashx
 EU Cookie Art29 Working Party Data Protection - Cookie Consent Exemption - June 2012
http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf

 Information Commissioner's Office 'Advice for the Public on Cookies': http://www.ico.gov.uk/for_the_public/topic_specific_guides/online/cookies.aspx

 Information Commissioner's Office 'Report on the Data Protection Guidance we gave Schools in 2012' (September 2012) http://www.ico.gov.uk/for_organisations/sector_guides/~/media/documents/library/Data_Protection/Research_and_reports/report_dp_guidance_for_schools.ashx

 Information Commissioner's Office 'Personal information online - code of practice' (2010)http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/personal_information_online_cop.pdf

 All About Cookies - general information on cookies: http://www.allaboutcookies.org/

 JISC Legal: Thorough Guidance on all things 'cookie' legislation. http://www.jisclegal.ac.uk/ManageContent/ViewDetail/ID/2051/What-Does-the-New-Cookie-Legislation-Require-us-to-do.aspx

 Read the Act: The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (UK Regulations) http://www.legislation.gov.uk/uksi/2011/1208/made

 Example of 'industry' response: Google Analytics: Google has developed a browser add-on to allow users to opt-out of Google Analytics across all websites http://tools.google.com/dlpage/gaoptout     

 'Copy Rights and Wrongs' gives information and guidance for schools on 'Copyright in the Digital Age'. Information and Guidance for Schools on the UK Cookies regulations: http://www.copyrightsandwrongs.nen.gov.uk/good-practice/cookies-uk-regulations 

 

Disclaimer

Although every care has been taken in assembling the information and materials in this article, the materials are for general guidance only and are not, and are not intended to be, legal advice.