This post was written by Cynthia O’Donoghue.

In June 2013, the UK Information Commissioner’s Office (ICO) published new guidance entitled “Social networking and online forums—when does the DPA apply?” (Guidance). The document explains what must be considered by organisations that run social media sites, as well as by individuals who upload or download personal data from online forums, social networking sites, message boards, or blogs.

The DPA does not apply when personal data is processed by an individual for the purposes of their personal, family or household affairs. The Guidance makes it clear that the “household exemption”, which permits an individual to process personal data for his or her own use, does not apply to organisations, even if the organisation uses an employee to undertake the processing through his or her personal networking page. Individuals and groups of individuals (including clubs or societies) may only rely on the exemption if they process the data merely for domestic purposes.

Where the exemption does not apply, organisations as well as individuals will be treated as the data controller and will have primary responsibility for compliance with the DPA. The ICO suggests that those running networking sites will be controllers in relation to any contact information or other personal data about the users or subscribers. Equally, the site operator may be responsible for third-party posts. The ICO relied on the case of The Law Society and Others v Rick Kordowski, [2011] EWHC 3185 (QB), to conclude that the DPA will apply when posts are moderated, especially if users pay a fee. Even if the content is not fully moderated, an operator will be a controller when the site’s terms and conditions only allow posts with acceptable content.

The Guidance also recommends that organisations take “reasonable steps” to check the accuracy of any personal data posted. What is “reasonable” will depend on the nature of the site and the extent of moderation of the site by the operator. For example, the watchdog would not consider it reasonable to expect a large social networking site to check all posts for accuracy, but recommends that such sites have a process in place to deal with complaints about inaccurate postings.

Most established social networking sites will already comply with the new Guidance, so this Guidance appears aimed at start-ups and fringe social networking sites, especially since it points out other UK legislation relating to preventing malicious communications, harassment and defamation.