This standard describes the processes that web development teams need to follow in order to ensure their websites are compliant with legal requirements for the following:
This standard does not include information about the following requirements and processes:
We recommend you familiarise yourself with these additional standards and policies to ensure you are aware of accessibility and information security requirements.
If you need any information security advice and guidance, please email the Information Security Team.
You should refer to this document if:
“OU domain” refers to any domain registered or owned by the University (including but not limited to open.ac.uk and open.edu).
“OU network” refers to the data network operated by the University, typically but not exclusively using IP addresses assigned to the OU.
Data protection refers to the rules enforced by Data Protection legislation around the collection, use and storage of people’s personal data.
The Data Protection Act defines a number of ‘principles’ that all organisations must adhere to if they are collecting data about individuals.
If your website, service or application intends to collect personal data you must follow the data protection procedures, and ensure the data is entered on the Information Asset Register.
Personal data is defined as any one piece of information, or combination of pieces, that can be used to identify a living individual.
You MUST justify the reason for which you are collecting personal data.
You MUST ensure that the data collected is held in accordance with the principles set out in the Data Protection Act and that individuals for whom you hold personal data are able to access that data as and when required.
If your website, service or application intends to display any personal information about individuals (including staff) you must gain their agreement prior to its publication.
It is essential that all external websites contain a privacy notice. A link to the OU’s website privacy statement is contained in the standard OU footer, which MUST be included in all OU websites as defined in the Brand Guidelines.
For advice contact the OU’s Information Rights Team in the University Secretary’s Office.
Anything used in the creation of websites (the build) must not infringe the intellectual property rights or any other rights of any third party (including software). If you are using third party content on your site it MUST be approved by the CLIP team (email LDS-Rights), who will ensure all legal obligations are fulfilled.
It is essential that all websites contain a copyright notice and terms and conditions of use.
Links to the OU’s copyright and conditions of use are included in the standard OU footer.
If you need to vary from the OU standard notices you MUST contact the Head of Intellectual Property – or authorised nominee – to gain approval.
If the website you are creating is subject to a contract with a third party (and may be co-branded as a result), you MUST check terms and conditions of use and clearance levels required for any third-party content with Licensing and Acquisitions prior to the website going live.
Web server access logs are kept primarily by the IT department. Access to and retention of these logs is regulated.
The logs contain details of who has been accessing OU websites and include IP addresses, date and time of access, and usernames. They are only available to IT staff.
The IT department also maintains pathway analytics through University sites.
If you wish to implement web analytics (for reporting purposes) on your site, you MUST first contact Digital Services.
You MUST keep all published versions of important web page content and documents for a period of time after they have been superseded.
Important content includes:
If important content is written in web pages rather than documents, you MUST take measures to ensure it is saved before it is overwritten.
For details on how long to keep content refer to the retention schedule (internal link) or contact the Information Rights Team.