New guidance from the UK Information Commissioner’s Office (ICO) aims to help public sector organisations understand when direct marketing considerations will apply to their messaging. ICO Director of High Priority Investigations & Intelligence Anthony Luhman underlined that: “. . . there are times when the direct marketing rules will apply and we want to help the public sector get it right . . . Done properly the public should have trust and confidence in promotional messaging from the public sector.” In this article, we consider the main aspects of the ICO guidance.
What constitutes direct marketing?
Section 122(5) of the UK Data Protection Act 2018 defines direct marketing as: “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. This broad interpretation includes the promotion of aims and ideals (for example, political campaigning) in addition to activities that are more immediately apparent as commercial marketing (for example, promoting a leisure service that the individual has to pay to use).
Routine service messages, such as the acknowledgement of receipt of an application, confirmation of an appointment or test results, reminders about overdue payments and updates about delays or changes to services, do not constitute direct marketing. However, if these messages incorporate direct marketing, even as an ancillary purpose, they will be classified as direct marketing. The inclusion of service providers’ general branding and / or logos within service messages does not constitute direct marketing in and of itself.
Promotional messages that are strictly necessary for public sector organisations to perform their public functions or tasks, for example promoting their guidance, helplines and new public services, do not constitute direct marketing. Nonetheless, such messages should remain proportionate to the purposes for those messages.
What do public sector organisations need to consider?
If the relevant messages constitute direct marketing and are electronic (automated or live telephone calls, emails, faxes or text messages), public sector organisations must comply with the relevant provisions of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), in addition to the absolute right of individuals under Article 21(2) of the UK General Data Protection Regulation (GDPR) to object to the processing of their personal data for direct marketing purposes.
However, if the relevant messages either do not constitute direct marketing or are not electronic, but do rely on “public task” as the valid lawful basis for the processing of the relevant personal data under the GDPR, public sector organisations will need to consider a different right: the qualified right of individuals under Article 21(1) of the GDPR to generally object to processing of their personal data, which will oblige the public sector organisations to demonstrate: “compelling legitimate grounds . . . which override the [individuals’] interests, rights and freedoms.” In any event, the PECR will not be applicable to such messages.
Whether or not the relevant messages constitute direct marketing, public sector organisations must comply with the other provisions of the GDPR when processing personal data, in particular ensuring that they:
- have a valid lawful basis for the processing (which is likely to be either consent under Article 6(1)(a) or public task under Article 6(1)(e) of the GDPR); and
- provide relevant privacy information in accordance with the lawfulness, fairness and transparency requirement under Article 5(1)(a) and the right to be informed under Article 13, of the GDPR.
In light of the above, organisations should ensure that:
- they have documented and valid lawful bases for the processing of personal data, in particular when sending out messaging on behalf of third parties;
- they provide adequate privacy information in respect of the processing of personal data, including the messaging that individuals should expect to receive;
- they establish whether or not messaging (including messaging sent on behalf of third parties) constitutes direct marketing by electronic means and, if so, that this messaging complies with the PECR; and
- there are robust procedures and processes in respect of the withdrawal of consent and the right to object, for example simple mechanisms for individuals to unsubscribe from direct marketing.
Trilateral’s Data Protection and Cyber-Risk Team has significant experience supporting organisations in conducting direct marketing. For more information please feel free to contact our advisers, who would be more than happy to help.