The Impact on Marketing-Related Activities of the Data Protection Act and Related Legislation




Audience

1. This guidance is intended for all University staff who maintain or use databases of contacts for marketing purposes, including publicising events and programmes, fundraising, alumni activities and offering goods for sale.

Scope

2. The guidance explains the impact of the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 on marketing activities, and identifies the steps necessary for compliance with this legislation.

Requirements for all forms of communication

3. At the time that contact information is collected, affected individuals must be made aware that we have the information and of the uses to which we intend to put it. People must be given a clear understanding of the means of contact that we intend to use. For example, if people have just provided a name and address, the expectation is that we will contact them by post. It would be unacceptable to telephone them without having told them of this possibility.

4. If contact information is collected on a form to be returned to the University, we must enable people to opt out of contact on the form itself, and not simply provide them with an additional address they can contact.

5. If the information is collected on a form that is also used for other purposes, but some of the information is only needed for marketing, then this should be made clear on the form.

6. At any time, an individual may say that they do not wish to be contacted for marketing purposes. Within 21 working days of receiving such a notification, we must add their name to a stop list and ensure that we do not contact them again unless they specifically ask us to do so.

7. If we acquire contact details from a third party, we must check the following:
   - What information about the use of the data was provided at the time the data was collected?
   - Did the individuals indicate any preferences about their means of contact?
   - How have unsubscribe requests been handled?
   - How has the list been kept up-to-date?

8. We must keep the information securely and ensure that access to it is limited to those who need to see it in the performance of their duties.

9. Seek further advice from the Records Management Section if the information is going to be passed outside the European Economic Area. Guidance is available at http://www.ed.ac.uk/schools-departments/records-management-section/dataprotection/guidance-policies/transferring-data/model-clauses-steps/what-steps.

10. The University must clearly identify itself in any communication.

11. We are responsible for ensuring that subcontractors also comply with all relevant requirements.

Additional requirements for e-mail

12. We can contact people on an opt out basis if we are offering them paid goods or services which are similar to ones they have already purchased from us, and they were offered the opportunity to opt out at the time of the purchase.

13. We must have people's consent (i.e. specific opt in) to contact them by e-mail for all other marketing purposes, including free events, fundraising or paid goods or services in which they have not previously shown an interest.

14. If an e-mail mailing list was compiled in accordance with privacy legislation in force before 11 December 2002 and has been used recently, we can continue to use it. Each time a communication is sent, the individual must be given an opportunity to opt out.

15. E-mail addresses must not be harvested from websites and other sources in the public domain.

16. The University's identity must be clearly stated in the "from" header of any email we send. It is good practice that the subject line should accurately reflect the purpose and content of the message. Avoid use of "Re" or "Fw" in the title.

17. In every e-mail communication, we must provide easily used contact details (including an e-mail address) so that people can opt out of receiving further communications if they wish to do so.

Additional requirements for postal communications

18. Contact may be on an opt out basis. You should ensure that people are told about the proposed use and given an opt out at the time the contact details are collected. If this was not done, it would still be acceptable to contact people by post, provided that every communication gives them a clear and easy way to opt out of future communications.

Additional requirements for fax, automated calling or SMS messaging

19. We can only contact people by these means if they have specifically agreed that we may do so (i.e. specific opt in).

20. On all communications we must provide a contact address or a phone number that can be used free of charge to opt out of further contact.

Additional requirements for telephone calls

21. All call lists must be screened against a recent Telephone Preference Service listing. We must not contact a person listed with the Telephone Preference Service unless they have specifically said we may do so (i.e. specific opt in). We may contact other people on an opt out basis.

22. It is good practice to state the purpose of the call at the beginning of the conversation.

23. If we record telephone calls, we must tell the contact that the call is being recorded and the uses to which the recording will be put.

24. On request, we must provide a contact address or a telephone number that can be used free of charge to opt out of receiving further calls.

Background

25. The Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 both affect how information about living, identifiable individuals may be used for marketing activities.

26. The Data Protection Act is concerned with personal data. For practical day-to-day purposes, personal data is any information held by the University about living, identifiable individuals. It gives people the right to see that information, and sets out 8 principles with which the University must comply whenever it collects, uses or stores personal data. They are:

   1. Personal data shall be processed fairly and lawfully. This means that, at the time the data is collected, people must be told what we intend to do with that data.
   2. Personal data shall not be processed in any manner incompatible with the purposes for which it was originally collected. This means that unless we have told people that we are going to use their contact details for marketing purposes, then we cannot do so.
   3. Personal data shall be adequate, relevant and not excessive for the purposes for which it is processed. In other words, we must be careful to collect only the information we need.
   4. Personal data shall be accurate and, where necessary, kept up to date.
   5. Personal data shall not be kept for longer than is necessary.
   6. Personal data shall be processed in accordance with the rights of data subjects, including a right to see what information the University holds about them, a right to require the University to stop using information about them, and a right to require the University to amend inaccurate or out-of-date data.
   7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
   8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. This means that in most cases where personal data is transferred overseas, we must have a contract in place that includes appropriate safeguards.

27. The Privacy and Electronic Communications (EC Directive) Regulations apply to all organisations that use telephones, e-mails, faxes, SMS messages etc. for direct marketing. The definition of direct marketing covers not just the offer for sale of goods or services, but also the promotion of an organisation's aims and ideals. For the purposes of this legislation, fundraising, publicising events and programmes and offering goods for sale all qualify as marketing.

28. The Regulations imply two potential sorts of direct marketing relationships: a cold one, whereby the organisation has had no previous contact with the individual, or a warm one, where an individual has in the past actively expressed an interest in purchasing an organisation's products and services and has not opted out of further marketing of those, or similar, products or services. The Information Commissioner has said that it is not possible for fundraisers to have a warm relationship with an individual within the terms of this legislation; the relationship has to have been a commercial one involving the sale of something. Publicising free events is also unlikely to qualify as a warm relationship.

29. Under the Regulations it is possible to make solicited or unsolicited contact for direct marketing purposes. In the former case, the individual has specifically asked an organisation to contact them about its products and services, perhaps by filling in a form asking to be sent information. Unsolicited communications are those where the individual has not asked to be contacted at this particular time, but they have positively indicated that they do not mind being contacted. The Information Commissioner's guidance implies that situations where individuals have ticked a box to indicate that they want to receive marketing materials, and situations where they have been offered an opportunity to tick a box to indicate that they do not want to receive marketing materials, will both fall into the unsolicited category. Almost all the University's marketing communications will fall into the unsolicited category.

30. Both pieces of legislation are policed by the Information Commissioner. In the worst-case scenario, failure to comply with these requirements can result in a fine of up to £500,000 or the Information Commissioner requiring the destruction of the entire marketing contacts database. In addition, individuals have a right to compensation if they have been damaged by a breach of these laws, although there is sometimes a defence if the University can demonstrate that all reasonable care has been taken to prevent the breach.

About this guidance

Version: 01
Date: July 2013
Author: Susan Graham