On 4 August the Information Commissioner's Office (ICO) published guidance on direct marketing and the public sector, which aims to help public sector organisations understand when the direct marketing rules will apply to their messages. The key points are:
The rules on direct marketing apply to all sectors and types of organisations.
The majority of communications that public authorities send to individuals are unlikely to constitute direct marketing.
The guidance provides some examples:
- messages which promote new public services, online portals, helplines and guidance resources may be necessary for delivering your tasks and functions and therefore not direct marketing;
- messages for the purposes of fundraising or advertising services offered on a quasi-commercial basis or for which there is a charge, e.g. promoting a new fitness class at a leisure centre run by a local authority, are likely to constitute direct marketing. This means that the marketing rules in the Privacy and Electronic Communications Regulations (PECR) apply if you are sending such messages by electronic means, as well as the UK GDPR.
When a public authority sends messages that are necessary for your task or function, these messages are not direct marketing, even if you rely on the lawful basis of consent rather than public task (i.e. necessary for the performance of a task carried out in the public interest). The guidance states that while public task may seem the most obvious lawful basis, there is no obligation to use it, and you may want to consider consent.
Public authorities must be cautious when relying on consent, as their position of power can affect whether the consent is freely given. In addition, consent must be fully informed, specific and easy to withdraw.
When relying on the public task lawful basis you need to:
- identify a relevant task or function underlying the communication;
- demonstrate that sending promotional messages to individuals is necessary for your task. This doesn’t mean that it must be absolutely essential, but it must be more than just useful; and
- demonstrate that sending the messages is proportionate to your aim. You should consider whether you could reasonably achieve the same objective through other means.
If a message is not direct marketing (or is direct marketing but is sent by non-electronic means, i.e. by post), you don’t need to comply with PECR, but you must still comply with the UK GDPR (including fairness, transparency and the right to object).
Individuals have the right to object:
- in relation to direct marketing, the right is absolute. This means that if an individual objects, you must stop sending them direct marketing.
- in relation to promotional messages which are sent on the lawful basis that they are necessary for your public task or function, the right is qualified. You may be able to continue sending the messages if you can demonstrate compelling legitimate grounds. You must consider any objections you receive, and balance your legitimate grounds against the individual's rights and freedoms.
Take particular care before sending any messages promoting third party services, as you need to:
- be clear how this is necessary for your functions; and
- consider whether it is fair – have you been transparent with the individuals and explained that you would use their data to send these messages?