CATEGORY: Public Sector
New guidance on public sector communications
The Information Commissioner’s Office (ICO) has published a new resource to help public sector organisations understand when the direct marketing rules will apply to their messages.
Email and SMS have proven to be very important channels to public authorities during the pandemic, enabling them to bring detailed guidance and information to the attention of specific stakeholder groups and citizens with speed and efficiency. Most of this communication would not be regarded as promotional in nature and therefore, legally, would not count as Direct Marketing.
However, sending emails and SMS is still a form of data processing and, therefore, compliance with the UK GDPR is still a factor in how public sector organisations conduct communications and campaigns via these channels.
Under the Data Protection laws, and predominantly the UK GDPR, most commercial direct marketing is conducted on the basis of having consent from the data subject to send information via direct marketing channels such as email and SMS.
This is relatively straightforward for newsletters and promotional campaigns sent from consumer brands, but public authorities tend to have other legal obligations to send.
Each of these legal basis’ have slightly different requirements in terms of evidence and proof. As we have seen recently, getting it wrong mean serious financial penalty and/or reputational damage. Read more about this in Marketing is not at your service, and the Amex ruling that was issued in May 2021, where the ICO determined that some of the emails that Amex had classified internally as service messages also contained marketing materials, and therefore were infringing the regulations.
So whilst case law and specific examples can help bring clarification, the situation for public sector communicators is, still, by no means clear cut.
Anthony Luhman, ICO Director, said:
“If you work in the public sector, the law doesn’t stop you from sending promotional messages when they are necessary for your task or functions. However, there are times when the direct marketing rules will apply and we want to help the public sector get it right.
“Our new guidance will help you understand how to send promotional messages in compliance with the law. Done properly the public should have trust and confidence in promotional messaging from the public sector.”
For public sector communicators the choice of lawful basis for sending promotional messages is likely to be either public task or consent.
Whilst the most obvious basis may seem to be public task, there is no obligation to rely on it. You may still want to consider consent, even if a promotional message is not direct marketing because it is necessary for your task.
In general, public authorities do need to be cautious when considering using consent as a lawful basis as your position of power can affect whether the consent is freely given. But the UK GDPR doesn’t prohibit you from using consent – if the individual has a genuine free choice to give or refuse consent to your promotional messages then the consent will be freely given.
There may be good reasons why you want to rely on consent instead of public task, for example it may be a sensible safeguard to ensure public trust. Using consent doesn’t affect the nature of the message or commit you to marketing rules – if the promotional message is necessary for your public functions it is not direct marketing.
If you do use consent you will be compliant regardless of whether the message is direct marketing. But you must ensure that the consent is valid, which includes making sure it is fully informed and specific, easy to withdraw, as well as freely given.
If a message is direct marketing, public authorities need to comply with the marketing rules in the Privacy and Electronic Communications Regulations (PECR) if they are using electronic communications (eg phone call, email, text message).
However, regardless of whether a promotional message is direct marketing or not, public authorities must still comply with the requirements of the UK GDPR.
Mr Luhman said:
“It’s important to be transparent about what you intend to do with people’s personal data including telling them about the types of messages you want to send.”
The UK GDPR also gives people a right to object and this may apply even if your promotional message is not direct marketing.
Much of the guidance was as we would have expected:
The rules on direct marketing apply to all sectors and types of organisations.
There is a right for individuals to object if you are relying on the public task basis, even if your message is not direct marketing. Unless you can demonstrate “compelling legitimate grounds” to continue sending the messages.
Promotion is not necessarily direct marketing
But this new guidance does hold some ‘surprises’
The majority of communications that public authorities send to individuals are unlikely to constitute direct marketing.
If you are a public authority and your messages are necessary for your task or function, these messages are not direct marketing, even if you decide to rely on consent rather than public task.
If the promotional message is necessary for your relevant function or task then it is not direct marketing.
Examples of messages which are promotional but may be necessary for delivering your tasks and functions could include those that promote:
new public services;
So, if a promotional message is not direct marketing:
the marketing provisions of PECR do not apply;
the absolute right of individuals to object to processing for direct marketing does not apply but the general right to object under the UK GDPR does apply; and
all the other requirements of the UK GDPR still apply when you are processing personal data, including fairness and transparency.
However, many public authorities have quasi-commercial functions, for example running leisure facilities. These are services for which the individual has to pay, so from their perspective it is equivalent to a commercial service. Sometimes these commercial services are in competition with private sector providers of the same service.
If you want to send promotional messages about these types of services then you will be engaging in direct marketing.
When this is the case then, you need to comply with:
the direct marketing provisions of PECR (if you are sending the message by electronic means e.g email, text message, phone call);
the absolute right of individuals to object to processing of their personal data for direct marketing under the UK GDPR; and
all the other general requirements of the UK GDPR including fairness and transparency.
The ICO guidance for the Public sector is now available and provides additional details on determining if a promotional message should be considered direct marketing and specific details around public sector organisations sending out details of other organisation or third party promotional materials.
Email marketing healthcheck
We are confident that we can help you, which is why we offer a free healthcheck to identify potential issues with your current programme and free advice on things that could be done to improve it.