If you process personal information, the eight principles of good practice for email marketing require the data to be:
Fairly and lawfully processed
Processed for limited purposes
Adequate, relevant and not excessive
Accurate and up to date
Not kept longer than necessary
Processed in accordance with the individual’s rights
Secure
Not transferred to a country outside the EEA unless it has adequate protection for the individual – the Safe Harbour scheme in the USA is not enough (link to Safe Harbour: transferring data to the USA)
These eight principles are further defined below.
1/ Fairly and lawfully processed:
‘Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 is met; and in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.’
The provisions of paragraphs 3.1.1 (Schedule 2), 3.1.2 (Sensitive Personal Data) and 3.1.3 (Schedule 3) are covered here only insofar as they apply to direct email marketing. It is advised that these paragraphs should be read and understood in their entirety.
A ‘fair processing guide’ has been produced by the Information Commissioner’s office. Whilst these are guidelines, it is better to view them as requirements.
Appointment of a data controller with defined responsibility for data protection for that company.
Clear contact details in all communications, such as on a web site or direct mail, of how a data subject can contact the data controller or a representative. The Companies (Registrar, Languages and Trading Disclosures) Regulations 2006 make further specific requirements with regards to this point.
Before data processing, the data subject has given his consent or the processing must be necessary either for a contract to which the data subject is a part or because it is required by other laws.
Certain sensitive personal data require particular care, including:
Racial or ethnic origin of the data subject,
Religious beliefs or other beliefs of a similar nature
Membership of a trades union
Physical or mental health conditions
The commission or alleged commission of any offence, or any proceedings relating to it
No other laws may be broken in processing the data.
2/ Processed for limited purposes
‘Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.’
‘Specified’ here implies that the person must be made aware at the time of signing up of:
whether further communications will be sent to the person,
whether the data will be passed on to third parties (both of these require express permission), and
how long the data will be kept.
3/ Adequate, relevant and not excessive
‘Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.’
The legislators have come down firmly on the side of the rights of the individual. However, they have avoided specifics and in doing so have allowed a certain flexibility.
4/ Accurate and up to date
‘Personal data shall be accurate and, where necessary, kept up to date.’
The DPA defines ‘inaccurate’ as ‘incorrect or misleading as to any matter of fact’. As for ‘up to date’, this is not necessarily as demanding as you may think. The conditions are that your relationship with the customer is on-going and that the rights of the individual will be affected if you fail to update the information. The guidelines state that additional steps should be taken to ensure the data is correct. Whilst it is not a requirement for records of the additional steps taken to be kept, they could be vital in disproving an accusation of failing to conform to the regulations.
5/ Not kept longer than is necessary.
‘Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.’
The ICO guidelines suggest: ‘To comply with this principle, data controllers will need to review their personal data regularly and to delete the information which is no longer required for their purposes.’
This could conflict with the requirements of good business, since a customer might well go through stages where they buy nothing for a while. It is suggested that a grocer might well have to delete the files of non-buying customers earlier than someone selling new cars.
This is not a demand for a record to be deleted from your files immediately the subscriber ‘opts out’ of direct email marketing.
6/ Processed in accordance with the rights of data subjects under this Act.
‘Personal data shall be processed in accordance with the rights of data subjects under this Act.’
These rights would include a ‘subject access request’. This provision’s intent is to control or prevent processing which:
causes damage or distress; this would include ‘inappropriate’ material,
is used for automatic decision-taking; this would include automatic insurance charges,
is used for direct marketing; this means that checks need to be made against the ‘exclusion lists’: see www.dmaconsumers.org.
7/ Secure
‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’
What this means is that if you allow your data to be accessed, altered or destroyed by an outside agency, you commit an offence.
8/ Not transferred to countries without adequate protection
‘Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data.’
This suggests that not only should these countries have similar preventative legislation, but that they should also take steps to proceed against those who break such laws. Safe Harbour in the USA is not enough. (link to Safe Harbour: transferring data to the USA)