5.3 Data protection, privacy and electronic communications
All societies must comply with the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 when promoting share offers. Any organisation keeping personal data on individuals is obliged to be registered with the Information Commissioner’s Office (ICO), which is responsible for enforcing both the Act and the Regulations.
The Data Protection Act sets out eight principles relating to the use of personal data by organisations. In the context of community shares, these principles require that personal data obtained from supporters and/or members should only be used for the purposes for which it was originally acquired. This personal data should be accurate and up-to-date, should not be excessive, and should be disposed of when no longer necessary for the original purpose or purposes. The organisation is responsible for ensuring the protection of this data from unauthorised or unlawful use, either by design or by accident.
The Data Protection Act gives individuals the right to prevent their personal data from being used for direct marketing purposes. An individual can, at any time, give written notice to stop receiving direct marketing communications from an organisation. These communications have to stop within a reasonable period, taken to be within four weeks for electronic communications and up to two months for postal communications.
The Privacy and Electronic Communications Regulations provide rules about direct marketing or advertising by electronic means such as automated phone, email, fax, text and picture messaging. It also has rules about website cookies, traffic data, location data and security breaches. These rules apply not only to the promotion of goods and services, but also to campaigning activities by not-for-profit organisations.
The ICO is responsible for enforcing the law and regulations, and has the power to impose fines of up to £500,000 for serious breaches.
Among the more serious breaches is the use of personal contact details for a different purpose from that for which they were obtained. This includes using the membership lists of a community organisation that supports the aims and objects of the society, but where the members have not consented to their details being passed on to other related organisations.
There is no restriction on sending marketing materials to people who have specifically requested such materials. So, if a person completes an on-line form requesting the organisation to send them a newsletter, offer document or some other form of community shares marketing materials, then it is free to do so.
The principle of consent is central to good practice in direct marketing communications. If a person has freely given their prior consent to a specific method of communication on a specific topic or matter, then it is usually lawful and acceptable. Prior consent to specific methods of communication is especially important if the society plans to make phone calls, because this will allow the society to call numbers registered with the Telephone Preference Service without committing a breach of the rules.
According to ICO “implied consent can also be valid consent in some situations – in other words, if it is reasonable from the context to conclude that the person consents, even if they have not said so in as many words.” For instance, if a person provides their personal contact details on an application form to purchase community shares, this implies consent to further communications about the share offer and subsequent share ownership.
The principle of implied consent may also extend to other methods of obtaining personal contact details, such as sign-in sheets at public meetings, signatories to a local petition, or participating in surveys, as long as it is made clear that these personal details will be used for direct marketing purposes. Such notices should be prominently displayed and not hidden in small print.
The clearest way of obtaining consent is to include an unticked opt-in box on marketing materials, including websites. These are preferable to opt-out boxes which, even if they are pre-ticked, might be deemed to be confusing and hard to understand. The use of indirect, third-party consent, where a person has consented to their personal details being passed on to third parties, is not allowed under the privacy regulations for electronic communications in the form of emails, texts or automated calls.
Consent to direct marketing communications does not last forever. There are no prescribed time limits for consent, but it is deemed to be linked to the specific topic or matter. In the case of a community shares offer, consent is linked to a particular offer and does not automatically extend to new offers made by the same society at a later date. Direct marketing materials should always include information on how to cancel or unsubscribe from the communications.
The burden of proof that consent has been given is borne by the organisation not the individual, so it is important that societies keep records of all consents it obtains.
If you have any questions or suggestions for new information you would like to find in the Handbook, contact the team by email at firstname.lastname@example.org