The University maintains a number of mailing or contact lists for the purposes of getting in touch with students, staff, and customers. A number of these are for essential communications about assessment, access to premises and other day-to-day matters. A second type of mailing list is where the University contacts individuals to inform them of postgraduate courses, events, or commercial offers. Like the other personal data processed by the University, this data is subject to the UK GDPR and the Data Protection Act 2018.
This second type of mailing is defined as ‘direct marketing' and is subject to an additional legal requirement: the Privacy and Electronic Communications or “PECR”.
Direct marketing emails – even if the University has a different legal basis under GDPR to process the data, PECR requires “opt-in” consent to send direct marketing emails. If an individual has purchased our products or services and not opted out of further marketing communications, then we can contact them about similar products and services under what is called the “soft opt-in”.
Telephone communications – The University cannot make marketing calls to any number listed on the Telephone Preference Service (TPS) unless that person has specifically consented to receive calls from us. The University can call a number if it is not listed on the TPS, with certain conditions. If you are considering a direct marketing campaign, please consider the following questions:
- How did we obtain the contact details? •Have we provided a privacy notice explaining what we will do with the data?
- Do we have a record of ‘opt-in’ consent that we can demonstrate for this marketing? (See below for definition of ‘valid consent’)
- Will we need to undertake a Data Protection Impact Assessment (DPIA)?
- If we will be calling individuals, have we screened the data against the TPS and any internal ‘do not call’ lists we have?
- If we are using a third party to carry out the campaign,do we have a formal contract in place?
- If we are going to rely on “soft opt-in”, did we give the individual the chance to opt-out at the time we collected the details?
In order to be valid, the consent needs to be:
- 'freely given' - it must be as easy to withdraw consent as to provide. It must be obtained separately from other terms and conditions.
- 'specific and informed' - an individual must be able to withdraw consent easily at any time. It also means consent should be unbundled from other terms and conditions
- a clear affirmative action - We must be able to demonstrate that an individual said “yes” or ticked a box. No pre-ticked boxes or inferences from silence or no response.