Data Protection Guidelines: Email Do's and Don'ts
Gary Davis, Deputy Data Protection Commissioner
Irish Internet Association, 28th October 2009
Presentation Outline
• Marketing – what do people think?
• Data Protection – what is it?
• Direct Marketing – the Rules
• Best Practice
Personal Experience of Privacy Invasion (Yes, %)
Received unsolicited post, addressed to you personally                                   50
Received unsolicited text messages from commercial organisations                         35
Received unsolicited emails from commercial organisations                                28
Had excessive personal information sought from business/public sector organisations     20
Had a virus/spyware on personal computer                                                 20
Disclosures of your personal information to others without your agreement               14
Had information, images or footage of you posted on the internet without your consent   11
Had personal information being withheld from you without explanation                    10
Inappropriate access to personal information held about you within an organisation      10
Any experience                                                                           65
Attitude Towards Unsolicited Mail or Offers… (%, 2008 vs 2005)
Channel                                    Year  Not at all happy (1)  Not very happy (2)  Fairly happy (3)  Very happy (4)  Don't know  Unhappy (1+2)
The post                                   '08   35                    41                  12                4               8           76
                                           '05   29                    45                  14                4               9           74
E-mail/the internet                        '08   28                    43                  9                 4               16          71
                                           '05   23                    43                  9                 3               22          66
The telephone to your home                 '08   27                    33                  8                 2               30          60
                                           '05   21                    34                  6                 2               37          55
SMS/Text messages (to your mobile phone)   '08   28                    46                  8                 4               13          74
                                           '05   23                    52                  7                 2               16          75
Unsolicited mail via telephone or post remain the approaches the public most dislike. However, irritation with text or e-mail contact has significantly increased since 2005.
Q.7 – Awareness of Rights (%)
Right                                                                                        Yes, entitled  No, not entitled  Don't know
To get a copy of any information about you held by any organisation                          71             6                 23
To have any inaccurate information about you corrected/deleted                               71             6                 23
To have your name removed from junk mail lists                                               71             5                 23
To have your telephone number removed from direct marketing lists                            70             6                 24
To have any of your medical records deleted                                                  58             7                 35
To claim compensation through the courts if personal information held about you is misused   40             21                39
To get personal information about other people                                               22             46                32
Complaints to DPC 2008
• 1031 formal complaints
• Many more enquiries dealt with informally

TYPE               %
Direct Marketing*  35
Access Rights      30
Disclosure         16
Accuracy            2
Other              17

* Mainly electronic (SMS etc). Direct Marketing accounted for 57% of complaints in 2007
Unsolicited Marketing – DPC Annual Report Case Studies
• Unsolicited Text Messages (12/2005; 5/2006 – deletion of database ordered)
• Unsolicited Faxes (20/2008)
• Unsolicited e-mails (8/2008; 17/2008 – database deleted and marketing suspended)
• “Cold-Calling”/Failing to respect right to “opt-out” including via NDD (11/2005 (prosecution); 1/2006; 2/2006; 4/2007 – order to suspend marketing; 11/2008)
• Postal Marketing (15/2007: supermarket)

Case Studies 2008: Direct Marketing
• 123.ie (insurance)
• Interactive Voice Technologies
• Buy-as-you-Fly
• Celtic Water Solutions
• Matrix Internet
• Dell
• 2 cases where we found in favour of the DC (data controller)
Presentation Outline
• Marketing – what do people think?
• Data Protection – what is it?
• Direct Marketing – the Rules
• Best Practice
Data Protection: a Human Right
• Part of Right to Personal Privacy
• Personal Privacy: necessary in a Democratic Society (but not absolute)
• Un-enumerated right under Irish Constitution
• Explicit right under European Convention on Human Rights: ECHR Act 2003
EU & Irish Legislation
• Data Protection Directive 95/46/EC
• Electronic Privacy Directive 2002/58/EC
• EUROPOL etc
• Data Protection Acts 1988 & 2003
• EC Electronic Privacy Regulations 2003 (SI 535/2003) and 2008 (SI 526/2008)
• Corresponding Acts
• Good Friday Agreement
• Disability Act 2005
Rights and Obligations
• Rights of “data subject” (= identifiable, living individual) to control the use of their “personal data” (very broad definition)
• Obligations on “data controllers” (“a person who controls the contents and use of personal data”) and “data processors” (“a person who processes personal data on behalf of a data controller”)
The Data Protection Rules
1. Fair obtaining & processing
   • Consent
2. Specified purpose
3. No disclosure
   • unless “compatible”
4. Safe and secure
5. Accurate, up-to-date
6. Relevant, not excessive
7. Retention period
8. Right of access
Presentation Outline
• Marketing – what do people think?
• Data Protection – what is it?
• Direct Marketing – the Rules
• Best Practice
Direct Marketing Legislation
• The Data Protection Acts 1988 and 2003 (mainly Section 2)
• SI 535 of 2003, European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations, as amended by SI 526 of 2008 (mainly Regulation 13, Unsolicited Communications)
• Other Legislation: Consumer Protection, E-Commerce, Financial Regulation etc
Direct Marketing Definition
• “direct marketing” includes direct mailing other than direct mailing carried out in the course of political activities by a political party or its members, or a body established by or under statute or a candidate for election to, or a holder of, elective political office;
Direct Marketing – the Golden Rule of Consent
• Only market to willing customers
• Strong Irish customer resistance to “junk mail” or “spam”
• Failure to respect consumer choice is against the law: a criminal offence where electronic means are used
Email
• Non-Customers (Individuals)
  • Recipient must have opted in to receipt of messages from you
  • Consent given to a third party for marketing etc. is not acceptable; the consent must be informed and explicit
  • Email must include the name of the sender
  • Email must include a valid and cost-free means to opt out
  • Opt-in to send email must have been given within the last 12 months or refreshed within that period
Email continued
• Customers (Individuals)
  • You must have told the customer that you intend to use their email address for this purpose and provided an opportunity to object at the point of collection
  • Email must include the name of the sender
  • Email must include a valid and cost-free means to opt out
  • Consent to send email must have been given within the last 12 months or refreshed within that period
  • Email must only relate to your own similar or related services
Email continued
• Businesses
  • Do not need opt-in consent
  • Must respect any opt-out request
  • Email must include the name of the sender
  • Email must include a valid and cost-free means to opt out
Penalties
• Electronic mail: criminal offence, €5,000 per message, up to 10% of turnover
• 350 prosecutions gone or going through the Courts
Presentation Outline
• Marketing – what do people think?
• Data Protection – what is it?
• Direct Marketing – the Rules
• Best Practice
Best Practice (1)
• Treat the Consumer with Respect: respect their right to be “let alone”
• Marketing that respects the Consumer’s preferences is more likely to be successful
• The more intrusive the marketing, the more likely the Consumer will be upset
• Don’t abuse public information
Best Practice (2)
• Our Guidance (http://www.dataprotection.ie/viewdoc.asp?DocID=905&ad=1)
• Keep a record of any consent on which you are basing your direct marketing emails. Without it you cannot prove that you have consent, and the onus is placed on the sender
• Have a foolproof method of respecting opt-out requests
Conclusion
• Do tell the recipient at the time of collection that you intend to use their email details to market to them, and either get their opt-in or allow them to opt out
• Do identify yourself and provide a valid means of opt-out in each message
• Do keep a record of the consent for sending the message
• Don’t buy third party marketing databases
• Don’t send any messages where you have had no contact for over 12 months
• Don’t ignore requests to opt-out
• Don’t attempt to put in place a “difficult” means of opting out
DPC Contact Details
Office of the Data Protection Commissioner
Canal House
Station Road
Portarlington
Co Laois
Phone: LoCall 1890 252231 / 057 8684800
Fax: 057 8684757
Email: [email protected]
www.dataprotection.ie