Data Protection and Freedom of Information Update


The Information Commissioner's Office ("ICO") has published new guidance on consent to direct marketing ("Guidance").

The Guidance focuses on the issue of what constitutes valid consent from an individual to receiving direct marketing communications. Without consent, the ICO may take enforcement action.

The requirements for valid consent are set out in the Data Protection Act 1998 ("DPA") and the Privacy and Electronic Communications Regulations ("PECR"). An organisation may only send direct marketing communications when it has obtained an individual's consent that is:

Specific - consent needs to be specific to the organisation and to the form of communication being sent, e.g. by email or text;
Freely given - there must be a genuine choice as to whether to give consent or not. For example, consent cannot be a pre-requisite to placing an order;
Involves an action signifying agreement - there must be a positive expression of choice. A failure to opt out cannot signify consent, unless it is part of a wider process such as signing up to a service; and
Informed - it must be clear to the individual what they are consenting to. For example, including consent in small print that is difficult to locate will not suffice for compliance with the PECR.

The Guidance provides essential information on the ICO's interpretation of these rules.

The ICO's recommended best practice, and the clearest way for organisations to obtain consent, is to provide individuals with an unticked opt-in box. An opt-in box provides an individual's positive affirmation of their consent to receiving marketing emails. Whether or not an organisation uses an opt-in box, the key consideration is whether the individual will understand that their actions will be taken as consent, and exactly what they are consenting to.

Implied consent is permissible, but it must still adhere to the requirements of the DPA and the PECR. For example, implied consent would be permissible where an individual has provided a postal address when purchasing goods. In those circumstances, it would be obvious that consent had been given to use the address for the purposes of delivery. However, implied consent should not be obtained as part of a privacy policy that is hard to find, rarely read, lengthy or difficult to understand.

Consent that was originally obtained by a third party (i.e. indirect consent) appears hard to justify on a strict interpretation of the PECR, which requires that the customer has notified the sender that they consent to messages from that organisation. The ICO accepts that indirect consent may be valid where the consent is clear and specific enough. In the ICO's view, the individual must understand that the details would be passed on to a particular organisation and that they were giving consent to receiving communications from that third party organisation. It therefore appears unlikely that organisations may continue asking for an individual's consent to receive messages from 'selected third parties.'

Organisations are also advised to consider how long ago the consent was obtained, although there is no fixed time limit after which consent will automatically expire. How long an organisation can continue to rely on consent will depend on the context and the individual's expectations. As a rule of thumb, the ICO advised that organisations should not rely on indirect consent given more than six months prior to sending out a marketing communication. There can be exceptions to this rule where, for example, an individual would expect to receive seasonal marketing emails.

Organisations can go further to ensure compliance with the PECR by providing opt-in boxes for each type of marketing communication (i.e. email marketing, text message marketing, etc.).

Organisations who engage in direct marketing must devote resources to proper due diligence and, in each case, check how and when consent was obtained, by whom, and what the individual was told they would receive.

Recent Decisions

Case Ref: FS50482286
Public Authority: Wirral Metropolitan Borough Council

The complainant requested a copy of a document relating to a 'whistleblower' at Wirral Borough Council (the "Council").

The Council initially relied on sections 32 (court records) and 40(2) (personal information) of the Freedom of Information Act 2000 (the "FOIA") not to release the information. During the course of the Commissioner's investigation, the Council decided not to rely on section 32 and released the information. However, it maintained its reliance on section 40(2) and redacted names in the document.

The Commissioner decided that the Council had breached section 10(1) of the FOIA, as it did not provide a response to the complainant within the required 20 working days from the receipt of the request.

Case Ref: FS50499610
Public Authority: Independent Parliamentary Standards Authority

A request was made for legal advice held by the public authority, in relation to the recoupment of capital gains on MPs' second homes, following the decision to discontinue the practice of subsidising mortgage interest payments on those properties.

The Commissioner decided that the public authority was entitled to withhold the legal advice on the basis of section 42(1) FOIA.

Case Ref: FS50485894
Public Authority: Ministry of Defence

The complainant requested information relating to an incident in Cherbourg Marina in September 2011. The Ministry of Defence (the "MoD") disclosed some information within the scope of the request, but withheld the remainder, citing the exemptions under sections 31 (law enforcement), 40 (personal information) and 42 (legal professional privilege) FOIA.

During the course of the Commissioner's investigation, the MoD clarified that it also considered that section 36 (prejudice to effective conduct of public affairs) was engaged.

The Commissioner agreed that the MoD correctly withheld information by virtue of sections 31, 36, 40 and 42.
