I've just had reason to revisit the ICO guidance on use of employee data for
marketing purposes. I have to say that on this occasion, I find it even
more confusing and contradictory than my last visit!
From: The Employment Practices DP Code Part 2: Employment Records
Opening gambit on page 28 Section 7
"They [employers] may market their own products or services, or those of
other organisations such as insurance companies and charities which they
believe might be of interest to their workers. Workers have a right not to
have their personal data used for this purpose"
In notes and examples it goes on to state...
"If your organisation uses workers' details for advertising or marketing you
should explain this fully at the outset, making clear what personal details
will be used. You should give workers a clear opportunity to object and
respect any objections."
"An objection might be received ... This arrangement is often described as
offering an 'opt-out'."
OK that's pretty straight forward principle 1, 2 and section 11 stuff. It
then goes on ...
"The disclosure of workers' details for marketing requires express approval
from each individual, for example by the worker sending an e-mail to the
human resources department indicating agreement. This is often described as
an 'opt-in'."
If by "express approval", the guidance means 'informed consent' (not under
duress) then I suggest that this would already have been achieved by the
employee joining the organisation, particularly where the use of their data
has been 'fully explained' and an opt-out provided.
"The positive indication of consent is required because the disclosure of
workers' information is intrusive and could amount to a breach of the
employer's duty of confidence unless consent is obtained"
I agree that a 'positive indication' is required before one can demonstrate
reliable consent, so why is this second (apparently higher level) of consent
required. The employer already has consent, as signified by the employee
entering into a contract of employment.
"This is often described as an 'opt-in'."
These are very dangerous and ambiguous terms. Is this suggesting that a
contract of employment, with detailed fair processing information and an
opportunity to OPT-OUT of the direct marketing uses of personal data would
NOT be sufficient to allow employers to market products an services to their
employees?
The final straw ... the guidance goes on to state in S.7 (4) that ...
"In any event, enclosing details of particular offers within a communication
that they will receive anyway, for example in a pay-slip, is acceptable as
long as the offer includes an explanation of how to object.
So, a 'host mailing' is NOT considered to be a 'disclosure' of personal data
for the purpose of direct marketing, and contrary to the guidance given just
two bullet points above, you do NOT need to "explain this [use of their
data] fully at the outset, making clear what personal details will be used",
just give them an opt-out box.
Any suggestions?
Company Profiles Helping you stay InfoLegal
Duncan Smith
Principal Consultant
[log in to unmask]
mobile: +44(0)777 556 8180
<http://www.plaxo.com/signature> Signature powered by Plaxo
<http://www.plaxo.com/signature> Want a signature like this?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|