Data Protection Guidelines: Email Do's and Don'ts
Gary Davis, Deputy Data Protection Commissioner
Irish Internet Association, 28th October 2009

Presentation Outline
• Marketing – what do people think?
• Data Protection – what is it?
• Direct Marketing – the Rules
• Best Practice

Personal Experience of Privacy Invasion
[Bar chart: percentage answering "Yes" to each of the following]
• Received unsolicited post, addressed to you personally
• Received unsolicited text messages from commercial organisations
• Received unsolicited emails from commercial organisations
• Had excessive personal information sought from business/public sector organisations
• Had a virus/spyware on personal computer
• Disclosures of your personal information to others without your agreement
• Had information, images or footage of you posted on the internet without your consent
• Had personal information being withheld from you without explanation
• Inappropriate access to personal information held about you within an organisation
Any experience: 65%

Attitude Towards Unsolicited Mail or Offers…
[Chart: 2008 and 2005 responses (%) by channel (the post; e-mail/the internet; the telephone to your home; SMS/text messages to your mobile phone), on the scale Not at all happy (1), Not very happy (2), Fairly happy (3), Very happy (4), Don’t know, with an "Unhappy (%)" total for each channel]
Unsolicited mail via telephone or post remain the approaches the public most dislike. However, irritation with text or e-mail contact has significantly increased since 2005.

Q.7 – Awareness of Rights
[Chart: percentage answering "Yes, entitled", "No, not entitled" and "Don’t know" for each of the following]
• To get a copy of any information about you held by any organisation
• To have any inaccurate information about you corrected/deleted
• To have your name removed from junk mail lists
• To have your telephone number removed from direct marketing lists
• To have any of your medical records deleted
• To claim compensation through the courts if personal information held about you is misused
• To get personal information about other people

Complaints to DPC 2008
• 1031 formal complaints
• Many more enquiries dealt with informally

TYPE: %
Direct Marketing*: 35
Access Rights: 30
Disclosure: 16
Accuracy: 2
Other: 17

* Mainly electronic (SMS etc). Direct Marketing accounted for 57% of complaints in 2007

Unsolicited Marketing – DPC Annual Report Case Studies
• Unsolicited Text Messages (12/2005; 5/2006 – deletion of database ordered)
• Unsolicited Faxes (20/2008)
• Unsolicited e-mails (8/2008; 17/2008 – database deleted and marketing suspended)
• “Cold-Calling”/Failing to respect right to “opt-out” including via NDD (11/2005 (prosecution); 1/2006; 2/2006; 4/2007 – order to suspend marketing; 11/2008)
• Postal Marketing (15/2007: supermarket)

Case Studies 2008: Direct Marketing
• 123.1e (insurance)
• Interactive Voice Technologies
• Buy-as-you-Fly
• Celtic Water Solutions
• Matrix Internet
• Dell
• 2 Cases where we found in favour of DC

Data Protection: a Human Right
• Part of Right to Personal Privacy
• Personal Privacy: necessary in a Democratic Society (but not absolute)
• Un-enumerated right under Irish Constitution
• Explicit right under European Convention on Human Rights: ECHR Act 2003

EU & Irish Legislation
• Data Protection Directive 95/46/EC
• Electronic Privacy Directive 2002/58/EC
• EUROPOL etc
• Data Protection Acts 1988 & 2003
• EC Electronic Privacy Regulations 2003 (SI 535/2003) and 2008 (SI 526/2008)
• Corresponding Acts
• Good Friday Agreement
• Disability Act 2005

Rights and Obligations
• Rights of “data subject” (= identifiable, living individual) to control the use of their “personal data” (very broad definition)
• Obligations on “data controllers” (“a person who controls the contents and use of personal data”) and “data processors” (“a person who processes personal data on behalf of a data controller”)

The Data Protection Rules
1. Fair obtaining & processing
   • Consent
2. Specified purpose
3. No disclosure
   • unless “compatible”
4. Safe and secure
5. Accurate, up-to-date
6. Relevant, not excessive
7. Retention period
8. Right of access

Direct Marketing Legislation
• The Data Protection Acts 1988 and 2003
  - Mainly Section 2
• SI 535 of 2003 European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations as amended by SI 526 of 2008
  - Mainly Regulation 13 (Unsolicited Communications)
• Other Legislation: Consumer Protection, E-Commerce, Financial Regulation etc

Direct Marketing Definition
• “direct marketing” includes direct mailing other than direct mailing carried out in the course of political activities by a political party or its members, or a body established by or under statute or a candidate for election to, or a holder of, elective political office;

Direct Marketing – the Golden Rule of Consent
• Only market willing customers
• Strong Irish customer resistance to “junk mail” or “spam”
• Failure to respect consumer choice is against the law
  - Criminal offence where electronic means used

Email
• Non-Customers (Individuals)
  - Recipient must have opted-in to receipt of message from you
  - Consent given to third party marketing etc not acceptable. The consent must be informed and explicit
  - Email must include the name of sender
  - Email must include valid and cost free means to opt-out
  - Opt-in to send email must be in the last 12 months or refreshed within that period

Email continued
• Customer (Individuals)
  - You must have told the customer that you intend to use their email address for this purpose and provided an opportunity to object at the point of collection
  - Email must include the name of sender
  - Email must include valid and cost free means to opt-out
  - Consent to send email must be in the last 12 months or refreshed within that period
  - Email must only relate to your own Similar or Related Services

Email continued
• Businesses
  - Do not need opt-in consent
  - Must respect any opt-out request
  - Email must include the name of sender
  - Email must include valid and cost free means to opt-out

Penalties
• Electronic mail
  - Criminal Offence: €5,000 per message, up to 10% of turnover
  - 350 prosecutions gone or going through Courts

Best Practice (1)
• Treat Consumer with Respect
  - Respect their right to be “let alone”
• Marketing that respects the Consumer’s preferences is more likely to be successful
• The more intrusive the marketing, the more likely Consumer will be upset
• Don’t abuse public information

Best Practice (2)
• Our Guidance (http://www.dataprotection.ie/viewdoc.asp?DocID=905&ad=1)
• Keep a record of any consent on which you are basing your direct marketing emails. Without it you cannot prove that you have a consent and onus is placed on sender
• Have a foolproof method of respecting opt-out requests

Conclusion
• Do tell the recipient at the time of collection that you intend to use their email details to market them and either get their opt-in or allow them to opt-out
• Do identify yourself and provide a valid means of opt-out in each message
• Do keep a record of the consent for sending the message
• Don’t buy third party marketing databases
• Don’t send any messages where you have had no contact for over 12 months
• Don’t ignore requests to opt-out
• Don’t attempt to put in place a “difficult” means of opting out

DPC Contact Details
Office of the Data Protection Commissioner
Canal House
Station Road
Portarlington
Co Laois
Phone: LoCall 1890 252231 / 057 8684800
Fax: 057 8684757
Email: [email protected]
Web: www.dataprotection.ie