Appendix 3
Privacy and Electronic Communications Regulations Direct Marketing Compliance Check Template
This Checklist aims to assist organisations proposing change to marketing arrangements to investigate whether their project complies with the requirements of the Privacy and Electronic Communications Regulations 2003 (PECR). The Regulations are designed to be technology neutral, so will apply to most electronic communications.
I BASIC INFORMATION – New or existing Project, System, Technology or Legislation
1. Organisation and Project
| Organisation | |
| Branch / Division | |
| Project |
2. Contact Position and/or Name, Telephone Number and Email Address.
(This should be the name of the individual most qualified to respond to questions regarding the PIA)
| Name, Title | |
| Branch / Division | |
| Phone Number | |
3. Description of the Program / System / Technology / Legislation (Initiative) being assessed.
If this is a change to an existing project, system, technology or legislation, describe the current system or program and the proposed changes.
4. Purpose / Objectives of the initiative (if statutory, provide citation).
5. What are the potential privacy impacts of this proposal?
6. Do you intend to send direct marketing messages by electronic means such as by telephone, fax, email, text message and picture (including video) message or by using an automated calling system?
Yes No
If yes, then you will need to complete this Checklist
IMPORTANT NOTE
‘direct marketing’ means ‘the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals’.
(Data Protection Act 1998 section 11)
7. Do you intend to send direct marketing messages only using Bluetooth?
Yes No
If yes, answer question 8, then go to Part III: PECR Marketing Compliance – Conclusions
IMPORTANT NOTE
The PEC Regulations only apply to messages sent over a public electronic communications network and Bluetooth messages are not sent using such a network.
(PECR 2003 section 2)
8. Do you intend to process personal data in order to send your direct marketing?
Yes No
If yes, then you will also need to complete the Data Protection Checklist
IMPORTANT NOTE:
‘Personal data’ means data which relate to a living individual who can be identified:
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
(Data Protection Act, section 1)
9. Are your direct marketing communications going to be aimed at individual subscribers or corporate subscribers?
Individual Corporate Both
If Individual or Both continue with Section II, if Corporate go to Section III
IMPORTANT NOTE
The PEC Regulations apply different rules to individual subscribers and corporate subscribers, although some rules apply to both. Where personal data is used the Data Protection Act 1998 always applies.
10. Your direct marketing communications should provide the recipient with information to make effective use of their rights as regards direct marketing communications. Describe the information to be provided and the mechanism by which it will be provided, particularly where the information provision is not via the same communication method as the direct marketing communication.
IMPORTANT NOTE
The e-Commerce Regulations 2002 require that the recipient of a e-Commerce service, including direct marketing, must be provided, in a form and manner that is easily, directly and permanently accessible certain information including:
the name of the service provider
the geographic address at which the service provider is established
the details of the service provider, including his email address, which make it possible to contact him rapidly and communicate with him in a direct and effective manner
The Regulations do not prescribe how the requirement to make information “easily, directly and permanently accessible” should be met.
II INDIVIDUAL SUBSCRIBERS
1. Are your marketing communications directly invited or unsolicited?
Directly Invited Unsolicited
2. By what mechanism have subscriber details been obtained?
How do you determine whether the details have been provided with the intention that you should send the subscriber direct marketing communications
IMPORTANT NOTE
If your marketing communications are directly invited (solicited) by the individual subscriber to whom they are sent, i.e. they have asked you to send them marketing communications then many of the PEC Regulations do not apply.
3. If you are to use an Automated Calling System for marketing communications do you have the prior consent of the subscriber?
Yes No
4. If you have the prior consent of the subscriber, how do you audit and verify the accuracy of your subscriber records? How will you address withdrawal of consent?
IMPORTANT NOTE
In order to use Automated Calling Systems for marketing communications to individual subscribers you must have prior consent. Prior consent on the other hand means that the subscriber has given some positive indication of intention; this does not necessarily require a tick box "opt-in" e.g. if the subscriber has clearly indicated their consent to the purposes and to the receipt of marketing communications in some other fashion i.e. clicking on an “Accept” button at the end of a marketing notice.
5. If you are to use faxes for marketing communications do you have the prior consent of the subscriber?
Yes No
6. If you have the prior consent of the subscriber, how do you audit and verify the accuracy of your subscriber records? Does your company currently subscribe to the Fax Preference Service? How will you address withdrawal of consent or a subscriber override of the FPS registration?
IMPORTANT NOTE
In order to use faxes for marketing communications to individual subscribers you must have prior consent, and check with the FPS on a regular basis unless the subscriber has notified you that such communications can be sent ‘for the time being’.
7. If you are to use live voice telephone for marketing communications have you been previously notified not to call certain subscriber numbers?
Yes No
8. How do you audit and verify the accuracy of your subscriber records? Does your company currently subscribe to the Telephone Preference Service? How will you address future “Do not call” requests, or a subscriber override of their TPOS registration?
IMPORTANT NOTE
In order to use live voice telephone calls for marketing communications to individual subscribers you must honour subscriber “Do not Call” requests, and check with the TPS on a regular basis unless the subscriber has notified you that such communications can be sent ‘for the time being’.
9. If you are to use e-mail/SMS for marketing communications do you have ‘opt-in consent’ of the subscriber?
Yes No
10. If you do not have ‘opt-in consent’, can communications be permitted under the ‘soft opt in’ test
Yes No
11. How do you collect, audit, and verify the accuracy of your opt-in subscriber records?
12. If ‘soft opt-in’ is to be used, provide details of how this will be recorded and verified and describe how opt-out mechanisms will be provided
IMPORTANT NOTE
In order to use e-mail/SMS for marketing communications to individual subscribers you have the opt-in consent of subscribers OR’ meet the soft-opt-in test:
Contact details are obtained during negotiation or sale of goods or services to the recipient;
AND
marketing is conducted by the same entity as previous dealings with the individual;
AND
marketing relates to "similar products and services";
AND
an opt-out mechanism is provided at the point of data collection and is provided with each new communication.
III CORPORATE SUBSCRIBERS
1. Are your marketing communications directly invited or unsolicited?
Directly Invited Unsolicited
2. By what mechanism have subscriber details been obtained? How do you determine whether the details have been provided with the intention that you should send the subscriber direct marketing communications
IMPORTANT NOTE
If your marketing communications are directly invited (solicited) by the corporate subscriber to whom they are sent, i.e. they have asked you to send them marketing communications then many of the PEC Regulations do not apply.
3. If you are to use an Automated Calling System for marketing communications do you have the prior consent of the subscriber?
Yes No
4. If you have the prior consent of the subscriber, how do you audit and verify the accuracy of your subscriber records? How will you address withdrawal of consent?
IMPORTANT NOTE
In order to use Automated Calling Systems for marketing communications to corporate subscribers you must have prior consent.
5. If you are to use faxes for marketing communications have you been previously notified not to call certain subscriber numbers?
Yes No
6. If you have the prior consent of the subscriber, how do you audit and verify the accuracy of your subscriber records? Does your company currently subscribe to the Fax Preference Service? How will you address future “Do not fax” requests? or a subscriber override of the FPS registration?
IMPORTANT NOTE
In order to use faxes for marketing communications to corporate subscribers you must honour subscriber “Do not Fax” requests, and check with the FPS on a regular basis unless the subscriber has notified you that such communications can be sent ‘for the time being’.
7. If you are to use live voice telephone for marketing communications have you been previously notified not to call certain subscriber numbers?
Yes No
8. How do you audit and verify the accuracy of your subscriber records? Does your company currently subscribe to the Telephone Preference Service? How will you address future “Do not call” requests?
IMPORTANT NOTE
In order to use live voice telephone calls for marketing communications to corporate subscribers you must honour subscriber “Do not Call” requests, and check with the TPS on a regular basis unless the subscriber has notified you that such communications can be sent ‘for the time being’.
9. If you are to use e-mail/SMS for marketing communications to corporate subscribers, describe what measures will you take if corporate subscribers request to opt-out from future e-mails, or override their TPS registration?
IMPORTANT NOTE
There are currently no consent requirements applicable to the sending of e-mail/SMS marketing communications to corporate subscribers. However, it is good practice to provide and opt-out mechanism.
IV PECR DIRECT MARKETING COMPLIANCE – CONCLUSIONS
Please provide a summary of the conclusions that have been reached in relation to this project’s overall compliance with the Direct Marketing provisions of the PECR. This could include indicating whether some changes or refinements to the project might be warranted.
____________________ (Proponent) Date: ___________
____________________(Data Protection Officer) Date: ___________