Data Protection Guidelines
Data Protection Guidelines: Email Do's and Don'ts

Published in: Business

Transcript

  • 1. Data Protection Guidelines: Email Do's and Don'ts
    • Gary Davis, Deputy Data Protection Commissioner
    • Irish Internet Association, 28th October 2009
  • 2. Presentation Outline
    • Marketing – what do people think?
    • Data Protection – what is it?
    • Direct Marketing – the Rules
    • Best Practice
  • 3. Personal Experience of Privacy Invasion
    • [Chart: % answering Yes for each experience]
    • Received unsolicited post, addressed to you personally
    • Received unsolicited text messages from commercial organisations
    • Received unsolicited emails from commercial organisations
    • Had excessive personal information sought from business/public sector organisations
    • Had a virus/spyware on personal computer
    • Disclosures of your personal information to others without your agreement
    • Had information, images or footage of you posted on the internet without your consent
    • Had personal information being withheld from you without explanation
    • Inappropriate access to personal information held about you within an organisation
    • Any experience
  • 4. Attitude Towards Unsolicited Mail or Offers (2008 vs 2005)
    • [Chart: % unhappy by channel, 2008 vs 2005. Channels: the post; e-mail/the internet; the telephone to your home; SMS/text messages (to your mobile phone). Scale: Not at all happy (1), Not very happy (2), Fairly happy (3), Very happy (4), Don’t Know]
    • Unsolicited mail via telephone or post remain the approaches the public most dislike. However, irritation with text or e-mail contact has significantly increased since 2005.
  • 5. Q.7 – Awareness of Rights
    • [Chart: Yes Entitled %, No not Entitled %, Don’t Know % for each right]
    • To get a copy of any information about you held by any organisation
    • To have any inaccurate information about you corrected/deleted
    • To have your name removed from junk mail lists
    • To have your telephone number removed from direct marketing lists
    • To have any of your medical records deleted
    • To claim compensation through the courts if personal information held about you is misused
    • To get personal information about other people
  • 6. Complaints to DPC 2008
    • 1031 formal complaints
    • Many more enquiries dealt with informally
    • Complaints by type (%)
      • Direct Marketing*: 35
      • Access Rights: 30
      • Disclosure: 16
      • Accuracy: 2
      • Other: 17
    • * Mainly electronic (SMS etc). Direct Marketing accounted for 57% of complaints in 2007
  • 7. Unsolicited Marketing – DPC Annual Report Case Studies
    • Unsolicited Text Messages (12/2005; 5/2006 – deletion of database ordered)
    • Unsolicited Faxes (20/2008)
    • Unsolicited e-mails (8/2008; 17/2008 – database deleted and marketing suspended)
    • “Cold-Calling”/Failing to respect right to “opt-out” including via NDD (11/2005 (prosecution); 1/2006; 2/2006; 4/2007 – order to suspend marketing; 11/2008)
    • Postal Marketing (15/2007: supermarket)
  • 8. Case Studies 2008 : Direct Marketing
    • 123.1e (insurance)
    • Interactive Voice Technologies
    • Buy-as-you-Fly
    • Celtic Water Solutions
    • Matrix Internet
    • Dell
    • 2 Cases where we found in favour of DC
  • 9. Presentation Outline
    • Marketing – what do people think?
    • Data Protection – what is it?
    • Direct Marketing – the Rules
    • Best Practice
  • 10. Data Protection: a Human Right
    • Part of Right to Personal Privacy
    • Personal Privacy: necessary in a Democratic Society (but not absolute)
    • Un-enumerated right under Irish Constitution
    • Explicit right under European Convention on Human Rights: ECHR Act 2003
  • 11. EU & Irish Legislation
    • Data Protection Directive 95/46/EC
    • Electronic Privacy Directive 2002/58/EC
    • EUROPOL etc
    • Data Protection Acts 1988 & 2003
    • EC Electronic Privacy Regulations 2003 (SI 535/2003) and 2008 (SI 526/2008)
    • Corresponding Acts
    • Good Friday Agreement
    • Disability Act 2005
  • 12. Rights and Obligations
    • Rights of “data subject” (= identifiable, living individual) to control the use of their “personal data” (very broad definition)
    • Obligations on “data controllers” (“a person who controls the contents and use of personal data”) and “data processors” (“a person who processes personal data on behalf of a data controller”)
  • 13. The Data Protection Rules
    • Fair obtaining & processing
      • Consent
    • Specified purpose
    • No disclosure
      • unless “compatible”
    • Safe and secure
    • Accurate, up-to-date
    • Relevant, not excessive
    • Retention period
    • Right of access
  • 14. Presentation Outline
    • Marketing – what do people think?
    • Data Protection – what is it?
    • Direct Marketing – the Rules
    • Best Practice
  • 15. Direct Marketing Legislation
    • The Data Protection Acts 1988 and 2003
      • Mainly Section 2
    • SI 535 of 2003 European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations as amended by SI 526 of 2008
      • Mainly Regulation 13 (Unsolicited Communications)
    • Other Legislation: Consumer Protection, E-Commerce, Financial Regulation etc
  • 16. Direct Marketing Definition
    • “direct marketing” includes direct mailing other than direct mailing carried out in the course of political activities by a political party or its members, or a body established by or under statute or a candidate for election to, or a holder of, elective political office;
  • 17. Direct Marketing – the Golden Rule of Consent
    • Only market to willing customers
    • Strong Irish customer resistance to “junk mail” or “spam”
    • Failure to respect consumer choice is against the law
      • Criminal offence where electronic means used
  • 18. Email
    • Non-Customers (Individuals)
      • Recipient must have opted-in to receipt of message from you
      • Consent given to third party marketing etc. is not acceptable. The consent must be informed and explicit
      • Email must include the name of sender
      • Email must include valid and cost free means to opt-out
      • Opt-in to send email must be in the last 12 months or refreshed within that period
  • 19. Email continued
    • Customer (Individuals)
      • You must have told the customer that you intend to use their email address for this purpose and provided an opportunity to object at the point of collection
      • Email must include the name of sender
      • Email must include valid and cost free means to opt-out
      • Consent to send email must be in the last 12 months or refreshed within that period
      • Email must only relate to your own similar or related services
  • 20. Email continued
    • Businesses
      • Do not need opt-in consent
      • Must respect any opt-out request
      • Email must include the name of sender
      • Email must include valid and cost free means to opt-out
  • 21. Penalties
    • Electronic mail
      • Criminal Offence: €5,000 per message, up to 10% of turnover
      • 350 prosecutions gone or going through Courts
  • 22. Presentation Outline
    • Marketing – what do people think?
    • Data Protection – what is it?
    • Direct Marketing – the Rules
    • Best Practice
  • 23. Best Practice (1)
    • Treat Consumer with Respect
      • Respect their right to be “let alone”
    • Marketing that respects the Consumer’s preferences is more likely to be successful
    • The more intrusive the marketing, the more likely Consumer will be upset
    • Don’t abuse public information
  • 24. Best Practice (2)
    • Our Guidance ( http://www.dataprotection.ie/viewdoc.asp?DocID=905&ad=1 )
    • Keep a record of any consent on which you are basing your direct marketing emails. Without it you cannot prove that you have consent, and the onus is placed on the sender
    • Have a foolproof method of respecting opt-out requests
  • 25. Conclusion
    • Do tell the recipient at the time of collection that you intend to use their email details to market to them and either get their opt-in or allow them to opt-out
    • Do identify yourself and provide a valid means of opt-out in each message
    • Do keep a record of the consent for sending the message
    • Don’t buy third party marketing databases
    • Don’t send any messages where you have had no contact for over 12 months
    • Don’t ignore requests to opt-out
    • Don’t attempt to put in place a “difficult” means of opting out
  • 26. DPC Contact Details
    • Office of the Data Protection Commissioner
    • Canal House
    • Station Road
    • Portarlington
    • Co Laois
    • Phone: LoCall 1890 252231 / 057 8684800
    • Fax: 057 8684757
    • Email: [email_address]
    • Website: www.dataprotection.ie