Privacy and Electronic Communications Regulations (PECR): personal liability introduced

There are strict rules surrounding direct marketing which apply to commercial and not-for-profit organisations. These rules are outlined in the Privacy and Electronic Communications Regulations 2003 (“PECR”). If an organisation is found to be in breach of PECR, the Information Commissioner’s Office (ICO) has the power to issue the organisation with a civil monetary penalty (“CMP”) of up to £500,000. How can that affect schools and school management?

PECR was recently amended in line with the Government’s response to the Department for Digital, Culture, Media and Sport’s consultation ‘Tackling Nuisance Calls and Messages’. It was concluded that financial penalties should be issued to the officers of organisations which are responsible for breaching PECR to ensure these individuals are held accountable. PECR was duly amended in December 2018 to give the ICO the power to issue personal fines of up to £500,000 to these officers. An ‘officer’ may include a director, manager, secretary or other similar officer of the organisation or any person purporting to act in such a capacity; or where the affairs of the organisation are managed by its members, a member.

What is direct marketing?

Direct marketing means the communication (by whatever means) of advertising or marketing material which is directed to particular individuals. This includes promoting an organisation’s aims and ideals. Academy trusts need to be aware of the rules surrounding direct marketing, particularly when sending out any promotional, campaigning or fundraising materials.

Are schools required to comply?

Academy trusts must ensure they comply with PECR when sending unsolicited direct marketing messages by electronic means (i.e. where the message has not been specifically requested). This includes telephone calls, faxes, emails, text messages and other forms of electronic message. If the message has been actively requested by an individual, then the academy trust does not need to worry about complying with PECR; however, it should still provide general information such as contact information for the academy trust.

Key examples of when an academy trust will be required to comply with PECR would be if messages are sent to parents asking for support/donations for a school fundraising activity; if a school is campaigning for a change and wishes to engage parents and other persons in the local area; or if a school wishes to promote a new after-school club it can offer to its pupils.

In practice, fundraising activities may not be carried out by the academy trust itself but by a separate legal entity, such as a PTA. The fact that the fundraising is being carried out by a different legal entity (such as a PTA which is a separate registered charity) is unlikely to release the academy trust from its obligations under PECR, as it may be found to be an ‘instigator’ under the regulations. The academy trust should therefore ensure that any fundraising activities are dealt with in line with PECR.

In order to be compliant with PECR, academy trusts must ensure they have consent from those they send direct marketing messages to. The consent must cover both the academy trust and the type of communication the academy trust wants to use. In order to be valid consent, an individual must give a clear positive action signalling consent and must fully understand that they are providing consent to the academy trust. Examples of valid consent will include ticking a box, clicking an icon or sending an email. The academy trust must also ensure that the individual has received the academy trust’s privacy notice prior to giving consent. The privacy notice should refer to the fact the academy trust intends to use the individual’s personal data for direct marketing purposes. Once consent has been received, the academy trust should keep a clear record of this so it can demonstrate compliance with PECR.

The ICO is most likely to take action against an organisation which persistently ignores people’s objections to its marketing; sends mass emails or texts without consent; or fails to screen those it contacts with marketing material against the Telephone Preference Service. Although it is unlikely that an academy trust would engage in such exercises, they are required to comply with PECR as outlined above and should carefully consider whether they are compliant. In light of the recent amendment to PECR, academy trusts should ensure staff and senior figures are aware of the rules surrounding direct marketing and warn them of the risks associated with breaching its rules.

The law and practice referred to in this article has been paraphrased or summarised. It might not be up-to-date with changes in the law and we do not guarantee the accuracy of any information provided at the time of reading. It should not be construed or relied upon as legal advice in relation to a specific set of circumstances.
