The DPA provides that certain conditions must be met before personal data can be held, used or disclosed, or dealt with in any way. The easiest and safest way to meet these conditions is to obtain consent. But consent must be “freely given, specific and informed”, and it cannot be inferred from a failure to respond to a general communication. In some cases the consent must be expressly given, e.g. in relation to sensitive personal data or transfer to a non-EEA country. In any event the consequences of not consenting must always be clear.
If personal data is to be used for direct marketing purposes there must be an “opt-out” or “opt-in” process, depending on which applies. Consent may be withdrawn at any time, but the withdrawal does not have retroactive effect.
There are particular requirements for marketing by means of “electronic mail”, whereby unsolicited messages may not be sent to individuals. A failure to indicate objection (the “opt-out” approach) will probably not be treated on its own as the valid giving of consent. The best practice is to obtain positive consent and confirm it, either by offering an opportunity to unsubscribe or by requesting a reply to the confirmation.
It is worth reviewing any “consent statements” and procedures that you use regularly, to ensure that they cover the uses to which you are putting the personal data that you hold, and updating these as and when necessary. The more specific you can be, the better, but this should be balanced against the need to ensure that you cover every possible use you will make of the data, so in some cases a more general statement may be appropriate. You should also review your registration with the ICO, and ensure that the description of purposes is fully up to date.
On the flip side, if you are in receipt of unsolicited mail, the first port of call should be the company sending it, but if that does not resolve the issue, then a complaint can be made to the Information Commissioner.