Xcina Blog

Halfords fined for sending nearly 500,000 unsolicited marketing emails

This issue covers a recent fine of £30,000 levied by the ICO against Halfords, after an investigation found it had sent unsolicited marketing emails to nearly 500,000 people, and new guidance from the Department of Health and Social Care that sets out its expectations for how secure data environments should be used going forward to access NHS health and social care data.

Read the full analysis by Natasha King, Data Protection Consultant at Xcina Consulting, for a look at what happened and why it matters, in this week’s issue of In Perspective.

Marketing email or service message? ICO fines Halfords over unwanted marketing emails

What happened

  • The Information Commissioner’s Office (ICO) has fined Halfords £30,000 for sending 498,179 unsolicited marketing emails to people without their consent.
  • The fine was issued under the Privacy and Electronic Communications Regulations (PECR), which sits alongside the UK GDPR and gives people specific privacy rights in relation to electronic communications and restricts the way organisations can carry out unsolicited direct marketing.
  • According to the ICO, Halfords came to its attention following complaints from individuals in relation to an email they had received in July 2020 about a ‘Fix Your Bike’ government voucher scheme.
  • The scheme allowed people to use a voucher worth up to £50 towards the cost of repairing a bike in any approved retailers or mechanics in England.
  • However, the ICO judged that Halfords’ email implied a direct connection with the Government scheme, emphasising the service provided by Halfords and encouraging individuals to redeem the voucher in its stores.
  • This email was sent to customers who had already opted out of receiving marketing communications from Halfords in the past. The email contained a disclaimer stating, “This is a service message and does not affect your marketing opt-in status”.
  • The ICO investigation found that Halfords intentionally targeted individuals for whom it knew it did not hold consent to contact for marketing purposes, on the mistaken basis that the email was a ‘service message’ rather than direct marketing.
  • Direct marketing rules under PECR do not apply to genuine service messages (communications containing important and necessary administrative or customer service information) sent to applicable consumers.
  • However, the ICO warns that if a service message includes any promotional material aimed at customers (e.g. to encourage them to buy extra products or services, or to renew contracts that are coming to an end), it will fall within the scope of direct marketing, meaning that both GDPR and PECR requirements will need to be carefully considered.

Why it matters

  • Halfords is not the first company that has failed to navigate the fine line between service messages and direct marketing. A host of other companies, including Virgin Media, Amex and EE, have previously misjudged this distinction and suffered monetary penalties and reputational damage as a result.
  • This particular case serves as a warning that even a small number of complaints about an organisation’s marketing practices can spark regulatory action. Halfords confirmed that 3,700+ people took up the opportunity to claim the voucher and there were only 7 complaints arising from the marketing messages. Despite the relatively small fine imposed by the ICO, it is important to keep in mind that this is just the beginning. For many businesses, the reputational impact of a regulatory fine for data protection violations will be immediate, particularly given that such contraventions often attract the attention of the media, as they did with Halfords.
  • It’s significant to note that the UK government has announced plans to increase the maximum fine for PECR violations to the same level that applies under the UK GDPR (up to a maximum of £17.5 million or 4% of annual global turnover) as part of its proposed post-Brexit data protection reforms. This will significantly increase the risks to organisations that fall foul of direct marketing requirements.
  • A further point to note is that over 90% of the ICO’s enforcement actions over the last year related to PECR contraventions. In a statement earlier this year, the ICO reiterated its intention to maintain its enforcement trend against organisations that misuse personal information for marketing purposes.
  • Direct marketing activities are often complex and go far beyond contacting customers to promote the brand. Equally, the need to comply with both the GDPR and PECR can make direct marketing rules seem like a legal minefield. Businesses should keep in mind the following:
    • If your email promotes the sale of goods, services or organisational ideals, it will automatically constitute marketing.
    • If the message purely contains information about the goods and services which the customer has bought, it constitutes a service message.
    • General branding, logos or straplines in service messages do not count as marketing.
    • The ICO has produced direct marketing guidance, which explains the GDPR and PECR rules on direct marketing. It can be viewed here.
    • Always seek advice from a data protection professional within your company before you engage in a marketing campaign or consider seeking external specialist advice where necessary.

DHSC publish guidelines on secure data environments for NHS data

What happened

  • The Department of Health and Social Care (DHSC) has released secure data environment policy guidelines this month, setting out its expectations for how secure data environments are to be used to access NHS health and social care data going forward.
  • The new standards were developed in response to the DHSC’s ‘Data saves lives’ policy published earlier in the year, which identified that secure data environments would become the default way for NHS and adult social care organisations to provide access to patient data for research and analysis purposes.
  • The new guidelines lay out 12 specific rules for using secure data environments and are intended to build on the commitments made in the Data saves lives strategy. They also outline future plans for the secure data environments policy, including a public and patient engagement campaign starting in autumn 2022 and the creation of additional technical guidance by the end of 2022.
  • According to the DHSC, secure data environments are “data storage and access platforms, which uphold the highest standards of privacy and security,” and such environments “allow approved users to access and analyse data without the data leaving the environment.”
  • Through secure data environments, organisations can control:
    • who can become a user to access the data
    • the data individual users can access
    • what users can do with the data in the environment
    • the information that users can remove from the environment.

Why it matters

  • The guidelines take into account the ‘Five Safes framework’ developed by the Office for National Statistics, which is widely regarded as representing best practice in data protection.
  • They include:
    • safe settings – the environment must prevent inappropriate access, or misuse
    • safe data – information must be protected and treated to protect confidentiality
    • safe people – individuals accessing the data must be trained, and authorised, to use it appropriately
    • safe projects – research projects must be approved by data owners for the public good
    • safe outputs – summarised data taken away must be checked to make sure that it protects privacy
  • The guidance notes that a variety of users across the NHS, academia and charity sectors will benefit from improved access to NHS health and social care data in secure data environments.
  • NHS Digital is already piloting a national secure data environment scheme, which provides approved researchers from certain organisations with timely and secure access to NHS health and social care data.
  • There are plans to expand this pilot in time, with the aim that all data held nationally is managed through a secure data environment when used for research and planning purposes.
  • You can read the guidelines in full here. DHSC note that they will continue to develop the guidelines in the coming months with key stakeholder groups.

We’d love to hear from you

Natasha is an experienced privacy professional with a proven ability to implement and manage successful data protection compliance programmes. Prior to joining Xcina Consulting, Natasha gained extensive knowledge and experience in dealing with complex privacy challenges across various sectors including the insurance industry, healthcare, education, and local government. She is a member of the International Association of Privacy Professionals (IAPP), holding a CIPP/E accreditation and is a certified BCS Practitioner in Data Protection.

To discuss how the areas highlighted in this post, or any other aspect of risk management, information governance or compliance impact your business, speak with our team, tell us what matters to you and find out how we can help you navigate complex issues to help you deliver long term value.

If you have any questions or comments, or if there’s anything you would like to see covered, please get in touch by emailing Xcina Consulting at info@xcinaconsulting.com. We’d love to hear from you.

Natasha King

Data Protection Consultant

Speak to me directly by Email, or
Telephone: +44 (0)20 3745 7826
