GDPR - GPC - Blog 5
Texts and E-mails
As mentioned in Blog 4, texts and e-mails need to be considered in their own right.
There are two laws that apply: GDPR Article 22 and the Privacy and Electronic Communications Regulations (PECR)2 (full title: The Privacy and Electronic Communications (EC Directive) Regulations 2003), which are, as usual, derived from European law. These were designed to deal with spam mails and texts, but unfortunately their definition of “marketing” overlaps with some things we GPs do.
Marketing, what marketing? We can’t moan about “GP in your pocket”-type services flogging pointless tests to the bed hoppers of London but at the same time use our patients’ e-mails and mobile numbers to message them about activities such as your PPG, newsletter, fitness clubs or in-house physio, because I am afraid this represents “marketing”.
Direct care messaging
Collecting and using email addresses for direct medical care, such as appointment reminders, test results, annual review/vaccination invitations, responses to E-Consults etc., is part of direct care. Anything else is not, and is marketing. So, if any communication is not about the individual’s specific problems or diagnoses or the management of their conditions, then it’s marketing. The direct care messages are lawful under the old DPA and the new GDPR. Under DPA it was “implied consent”; under GDPR, Articles 6(1)(e) and 9(2)(h) provide legal cover. So, this is allowed prospectively and retrospectively. For direct care messaging you do not have to consent or re-consent anyone.
So what about non-direct medical care communications?
You mean “marketing”? See above: if it’s not personal individual communication about their direct care, it’s marketing. This means PPG meetings, distributing minutes of meetings, elections, coffee mornings, mothers and toddlers groups, newsletters, meet-the-team meetings, announcements about opening of new services, notifications about closing services, lobbying your MP, fighting your closure etc. All the latter count as marketing and you cannot send out text messages or e-mails to individuals unless you have their consent to do so. Articles 6(1)(e) and 9(2)(h) do not apply and only the consent articles can: Articles 6(1)(a) and 9(2)(a) under GDPR, and then separately PECR applies. What this means is that to send out electronic communications for marketing you must have the individual’s consent. Under GDPR, consenting is a rigorous and tightly defined process that needs to be properly recorded and easily reversible; see my blog on the same.
Err, but what about the thousands of patients that Mr Hunt has been encouraging us to sign up for On-line Access and the PPG that we’ve been struggling to keep afloat? Do they all have to be re-consented?
Thankfully no. There is the “soft opt-in”. Basically, if you are already communicating with patients for these things, it is assumed they have consented, and you do not have to re-consent them. But you do have to offer them the opportunity to opt out.
So, it’s only the new patients / clients / subscribers?
Correct. In future, if you want to send them blurb mails or tiresome texts, then you’ve got to have a process for actively and positively consenting them beforehand, presumably during registration, and a mirror process that makes it equally easy for that consent to be withdrawn.
What about paper letters?
PECR does not apply to non-electronic communications, but GDPR does. To send a letter you have to process the patient’s data. So, you’d have to consent them under GDPR to send out non-direct care paper mailings.
To recap, you won’t have to re-consent existing patients whose mobiles and e-mails you are already using for any purpose. New patients will have to be properly GDPR consented beforehand if you want to send them any non-direct care communications. All patients need to have the same options to opt out and should be informed of them.
The final word (and more words)1 lies with the ICO, which says: “You must not send marketing emails or texts to individuals without specific consent.”