Legitimate Interest Assessment

Part 1: Purpose Test

You need to assess whether there is a legitimate interest behind the processing.

–      Why do you want to process the data?

–      What benefit do you expect to get from the processing?

–      Do any third parties benefit from the processing?

–      Are there any wider public benefits to the processing?

–      How important are the benefits that you have identified?

–      What would the impact be if you couldn’t go ahead with the processing?

–      Are you complying with any specific data protection rules that apply to your processing (e.g. profiling requirements, or e-privacy legislation)?

–      Are you complying with other relevant laws?

–      Are you complying with industry guidelines or codes of practice?

–      Are there any other ethical issues with the processing?

DTR Medical processes the contact details of the following categories of data subject for the purposes of direct marketing and providing updates and newsletters:

  • Individuals who have subscribed to updates and newsletters via DTR’s website (‘Subscribers’);
  • Existing Customers;
  • Health Care Professionals (including Consultants, GPs and their Secretarial Staff).

DTR obtains the personal data of these categories of data subject either directly (via a subscription or purchase) or from two 3rd parties who provide DTR with a database of contact details for the Health Care Professionals identified above.

DTR wishes to process this personal data to send direct marketing material, newsletters and updates to these individuals in order to grow the business. DTR considers this to be a legitimate business interest.

DTR Medical provides sterile single-use instruments to the health care sector and would argue that there is a wider public benefit from Health Care Professionals being aware of DTR’s products and their availability for purchase. If DTR could not provide direct marketing material, newsletters and updates to the categories of data subject identified, this would limit their access to DTR’s products and limit their ability to access information about the innovations, developments and new products provided by DTR.

DTR’s privacy notice includes a section for subscribers to newsletters and updates and a section on direct marketing, which clearly indicates the ability of the individual to object to receiving direct marketing at any time and provides a link to enable the individual to do so.

In addition, each communication that is sent which contains direct marketing includes an unsubscribe link enabling the individual to unsubscribe and discontinue the direct marketing from DTR. DTR maintains a suppression list of individuals who have unsubscribed and ensures that those individuals do not receive further direct marketing from DTR.

DTR relies upon the ‘soft-opt in’ available under the Privacy and Electronic Communications Regulations 2003 in relation to Subscribers and Existing Customers.

In relation to the Health Care Professionals, the contact details are obtained from two 3rd party sources, Wilmington Healthcare Ltd and SpecialistInfo. DTR considers that, on the basis that the contact details provided in relation to the Health Care Professionals are corporate contact details (i.e. NHS email addresses etc.), the Health Care Professionals would be considered to be ‘corporate subscribers’ and outside the scope of the Privacy and Electronic Communications Regulations 2003. Nevertheless, individuals whose personal data is included on the Wilmington Healthcare Ltd databases have consented to the sharing of their data with selected healthcare organisations (which includes DTR) for the purposes of receiving promotional information. They also have the ability to adjust their preferences in this regard through their online log-in.

Part 2: Necessity Test

You need to assess whether the processing is necessary for the purpose you have identified.

–     Will this processing actually help you achieve your purpose?

–      Is the processing proportionate to that purpose?

–      Can you achieve the same purpose without the processing?

–      Can you achieve the same purpose by processing less data, or by processing the data in another more obvious or less intrusive way?

Processing the personal data of Subscribers, Existing Customers and Health Care Professionals will enable DTR to market its products, inform these individuals about innovations and developments and grow its business.

DTR considers that the processing is proportionate to that purpose. An unsubscribe option is provided to each individual in relation to each marketing communication sent, allowing them to opt out of receiving further marketing information. Their details are then retained on a suppression list to prevent them from receiving further marketing material from DTR and they are removed from mailing lists.

Without processing the personal data of Subscribers, Existing Customers and Health Care Professionals in this way there is no alternative method of sending marketing material to these categories of individuals.

Part 3: Balancing Test

You need to consider the impact on individuals’ interests and rights and freedoms and assess whether this overrides your legitimate interests.

First, use the DPIA screening checklist. If you hit any of the triggers on that checklist you need to conduct a DPIA instead to assess risks in more detail.

Nature of the Personal Data
–      Is it special category data or criminal offence data?

–      Is it data which people are likely to consider particularly ‘private’?

–     Are you processing children’s data or data relating to other vulnerable people?

–      Is the data about people in their personal or professional capacity?

No special category or criminal offence data is being processed. The personal data would not be considered to be private; indeed, in most instances it is personal data that is publicly available from NHS Trusts and other sources. The personal data processed does not relate to children or vulnerable people; it is restricted to Health Care Professionals and those working in the Health Care sector.

Reasonable Expectations
  • Do you have an existing relationship with the individual?
  • What’s the nature of the relationship and how have you used data in the past?
  • Did you collect the data directly from the individual? What did you tell them at the time?
  • If you obtained the data from a third party, what did they tell the individuals about reuse by third parties for other purposes and does this cover you?
  • How long ago did you collect the data? Are there any changes in technology or context since then that would affect expectations?
  • Is your intended purpose and method widely understood?
  • Are you intending to do anything new or innovative?
  • Do you have any evidence about expectations – e.g. from market research, focus groups or other forms of consultation?
  • Are there any other factors in the particular circumstances that mean they would or would not expect the processing?

DTR has an existing relationship with the Subscribers and the Existing Customers. They provide their personal data directly when subscribing to newsletters and updates (via the website) or by making a product purchase (also via the website).

In relation to the personal data of Health Care Professionals obtained from 3rd party sources, the privacy notices of the 3rd parties provide that their personal data will be shared with selected healthcare organisations for the purposes of providing promotional information.

DTR’s privacy notice includes sections on processing personal data for the purposes of providing newsletters, updates and direct marketing material. These sections provide information to the individuals about how they can object to the processing of their personal data for these purposes.

Likely Impact
–      What are the possible impacts of the processing on people?

–      Will individuals lose any control over the use of their personal data?

–      What is the likelihood and severity of any potential impact?

–      Are some people likely to object to the processing or find it intrusive?

–      Would you be happy to explain the processing to individuals?

–      Can you adopt any safeguards to minimise the impact?

DTR does not consider that there would be any likely impact upon the individuals from the processing of their personal data in this way. If they wish to object to the processing, DTR’s privacy notice provides them with the method to do so; in addition, an unsubscribe option is included in relation to each communication sent. These methods combined provide the individual with the ability to opt out of marketing communications at any time. DTR explains the processing of personal data to individuals in the privacy notice.

Can you offer individuals an opt-out?


Yes / No

Making the Decision

This is where you use your answers to Parts 1, 2 and 3 to decide whether or not you can apply the legitimate interests basis.

Can you rely on legitimate interests for this processing?


Yes / No

We are able to rely on legitimate interest for this processing as all recipients of DTR Medical marketing material have either signed up via the website or given their professional contact details to a 3rd party who has sold these on to DTR. Tailored information is sent out to recipients because it concerns products in which they are deemed to have a legitimate interest. Any explicit unsubscribe requests are noted and dealt with accordingly. When updating mailing lists, DTR Medical does not re-add anyone who has unsubscribed.


LIA completed by:

Edward Sheppard


9th October 2019