Guidance for staff working with external and internal mailing lists This guidance is intended for all University staff who maintain and use mailing lists. It is important to distinguish between mailing lists used to send communications for: Marketing: sending information seeking to persuade someone to buy something or to promote your aims, even for a not-for-profit body. Services: messages which are essential for the service you are providing (service news, updates, newsletters, announcements, …). It is also important to distinguish between mailing lists used to communicate: Externally: sending communications to individuals from outside the University. Internally: sending communications to staff and students. When you maintain and use a mailing list, you must always have a legal basis. There are different requirements for mailing by paper and electronic mailing and for marketing messages and service communications. Privacy of emails Ensure that you do not reveal the names and email addresses used for the email distribution to the recipients – use ‘bcc’, not ‘cc’. Also, for email lists, it is best practice that the email originates from a genuine verifiable @ed.ac.uk address rather than one created by an external third party. External mailing lists External mailing lists in paper format If your mailing list is used to send communications in paper format to individuals external to the University, you do not need to obtain consent. Instead, the legal basis is ‘legitimate interest’. You must, however, provide recipients with the opportunity to easily and effortlessly opt out of receiving the communication in every letter. This can be a phone number or an email address. External mailing lists in electronic format If you send emails to individuals external to the University, you must distinguish between sending communications to private individuals and to business contacts. Business contacts (“B2B”) Business contacts are individuals who can be considered as representatives of their company, organisation or institution, such as students or academics from another university, or professionals from all sectors. For B2B communications you can use “legitimate interest” as an appropriate legal basis and will not have to ask for consent. However, you must provide the option to opt out in every communication, for example through an ‘unsubscribe’ link in the footer of the email. Private individuals If you send emails to private individuals, then you must have obtained consent. This consent can be through people actively signing up to receive a newsletter through your website, by ticking a box when registering online for an event, or signing up to a mailing list during an event. If an existing mailing list exclusively or mostly contains private individuals who have not actively subscribed but have been added to the list for another reason, then you must request consent and remove those who don’t reply from the list. Renewing consent Consent does not last forever and after an appropriate period of time must be refreshed. From the nature and content of the communications you must assess and determine an appropriate length of time after which you will re-consent subscribers. This could be anything between 2 and 5 years. Always provide the option to opt out in every communication, for example through an ‘unsubscribe’ link in the footer of the email. “Soft opt-in” If the individual has bought something from you such as a product or a service, or attended a paid event, or is or has been in negotiation with you about buying a service, product or attending a paid event, then you do not need their consent to send emails to them about similar products, services or events as long as you give them the option of opting out of receiving marketing emails when you obtained their email address, and you provide an opt out or ‘unsubscribe’ option every time you send an email. Suppression lists If someone asks you not to send them marketing emails then you must stop but you also must retain their email address for the purpose of ensuring they do not receive marketing emails from you again. This is known as a “suppression list” and the legal basis for maintaining the list is ‘legitimate interest’. Mixed lists If your mailing list contains both B2B contacts and private individuals, a pragmatic, risk-assessed approach is recommended. If you have obtained valid consent originally, then you will not have to ask subscribers to re-consent. If you have not obtained consent from the private individuals, conduct a risk assessment to determine whether continuing to send emails is likely to cause offence or distress or whether receiving the emails are in the individuals’ interest and/or to their benefit. Always provide the option to opt out in every communication, for example through an ‘unsubscribe’ link in the footer of the email. Internal mailing lists Most internal mailing lists will be in electronic format. You need to distinguish between lists used for essential business and mailing lists used for other purposes Essential business mailing lists Essential business mailing lists will include information such as changes to lecture theatres for students, information about student assignments, information about facilities such as a lack of heating or power failure in certain buildings, or University closure due to snow. These mailing lists can be University-wide, School- or Deanery-specific, or programme-specific. Due to the nature of the information contained within these emails, subscription is mandatory and an option to unsubscribe cannot be given. The legal basis for these emails is the ‘contract’ the University has with its students and staff provide a service. Other mailing lists Other mailing lists may include non-essential information about, for example, events in a School, Deanery or research centre, or career opportunities for students. Because staff members and students are considered to be business contacts, you do not need consent to send these emails, the legal basis for these emails is ‘legitimate interest’. For non-essential emails, always provide the option to opt out in every communication, for example through an ‘unsubscribe’ link in the footer of the email. You should maintain a suppression list to ensure you don’t send any further emails to staff and students who have opted out. Mixed content If internal mailing lists include both essential and non-essential information, then they are treated as though they only contained essential information as the importance of providing this type of information overrides the requirement to provide the option to opt out of non-essential communications. For these, no ‘unsubscribe’ link is required.