Records Management

Mailing lists and data protection

Guidance for staff working with external and internal mailing lists.

This guidance is intended for all University staff who maintain and use mailing lists.

It is important to distinguish between mailing lists used to send communications for:

  • Marketing: sending information seeking to persuade someone to buy something or to promote your aims, even for a not-for-profit body.
  • Services: messages which are essential for the service you are providing (service news, updates, newsletters, announcements, …).

It is also important to distinguish between mailing lists used to communicate:

  • Externally: sending communications to individuals from outside the University.
  • Internally: sending communications to staff and students.

When you maintain and use a mailing list, you must always have a legal basis. There are different requirements for mailing by paper and electronic mailing and for marketing messages and service communications.

Legal basis for processing guidance

Privacy notices

Whether communication is internal or external, electronic or paper, you must always ensure that recipients receive a privacy notice.

For electronic mailing lists, this requirement can be met either with a link or by including the entire privacy notice in the footer of all emails. For mailing by paper, you can also provide a link, or you can print part of the privacy notice in the footer of the letter and provide a link to the remainder. That way, you will have complied with the fairness and transparency requirements of Data Protection Law by giving both new recipients and existing subscribers easy access to the privacy notice at any time.

Privacy notice guidance

Privacy of emails

Ensure that you do not reveal the names and email addresses used for the email distribution to the recipients.

Also, for email lists, it is best practice that the email originates from a genuine verifiable @ed.ac.uk address rather than one created by an external third party.

External mailing lists

External mailing lists in paper format

If your mailing list is used to send communications in paper format to individuals external to the University, you do not need to obtain consent. Instead, the legal basis is ‘legitimate interest’.

You must, however, give recipients the opportunity in every letter to opt out of receiving the communication easily and effortlessly. This can be a phone number or an email address.

External mailing lists in electronic format

If you send emails to individuals external to the University, you must distinguish between sending communications to private individuals and to business contacts.

Business contacts (“B2B”)

Business contacts are individuals who can be considered as representatives of their company, organisation or institution, such as students or academics from another university, or professionals from all sectors. For B2B communications you can use “legitimate interest” as an appropriate legal basis and will not have to ask for consent. However, you must provide the option to opt out in every communication, for example through an ‘unsubscribe’ link in the footer of the email.

Private individuals

If you send emails to private individuals, then you must have obtained consent. This consent can be through people actively signing up to receive a newsletter through your website, by ticking a box when registering online for an event, or signing up to a mailing list during an event.

If an existing mailing list exclusively or mostly contains private individuals who have not actively subscribed but have been added to the list for another reason, then you must request consent and remove those who don’t reply from the list.

Renewing consent

Consent does not last forever and must be refreshed after an appropriate period of time. Based on the nature and content of the communications, you must assess and determine an appropriate length of time after which you will ask subscribers to re-consent. This could be anything between 2 and 5 years.

Always provide the option to opt out in every communication, for example through an ‘unsubscribe’ link in the footer of the email.

“Soft opt-in”

If the individual has bought something from you such as a product or a service, has attended a paid event, or is or has been in negotiation with you about buying a service or product or attending a paid event, then you do not need their consent to send them emails about similar products, services or events. This applies as long as you gave them the option of opting out of receiving marketing emails when you obtained their email address, and you provide an opt-out or ‘unsubscribe’ option every time you send an email.

Suppression lists

If someone asks you not to send them marketing emails, then you must stop, but you must also retain their email address for the purpose of ensuring they do not receive marketing emails from you again. This is known as a “suppression list”.

Mixed lists

If your mailing list contains both B2B contacts and private individuals, a pragmatic, risk-assessed approach is recommended. If you have obtained valid consent originally, then you will not have to ask subscribers to re-consent. If you have not obtained consent from the private individuals, conduct a risk assessment to determine whether continuing to send emails is likely to cause offence or distress or whether receiving the emails is in the individuals’ interest and/or to their benefit.

Always provide the option to opt out in every communication, for example through an ‘unsubscribe’ link in the footer of the email.

Email service provider

The University uses Dotdigital (formerly known as dotmailer) for email marketing lists. Advice on how to use the University's Dotdigital account is available from Communications & Marketing.

Communications and Marketing Dotdigital guidance: University login required

Internal mailing lists

Most internal mailing lists will be in electronic format.

You need to distinguish between mailing lists used for essential business and mailing lists used for other purposes.

Essential business mailing lists

Essential business mailing lists will include information such as changes to lecture theatres for students, information about student assignments, information about facilities such as a lack of heating or power failure in certain buildings, or University closure due to snow. These mailing lists can be University-wide, School- or Deanery-specific, or programme-specific. Due to the nature of the information contained within these emails, subscription is mandatory and an option to unsubscribe cannot be given. The legal basis for these emails is the ‘contract’ the University has with its students and staff to provide a service.

Other mailing lists  

Other mailing lists may include non-essential information about, for example, events in a School, Deanery or research centre, or career opportunities for students.

Because staff members and students are considered to be business contacts, you do not need consent to send these emails. The legal basis for these emails is ‘legitimate interest’.

For non-essential emails, always provide the option to opt out in every communication, for example through an ‘unsubscribe’ link in the footer of the email.  You should maintain a suppression list to ensure you don’t send any further emails to staff and students who have opted out.

Mixed content

If internal mailing lists include both essential and non-essential information, then they are treated as though they only contained essential information as the importance of providing this type of information overrides the requirement to provide the option to opt out of non-essential communications.

For these, no ‘unsubscribe’ link is required.

Mailing list service

For internal mailing lists use Sympa, the mailing list service supported by Information Services.

Information Services mailing list guidance

About this guidance

Version control | Author/editor | Date | Edits made
1 | Data Protection Officer | May 2018 | Initial edit
2 | Data Protection Officer | February 2019 | Added in links to guidance on University supported mailing list services
3 | Deputy Information Compliance Manager | February 2019 | Corrected grammatical error, link text and added version control table.
4 | RASO | April 2019 | Updated dotmailer to dotdigital