This guidance has been reviewed by the Health and Care Information Governance Panel, including the ICO and NDG.

The panel exists to simplify information governance guidance. Have we done a good job? Let us know at datapolicyhub@nhsx.nhs.uk.

What is and isn’t direct marketing?

Direct marketing is the communication of any advertising or marketing material to an individual. Direct marketing is not restricted to profit making and includes promoting aims or ideals (for example, fundraising). Direct marketing can be communicated in any way, for example by phone, letter, email or text.

The majority of communications that health and care organisations send to individuals will not be direct marketing, but some communications could be considered direct marketing. The law restricts the way organisations can carry out direct marketing. It is therefore important that you read and understand this guidance. It will help you decide whether the communication you wish to send is direct marketing or not.

The ICO has produced wider guidance on direct marketing for the public sector. This guidance specifically considers the rules on direct marketing in the context of health and care communications. It includes some case studies at the end.



Guidance for patients and service users

Most communications that you receive from your health and care professional will not be direct marketing. You should only receive messages from them that you would reasonably expect to receive.

For instance, you might receive information from healthcare professionals about things to do with your care. This could be about your treatment, information about amended opening hours for a GP practice or notification that your prescription is ready to collect.

You may also be asked for feedback on parts of your healthcare experience, which helps the NHS improve what it does. Sometimes you may be invited to participate in research which has been reviewed by an NHS Research Ethics Committee. The Health Research Authority (HRA) provides further information about how information is used for research and your choices.

Unless you have previously agreed to it (given your consent), you should not receive a direct marketing message, such as asking for donations to the hospital charity. You have the right to object to any direct marketing message and this must be respected. It should also be easy for you to withdraw your consent, for example, by clicking a link to unsubscribe in an email.


Guidance for healthcare workers

When communicating with patients and service users, you need to consider whether the communication is direct marketing or not. This is because where a direct marketing communication is sent by electronic mail or text, you will need the consent of the individual prior to sending that communication.

Most communications that people receive from their healthcare professionals will not be direct marketing. If you are a public authority and your messages are necessary for your task or function, these messages are not direct marketing. To decide whether a communication is direct marketing, you should consider whether the communication is necessary for your organisation’s task or function.

Messages and communications about the following overarching purposes would be seen as necessary for your organisation's task and function, so are NOT direct marketing:

  • Individual care or treatment
  • Service communications such as amended opening hours for a GP practice or notification that a prescription is ready to collect
  • Messages seeking feedback on a service with the aim of service improvement
  • Communications about research participation from organisations whose tasks and functions include the conduct of health and social care research

The following specific examples are part of your task and function so are NOT direct marketing:

  • Sending appointment reminders or letters to patients or service users or their representative if they have one
  • Sending invites to attend screening programmes, such as cervical screening or vaccination programmes
  • Sending eligible registered patients or service users communications letting them know that flu vaccinations are available
  • Sending registered patients or service users an electronic communication alerting them to a business change, for example, new opening hours
  • Notifications informing the patient or service user their prescription is ready for collection from the pharmacy
  • Alerting patients or service users to a new clinic that is relevant to their health condition, for example, a nurse informing a smoker during a consultation of a new smoking cessation clinic
  • GP practices contacting relevant patients to promote a reminder service for flu vaccines where the individual has been identified as someone for whom the vaccination is appropriate for their healthcare
  • Notifying a patient of their quarterly clinical review for their health condition
  • Sending a text asking for feedback on the service provided, for example, friends and family test with the aim of improving service delivery
  • A GP practice or hospital trust sending a message to an individual to inform them about a health or social care research project they may be eligible to participate in

The following uses ARE considered direct marketing. It would be difficult to see how these would be part of an organisation’s task and function:

  • A text sent by the health or care provider to a patient or service user, to let them know of a service offered by a commercial company, such as a new gym opening.
  • A hospital trust contacting a patient following treatment to ask if they would be willing to donate to the hospital charity.
  • An optician contacting their customers to inform them of a special offer on prescription sunglasses.
  • A Patient Participation Group inviting patients to a charity event to raise money for medical equipment.
  • Sending communications about a hospital trust’s fundraiser where the message is not directed at a named patient or service user. For example, it is addressed to a household but their personal data from the hospital system is used to select them.

If a message includes any promotional element which is not related to the task or function of the organisation, then the whole message will be considered direct marketing. Therefore, if you do want to send any promotional message which is not related to your task and function, you should send this separately to messages which are part of your task and function.

Data protection

In all cases, regardless of whether a communication is considered direct marketing or not, it is important to ensure that the UK GDPR and data protection legislation are complied with.

A patient or service user should not be surprised when contact is made or by the nature of the service. They should also be clear about how their information is being used and shared. This may be via:

  • transparency information or notices on your organisation’s website or on premises
  • information provided to the patient or service user when they first come into contact, or register, with your organisation or service
  • information provided to the patient or service user prior to attending the first session of the new service or offer, or upon arrival, for example, reading material given to the patient or service user

Transparency information should also make patients and service users aware of their right to object to the processing of their personal data. Where an individual objects to direct marketing, their data must not be further used or shared for that purpose.

You should also take into account any guidance issued by your registrant or professional body regarding the marketing and promotion of your services.

For help, advice or support, contact your information governance professional, or Caldicott Guardian. In social care settings that are unlikely to have Caldicott Guardians, you should contact senior staff who are on duty or on call.


Guidance for IG professionals

Privacy and Electronic Communications Regulations (PECR)

PECR sets out the rules for sending direct marketing messages by electronic means. The Data Protection Act 2018 definition of direct marketing covers any means of communication. However, PECR rules only apply to specific types of electronic communications. Examples of these are phone calls, emails, text messages, in-app messaging, push notifications. PECR requires consent only where direct marketing communications are sent by electronic mail. PECR does not apply to communications regarding an organisation’s task and functions.

Data Protection Act 2018/UK GDPR

The Data Protection Act 2018 defines direct marketing as:

“the communication (by whatever means) of advertising or marketing material which is directed to particular individuals.”

This includes promoting the aims or ideals of not-for-profit organisations. So it is important that health and care organisations understand what is and isn’t considered marketing in relation to services.

Communications which are not directed specifically at a person would not be seen as direct marketing, as they are not targeted at a particular individual. An example would be a leaflet drop of local homes advertising a new health or care service. However, material would still be considered to be direct marketing if an individual's personal data is processed as part of the process, even where their name is then removed from the resulting communication.

As a public authority, if your messages are necessary for your task or function, these messages are not direct marketing. You don’t need to comply with the marketing rules in PECR, although you will need to comply with UK GDPR.

If you cannot demonstrate that your communication to an individual is necessary for your task and function, it may be direct marketing. If this is the case, the PECR marketing rules apply as well as the UK GDPR.

If you are relying on consent to comply with PECR and UK GDPR in sending an electronic direct marketing message, that consent must meet the UK GDPR consent requirements. It must be informed, specific, freely given, and have an unambiguous indication of the person’s wishes. Consent must be as easy to withdraw as to give, and can be withdrawn at any time.

It is important to remember that the UK GDPR and data protection legislation will always apply to the processing of personal data. This is regardless of whether a communication is considered direct marketing. This includes ensuring that communications are fair and transparent and it is clear that individuals have the right to object.

Is there a right to object?

If a promotional message is classed as direct marketing, under the UK GDPR individuals have an absolute right to object to marketing. This means you must stop processing their data for this purpose. You may, however, keep a record of the objection on a suppression list of individuals who do not wish to receive direct marketing.

If direct marketing messages are being sent to an individual on the basis that they gave consent to receive these messages, it is important that individuals are given clear information about how they may withdraw their consent, unsubscribe or opt-out of marketing. An easy way to withdraw consent should be offered, for example, including a link in the body of an email. Direct marketing communications should not be sent to anyone who has opted out or withdrawn their consent.

Individuals can also object to messages sent by your organisation even where these are within your task and function. However, if you can demonstrate compelling legitimate grounds to continue sending the messages, you can do so provided you can explain the reasoning to the person who has objected. In most cases, it would be difficult to demonstrate compelling legitimate grounds which override the objection from the data subject. For example, health and care organisations should respect a person’s wish not to receive appointment reminders. However, in some narrow circumstances, compelling legitimate grounds may be demonstrated. For example, continuing to send public health messages relating to communicable disease critical to the safety of the population of a local area.

If you receive an objection request, you should usually respond to the individual within one month. See the ICO’s guidance on the right to object for further information.

Recruitment to research

The NHS and universities are public authorities. The NHS Constitution states that the NHS is required to conduct research. This is to improve the current and future health and care of the population. Similarly, university charters state that the purpose of the university is to advance education through teaching and research. Thus, the NHS and universities conduct research as part of their task and function. Messages necessary for undertaking that research, including to inform individuals of the opportunity to be involved in that research, are therefore not direct marketing.

In some circumstances, the NHS and universities may decide to rely on consent, rather than public task, under the UK GDPR. This would be to communicate with individuals regarding research opportunities, for example, in permission-to-contact research databases. Using UK GDPR-compliant consent does not, in and of itself, mean the activity is direct marketing. Where UK GDPR-compliant consent is relied on to send communication messages about research, the individual must be able to withdraw that consent at any time. Other rights under UK GDPR must also be met.

Messages from the NHS or universities about opportunities to participate in research are not direct marketing, so you don’t need to comply with the marketing rules in PECR. You must still comply with the UK GDPR and the common law duty of confidentiality. Health Research Authority (HRA) guidance sets out how to comply with the UK GDPR when processing personal data for research purposes. The guidance also provides information on meeting the common law duty of confidentiality.

The NHS and universities are expected to include information about the use of data in their corporate transparency information. NHS organisations are expected to link from their corporate information to the HRA’s information. This ensures that all NHS patients have access to consistent information about the use of their health records in research.

In some circumstances, public authorities may conduct research in partnership with other organisations which are not public authorities. For example, a hospital trust may be conducting research run by a pharmaceutical company. In these circumstances sending communications regarding the research fits with the hospital trust’s public task or function and is not direct marketing.

When a hospital trust sends messages to individuals about research, it supports the principle of data minimisation, which is important for UK GDPR compliance. This is because it avoids transferring data to other parties such as private organisations involved with the health and social care research. It is an important aspect of fairness that communications regarding opportunities to be involved in research conducted locally come from a trusted and expected source. Where other means of communication are used, then the consequences to these principles of data minimisation need to be considered.

The right to object to being contacted about research

The right to object to direct marketing is absolute. Informing people about the opportunity to participate in research is not direct marketing but organisations are unlikely to have compelling legitimate grounds to continue sending the messages. People should therefore be given the opportunity to object to communications that inform them of the opportunity to be involved in health and social care research.

Further information on the right to object is available from the ICO. It is important to note that the right to object to being contacted about research is distinct from how the right to object under the UK GDPR applies when someone is participating in research. HRA guidance sets out how the right to object is limited when processing personal data for individuals participating in research.

You should consider the choices people have about being contacted regarding opportunities to take part in research. Where the contacting of potential participants relies on consent, for example, in a permission-to-contact database, clear opportunities to withdraw from the register should be provided. It should be noted that where individuals have given explicit consent, it should be clear that this consent would overrule any national data opt-out or other opt-out only in relation to the data and purpose of the consent.

Where the contact relies on s251 support, the national data opt-out will be applied. You should also consider whether further steps are necessary. For example, targeted communications through a medical charity website relating to the research which remind the targeted population of their choices.

Safeguards in research communication

Direct communication about any research projects which seek to involve potential research participants identified in the context of, or in connection with, their past or present use of NHS and adult social care services (including participants recruited through these services as healthy volunteers) will require a favourable NHS Research Ethics Committee (REC) opinion. This will include communications about all specific research projects that involve collection of information or tissue from any past or present users of NHS and adult social care.

It is a requirement of a favourable REC opinion that such communications are not promotional in nature. Guidance within the Integrated Research Application System (IRAS) states that recruitment material should be restrained in tone, and that care should be taken not to over-emphasise potential benefits or make other inducements.

Case studies

All case studies assume that the above requirements have been met and that wider compliance with data protection and the duty of confidentiality has been applied, for example, ensuring transparency.

Invites for screening

A GP practice notices a decline in the uptake of cervical screening during the COVID-19 pandemic. A text is sent via an automated system to all women who are eligible, and overdue, for screening. This would not be considered direct marketing because it is a service message so part of the GP practice’s task and function.

Invites and reminders for vaccines

A GP practice is giving COVID-19 vaccines to patients in the local area. This includes vaccines to patients who are not directly registered at the GP practice. Local practices should have informed their own patient cohort of the COVID-19 vaccine rollout and how this might work, such as going to another local GP surgery to receive the vaccine. The text informing them of the rollout and how to get involved will look like it has come from their registered GP practice.

For patients who are eligible but do not take up the vaccine offer at that point, reminders will be sent from a national system, inviting them to book a vaccine appointment. These texts are not direct marketing, regardless of whether they come from the GP or national system, because the invite relates to individual care.

Seeking feedback from patients and service users

A hospital trust uses the Friends and Family Test (FFT) to seek feedback on its orthopaedics clinic. It sends a text to all patients that have attended an appointment, or been discharged, asking them for their overall feedback on their experience of the clinic. It also asks them if they would recommend the clinic to their friends and family. The aim is to improve services where necessary, and the feedback will be used by the hospital to make information available about its services, including the percentage score of those people who would recommend them. These messages are not direct marketing because they seek feedback on how to improve care services that a patient has received. Genuine market research is not considered direct marketing.

Raising awareness of new clinics

A new smoking cessation clinic has been set up by the public health team at the local authority. The team wants to prioritise patients that would benefit most from the clinic. The team has a list of qualifying criteria, for example, patients living in a particular postcode with certain conditions who have tried and failed in the past to stop smoking.

The team asks local GP practices to identify patients registered with them that meet the criteria, raise awareness of the new clinic, and inform patients how to join. The GP can identify suitable patients from their list and contact them as requested. This is not direct marketing because the purpose aligns with the GP’s task and functions. The patient would also have a reasonable expectation that, due to their health conditions, the GP may contact them to inform them about a new service that they may benefit from.

The public health team can provide information materials for GP practice waiting rooms or information for their website to advertise the new clinic. This is not direct marketing because the materials are not directly aimed at an individual person but at anyone that sees them and who subsequently makes contact.

Patient Participation Group

The Patient Participation Group (PPG) of a GP practice wants to support improvements to the services. It designs a survey to send to the registered patients. A link to the survey is sent by the GP practice to the registered patients. This is not direct marketing because it relates to service improvement, which is part of the GP practice’s task and function.

Market research for new GP clinic

A GP practice emails its registered patients to ask them to complete a survey. The survey asks if they are likely to take up an offer of a COVID vaccine, in order for the GP practice to set up a clinic. As this is genuine market research, it would not be considered direct marketing.

Care home and iPads

A care home needs to quickly stop loved ones visiting its residents due to the COVID-19 pandemic. iPads arrived at the care home that day to allow residents to talk to their loved ones.

The care home sends a text to everyone on its contact list, to update them on the change and let them know the good news about the iPads. This is not seen as direct marketing because the care home is informing its residents’ contacts that there is a change in service/operational delivery, so it’s a service message.

However, if the care home was also using this communication as an opportunity to tell relatives they could buy an iPad from them this would be considered direct marketing. This is because alongside the communication about the change in service/operational delivery, they are potentially looking to make a commercial sale or profit. This would be an incompatible purpose to the aim of the care home.

Social prescribing and health and wellbeing offers

In some cases, it may be clinically appropriate for a patient to be prescribed a 6-month membership to a local gym.

A GP referred a patient to a gym for six months following a consultation to discuss this. This was not direct marketing because the activity relates to the patient’s health or care needs. It was another way of helping to treat a particular condition (in the same way a drug may be prescribed).

To increase membership numbers, the gym also contacts local GP practices to inform them of their presence, and to offer a free session and discounted rates to those who might clinically benefit. It approaches the GP practice, and asks if they would be willing to text patients letting them know about this deal. This would be considered direct marketing so it would not be appropriate to send the texts without the consent of patients.

Research: example 1

A research project is set up in which GP practices and ambulance trusts are study sites in a study run by a university.

The study sites seek to communicate with NHS patients to tell them about research relating to their recent care episode. In this study, patients are contacted by telephone by the GP practices and the ambulance trusts, who provide information about the study so the individual can decide whether they want to take part. The trust, GP practice and the university conduct research as part of their task and function. Therefore, the GP practices and ambulance trusts can contact people whose details they hold by telephone, where this is necessary for undertaking that research and this is not direct marketing.

Research: example 2

An NHS hospital trust is a site for a clinical trial which is run by a pharmaceutical company. The study site seeks to communicate with NHS patients, and healthy volunteers, to tell them about research into a new blood test to detect cancer, so they can decide if they want to take part. The local trust site sends emails to potential participants informing them about the study, so they can decide if they want to take part. The hospital trust is required to conduct research as part of its task and function. Therefore, they can contact people by email where this is necessary for undertaking that research and this is not direct marketing.

Additional safeguards in research

Clinical trials recruiting NHS patients require NHS REC review. When researchers apply for NHS REC review, the transcript that will be used in a telephone call, or the template for an email that will be sent to communicate information about the trial to eligible participants is reviewed. The REC review specifically considers the approach and materials to be used to inform people about the research. This is to ensure that the communication about the research comes from a trusted and expected source. The REC also checks that it is restrained in tone and does not over-emphasise potential benefits or make other inducements. Research taking place through NHS organisations is also reviewed through HRA and HCRW approval, which assesses the compliance of the study with UK GDPR, and information governance requirements, on behalf of each NHS organisation.
