Royal Mail Consultation: Changes to Postal Schemes to reflect new data protection legislation

Transcription

1 Royal Mail Consultation: Changes to Postal Schemes to reflect new data protection legislation Published: 27 February 2018 Responses required by: 26 March 2018

2 Summary 1. Postal Schemes set out the terms and conditions for consumers and business customers who use Royal Mail s services but do not hold an individual contract with Royal Mail. This includes customers who use stamps, on-line postage, franking meters or some credit accounts to pay for our services Under Section 89 of the Postal Services Act 2000 (as amended) (the 'Act'), Royal Mail can create Schemes. Before making any changes to the Schemes, we formally consult our customers and all relevant stakeholders With this document, we are proposing a change to reflect new data protection legislation - the EU General Data Protection Regulation (GDPR) - in the Schemes. 3 The new requirements come into force on 25 May 2018 in the UK. This change affects the following schemes: UK Post Scheme January 2017 (the 'UK Scheme'), Overseas Letter Post Scheme January 2017 (the 'Overseas Scheme'), Franking Letters and Parcels Scheme 2017 (the 'Franking Scheme'). 4. In terms of next steps, this consultation will close on 26 March We will evaluate all responses before we finalise our decision. One month prior to the new Schemes becoming live, we will publish them in the London, Edinburgh and Belfast Gazettes. 4 We intend for the new Schemes to go live in May Introduction 5. Certain Royal Mail products or services have the charges, terms and conditions detailed in documents called Schemes. These Schemes are published under the Postal Services Act 2000 and mean that it is not necessary for Royal Mail to have individual contracts with each and every customer purchasing these products or using these services. 6. Occasionally, we need to update our Schemes. Changes can result from reforms to Royal Mail policies and procedures, rules governing the safe transit of items, the introduction of new products and services, as well as changes to national and international legislation. 7. In this consultation, we are proposing a change to the Schemes to reflect new data protection legislation. The new legislation enhances individuals rights with regards to their personal data and is also designed to harmonise data privacy laws across Europe amongst other things. Proposed Change 8. Royal Mail takes the protection of our customers personal data very seriously. We already have a range of measures in place to achieve this, including storing data in a secure 1 All Postal Schemes are available here: 2 Royal Mail is undertaking this consultation in accordance with the requirements set by our regulator, Ofcom. We are required to notify Ofcom of the proposed changes to the Schemes under Section 89A (1) of the Act. Ofcom does not approve the Schemes, but they do have the power under Section 89A of the Act to direct us to modify them. 3 The UK currently relies on the Data Protection Directive 95/46/EC, implemented in the UK under the Data Protection Act GDPR replaces the Data Protection Act For further information, see here: 2

3 manner. We are also required to ensure that any personal data held is relevant and obtained lawfully. 9. On 25 May 2018, new legislation comes into force in the UK. This new legislation is the EU General Data Protection Regulation (GDPR). 5 It provides people more say over what companies can do with their data. This includes, amongst others, the right to be forgotten, which enables an individual to request the deletion or removal of personal data. It is also designed to harmonise data privacy laws across Europe and to protect all EU citizens data privacy. Tougher fines have been introduced for non-compliance and breaches. For businesses like Royal Mail Group, handling and storing customer data on our systems means we must be compliant with the regulations, both current and future. 10. We believe that this new legislation, designed to protect the rights of our customers, needs to be reflected in the Schemes. We therefore propose to add new text into each Scheme to make it clear to our customers that where they provide Royal Mail with personal data, we will process that personal data in accordance with the new data protection legislation. The proposed legal text for the UK Scheme is set out below. The proposed legal text for both the Franking and Overseas Schemes is available in Annex A. UK Scheme Legal text Your information Where we supply services to you under this Scheme, we are the controller of the personal data we process in providing services to you. Where you supply personal data to us so we can provide services to you, and we process that personal data in the course of providing services to you, both you and we will comply with our obligations imposed by the Data Protection Legislation and you will not cause us to contravene the Data Protection Legislation. Where you have provided the personal data of a third party to us, you warrant that you have lawful grounds, such as their consent, to do so and that we are entitled to process that personal data to provide services. From time to time we may be obliged by our Regulator to provide it with certain information about you, including your name and address. Further information about how we use your personal data is set out in our Privacy Policy at Please read this Privacy Policy carefully. The terms "personal data", "controller", "processing" and "supervisory authority" shall all have the same meaning as in the Data Protection Legislation and the term "process" shall be construed accordingly. Data Protection Legislation means (1) the Data Protection Act 1998; the Data Protection Directive (95/46/EC) and the Privacy and Electronic Communications Directive (2002/58/EC); (2) after 25 May 2018, Regulation (EU) 2016/679 of the European Parliament And Of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (3) any guidance, directions, determinations, codes of practice, orders, notices or demands issued by any competent supervisory authority or other competent authority, any other applicable data protection laws or regulations and judgments of any court of law, tribunal or regulatory body as amended, extended, re-enacted or replaced from time to time, and (4) the Regulation on Privacy and Electronic Communications, when in force. 5 The UK currently relies on the Data Protection Directive 95/46/EC, implemented in the UK under the Data Protection Act GDPR replaces the Data Protection Act

4 11. The legislation provides better protection and clarity for our customers and we therefore believe this change is fair and reasonable. We do not anticipate any customer detriment to come from this addition to the Schemes. Consultation question 12. We are interested in the views of stakeholders on whether you consider the proposed changes to each Scheme are fair and reasonable? If not, please explain why. Next steps 13. Stakeholders are asked to respond by 26 March Responses should be made by post or by to: James Fletcher Royal Mail 100 Victoria Embankment London EC4Y 0HQ address - James.Fletcher@RoyalMail.com 14. Please provide a completed cover sheet with the response available in Annex B. We may publish responses, in full, or in part on our website. If you would like your response or parts of your response to remain confidential, please indicate this on the cover sheet. 15. Following the conclusion of this consultation, we will evaluate all responses before we reach a final decision on the changes. We will give one month notice by publishing in the London, Edinburgh and Belfast Gazettes. We aim for the new Schemes to take effect in May This will take the form of a formal notification 6 to Ofcom and Consumer Advocacy Bodies and publication of that notification on our website. Finally, we will make relevant changes to literature and websites as we consider necessary. 6 Made under Designated Universal Service Provider (DUSP) Regulatory Condition

5 Annex A This annex contains the proposed legal text for both the Franking and Overseas Schemes. Franking Scheme Your information In providing a Licence to a User, under this Scheme, Royal Mail is the controller of the personal data that Royal Mail processes in providing the Licence. Where a User supplies personal data to Royal Mail so that Royal Mail can provide the Licence to the User, and Royal Mail processes that personal data in the course of providing the Licence to the User, both the User and Royal Mail will comply with their respective obligations imposed by the Data Protection Legislation and the User will not cause Royal Mail to contravene the Data Protection Legislation. Where the User has provided the personal data of a third party to Royal Mail, the User warrants that the User has lawful grounds, such as the third party s consent, to do so and that Royal Mail is entitled to process that personal data to provide the Licence. From time to time Royal Mail may be obliged by its Regulator to provide the Regulator with certain information about the User, including the User s name and address. Further information about how Royal Mail may use a User s personal data is set out in the Royal Mail Privacy Policy at Please read this Privacy Policy carefully. The terms "personal data", "controller", "processing" and "supervisory authority" shall all have the same meaning as in the Data Protection Legislation and the term "process" shall be construed accordingly. Data Protection Legislation means (1) the Data Protection Act 1998; the Data Protection Directive (95/46/EC) and the Privacy and Electronic Communications Directive (2002/58/EC); (2) after 25 May 2018, Regulation (EU) 2016/679 of the European Parliament And Of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (3) any guidance, directions, determinations, codes of practice, orders, notices or demands issued by any competent supervisory authority or other competent authority, any other applicable data protection laws or regulations and judgments of any court of law, tribunal or regulatory body as amended, extended, re-enacted or replaced from time to time, and (4) the Regulation on Privacy and Electronic Communications, when in force. Overseas Scheme Your information Where we supply services to you under this Scheme, we are the controller of the personal data we process in providing services to you. Where you supply personal data to us so we can provide services to you, and we process that personal data in the course of providing services to you, both you and we will comply with our obligations imposed by the Data Protection Legislation and you will not cause us to contravene the Data Protection Legislation. Where you have provided the personal data of a third party to us, you warrant that you have lawful grounds, such as their consent, to do so and that we are entitled to process that personal data to provide services. 5

6 From time to time we may be obliged by our Regulator to provide it with certain information about you, including your name and address. Further information about how we use your personal data is set out in our Privacy Policy at Please read this Privacy Policy carefully. The terms "personal data", "controller", "processing" and "supervisory authority" shall all have the same meaning as in the Data Protection Legislation and the term "process" shall be construed accordingly. Data Protection Legislation means (1) the Data Protection Act 1998; the Data Protection Directive (95/46/EC) and the Privacy and Electronic Communications Directive (2002/58/EC); (2) after 25 May 2018, Regulation (EU) 2016/679 of the European Parliament And Of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (3) any guidance, directions, determinations, codes of practice, orders, notices or demands issued by any competent supervisory authority or other competent authority, any other applicable data protection laws or regulations and judgments of any court of law, tribunal or regulatory body as amended, extended, re-enacted or replaced from time to time, and (4) the Regulation on Privacy and Electronic Communications, when in force. 6

7 Annex B Cover sheet for response to a Royal Mail consultation. BASIC DETAILS Consultation title: Changes to Postal Schemes to reflect new data protection legislation Name of respondent: Representing (self or organisation/s): Address (if not received by ): CONFIDENTIALITY Please tick below what part of your response you consider is confidential, giving your reasons why Your name Your job title Your Organisation Your whole response Part of your response If there is no separate confidential annex, which parts?. If you want part of your response, your name or your organisation not to be published, can Royal Mail still publish a reference to the contents of your response (including, for any confidential parts, a general summary that does not disclose the specific information or enable you to be identified)? YES/NO (please delete as appropriate) DECLARATION I confirm that the correspondence supplied with this cover sheet is a formal consultation response that Royal Mail can publish, subject to any declaration in the confidentiality section. If I have sent my response by , Royal Mail can disregard any standard text about not disclosing contents and attachments. Royal Mail may like to publish responses for the purposes of transparency. If your response is non-confidential (in whole or in part) and you are happy for us to publish your response once the consultation has ended, please tick here. Name: Signed (if hard copy): Date: 7