Steps Along The Way Ltd
Legitimate Interests Assessment

Author(s)
Guy Collins - Web Developer

Date
29/01/2024

Context
Processing UK teacher at school data for B2B marketing purposes.

Background

Trading and Organisation

Steps Along The Way Ltd has been trading for 6 years. We have 6 employees. We have supported over 1500 clients.

Description of activities

Motional was founded in 2017 in response to the growing need to provide more accessible tools and support for time-pressured educators to better support the Emotional Wellbeing & Mental Health of the young people in their care.

At Motional, our mission is simple – to positively impact all children by helping schools implement a Whole School Approach to Emotional Wellbeing & Mental Health.

A) Identifying a Legitimate Interest

Article 6(1) f of the GDPR states:

“Processing shall be lawful only if and to the extent that at least one of the following applies: (…)

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child…”

So, in order for us to rely on the grounds of legitimate interest to legally process personal data we need to ensure that the interests or fundamental rights and freedoms of the data subject are not out-weighed by our legitimate interest in processing their personal data. We also need to consider the “reasonable expectations” of the individual, based on their relationship with us when making the assessment.

1. The Processing Operation

The processing operation that relates to the GDPR definition of personal data entails the collection and storage (primary processing) of these pieces of data of UK school staff:

• First Name
• Last Name
• Job Role(s)
• School email address (e.g. firstname.lastname@school.org)
• School Name
• School Postcode
  

and then the use of this data to broadcast educational information and marketing messages (secondary processing).

Whilst we absolutely accept that these pieces of data are considered ‘personal’ data under the GDPR, as they were under the current Data Protection Act, it is worth mentioning at this early stage that under the current e-Privacy Directive in terms of marketing, the schools who provide their teachers with the email service are considered corporate subscribers because schools are businesses and/or government organisations. The Information Commissioners Officer has published a Direct Marketing Guide (Direct marketing 20180306 Version: 2.3) which clearly states:

“Business-to-business texts and emails

142. These rules on consent, the soft opt-in and the right to opt out do not apply to electronic marketing messages sent to ‘corporate subscribers’ which means companies and other corporate bodies e.g. limited liability partnerships, Scottish partnerships, and government bodies. The only requirement is that the sender must identify itself and provide contact details.” (Direct marketing 20180306 Version: 2.3 page 44, point 142)

145. In addition, many employees have personal corporate email addresses (e.g. firstname.lastname@org.co.uk), and individual employees will have a right under section 11 of the DPA to stop any marketing being sent to that type of email address.”

Our processing of this data falls into two main types of processing – primary processing and secondary processing.

Primary Processing (Collection and Storage)

The data was, and is, collected from:

• Lead generation forms on our Website (explicit consent given)
• Teachers we have met at shows and events, who have given their consent.
• Campus / Sprint Education data.
• Account users of Motional.

Our data is stored within the Campus / Sprint Education CRM or Mailcoach email CRM.

With every electronic communication we send we include a footer with a link to our Privacy Notice which informs them that their data has been collected and why.

Secondary Processing

This data is then used for our marketing campaigns.

Email Marketing and Information Campaigns

In relation to email marketing campaigns, the recipients are selected based on their role of responsibility, school type, and location of the school, and their at-school emails.

The emails are uploaded to our secure broadcasting platform Campus from where the email is broadcasted. Sometimes we add the individual’s name to the email subject or body to increase engagement. New users of the Motional platform are uploaded to the MailCoach platform - this data is used to educate or promote new features that might be useful for enhancing use and impact of using the Motional platform.

Suppression

Clicking unsubscribe, will add the user to a suppression list, to not be included in future email marketing campaigns.

2. The Purposes of the Processing Operation

The processing operation is required to achieve a number of lawful business objectives and the processing operation centres around holding a comprehensive and up-to-date database of schools and UK school staff to enable us:

To send relevant marketing and communication notices to the schools and school staff (corporate subscribers) by email sometimes to the school generic address personalised with the teacher names, e.g. admin@school.org F.A.O John Smith and sometimes to the teacher’s at-work school email account.

AND/OR

To log email opens and clicks against teacher emails that fulfil that criteria.

AND/OR

Some personal data is held in suppression lists when a school staff member requests to stop receiving our communications. This is to ensure we are meeting our obligations under the current Data Protection Act, ePrivacy Directive, and GDPR. We use the suppression lists to check if the individual is registered on them before contacting them.

3. Processing for Specific Organisational Objectives

The processing is necessary to meet our core organisational objective. Without the processing the following would not be achievable:

Provide schools with knowledge and a potential cost-effective platform to implement a Whole School Approach, with the aim of positively impacting all children's Emotional Wellbeing & Mental Health.

5. Processing In Line With the GDPR, ePrivacy Directive, and Other National Legislation

The processing is in line with the GDPR, ePrivacy Directive, and other national legislation. The purpose really distils down to the ability to process data subjects’ at-work personal data to allow the administration of educational information and direct marketing. The GDPR clearly states that:

 “… The processing of personal data for direct marketing purposes may be regarded as carried out for legitimate interest.” (The GDPR http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN Recital 47)

We must ensure that the interests and the fundamental rights and freedoms of the data subjects are not overridden by the legitimate interest of us, the data controller, and we take into consideration the reasonable expectations of the data subjects, and their relationship with us.

“The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.” (The GDPR http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN Recital 47)

Furthermore, the current ePrivacy Directive states that, via corporate subscribers, teachers may be emailed without consent, and the ICO recommends that an opt out is provided in each email, and that individual employees, whose business email address incorporates personal data (e.g. fistname.lastname@company.co.uk) must be able to exercise their individual opt-out rights.  Emails must also identify us, and contain our contact details.

And finally, it is perfectly legal to post marketing and information to corporate subscribers.

So, it is reasonable to say that we have a legitimate interest under the GDPR to process school staff at-work data for marketing purposes to fulfil an activity (marketing to corporate subscribers) that the current ePrivacy Directive states as legitimate and legal too.

Bearing in mind all of the above it is necessary for us to conduct tests and document the following, in order that we demonstrate compliance and ensure transparency:

• A necessity test which will explore why the processing of school staff at-work data is important to us, and whether there is an alternative way of achieving the objectives.
• A balancing test where our legitimate interests are examined and compared to the interests and fundamental rights and freedoms of the data subjects.
• Further implemented safeguards that we place on the data.

B) The Necessity Test

This is where we’ll explore why the processing of school staff at-work data is important to us, and how ‘necessary’ it is we use legitimate interest as the legal ground for processing personal data.

1. Why the Processing Activity is Important to us

The processing activity is important to us, the controller, on a number of levels:

It provides us with a nucleus by which we trade; our employees’ livelihoods rely on it; it enables us to meet our organisational objectives, both business-critical and elective; there is an important element of public interest in what we do (school budgets are mostly public funded).

3. Alternative Ways of Achieving the Objectives and Why Legitimate Interest Has Been Chosen as the Lawful Method for Processing

Under the GDPR there are six lawful methods one can use to legally process personal data. They are:

“1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

(The GDPR -
http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN Article 6.1(a-f).

6.1 (b, c, d, e) are written off immediately as they are not appropriate.

Regarding 6.1 (a)

There are two strands to the discussion around why we don’t consider consent as a valid alternative to legitimate interest. Firstly, we would find it incredibly hard to meet the standard for consent and we believe that we have a compelling reason to rely on legitimate interest as our basis for lawful processing.

In the ICO’s Draft GDPR Consent Guidance they discuss alternatives to consent and they state:

“Private-sector organisations will often be able to consider the ‘legitimate interests’ basis in Article 6(1)(f) if they find it hard to meet the standard for consent and no other specific basis applies…”

(Consultation: GDPR consent guidance (The Information Commissioner’s Office) page 16).

If we were to seek the explicit consent of every school staff member to include them in our database it could obliterate the database with many school staff members simply not opting in, not because they object to what we do, but simply because it requires them to perform an affirmative action to do so. Teachers are already busy people and to require them to tick more boxes could be considered an unreasonable expectation. The general public already have a negative opinion of marketing, and teachers will very often not realise how valuable and integral to the education system our communications are until they have actually received them. Also, trying to achieve opt in via postal marketing would be incredibly expensive [(we simply couldn’t afford to do it)]; there is a huge disconnect between hard-copy calls-to-action in front of a teacher on their desk and then them taking the time to visit a specific URL and provide consent digitally. It’s simply too onerous.  

It should be noted that we have not received a single serious complaint (either official or unofficial) from any school staff member and in that light we consider the effort to obtain unambiguous opt in consent (the only other potential legal method of the six that could be appropriate) to be disproportionate, expensive, and could lead to a huge loss of business. There is a precedent that school staff are used to receiving information from us.

It is important to note that many of our data subjects have already made their at school data available in the public domain. In some cases they have done this voluntarily (for state schools, if they are not considered ‘key personnel’ and for private schools generally), and others (‘key personnel’), are legally obliged to make their personal data available to the public because, for state schools, the establishment they work at is a public authority. The Freedom of Information Act means each state school must produce a publication scheme, which outlines the information they must make routinely available to the public. This is because it is in the public interest because these people hold and spend public money.

The Information Commissioner’s Office released a series of documents to state schools surrounding the Freedom of Information Act 2000 called ‘Definition document for the governing bodies of maintained and other state-funded schools in England/Wales/’ Version 3 20130822’. It clearly states that the state school must publish:

“The address, telephone number, email address and website for the school together with the names of key personnel.”

https://ico.org.uk/media/for-organisations/documents/1235/definition-document-schools-in-england.pdf, page 3

https://ico.org.uk/media/for-organisations/documents/1236/definition-document-schools-in-northern-ireland.pdf, page 3

https://ico.org.uk/media/for-organisations/documents/1240/definition-document-schools-in-wales.pdf, page 3

and regarding Higher Education Colleges:

“If possible, named contacts should be given in addition to contact phone numbers and email addresses, via the college.”

https://ico.org.uk/media/for-organisations/documents/1131/definition-document-colleges-of-further-education.pdf, page 3

Other schools like independent schools voluntarily make their information available and it might therefore be assumed that schools publish the contact details of individual members of staff in some part to allow them to directly receive information during their working day.

Furthermore the ICO states that schools must differentiate between personal information that individuals would expect to be treated as private and confidential (whether or not legally classified as sensitive personal data) and personal data information they can make freely available. They use an example of the head teacher’s identity as personal information that everyone would expect to be made publicly available (which we do process). However, the head’s home phone number would usually be regarded as private information [(which we do not process)].

“You also need to differentiate between personal information that individuals would expect to be treated as private or confidential (whether or not legally classified as sensitive personal data) and personal information you can make freely available.  

Example: the head teacher’s identity is personal information but everyone would expect it to be publicly available. However, the head’s home phone number would usually be regarded as private information.”

Report on the data protection guidance we gave schools in 2012 (Information Commissioner’s Office https://ico.org.uk/media/for-organisations/documents/1132/report_dp_guidance_for_schools.pdf, page 4

C) The Balancing Test

It is our legal responsibility to conduct a balancing test where our legitimate interests are examined and compared to the interests and fundamental rights and freedoms of our data subjects. In order for us to rely on the legitimate interest ground for legally processing the data we will need an outcome (covered in section E of this assessment) that shows that our legitimate interests do not outweigh the interests, fundamental rights, and freedoms of the data subjects.

1. Would the individual expect the processing activity to take place?

There are a number of factors to consider when ascertaining if the school staff would expect the processing activity to take place:

Information and marketing materials relating to their job, at their place of work

It is perfectly reasonable to expect to receive information about your job, whether that is information about the job itself, or whether it is about products and services that relate wholly to your job, at your place of work, either through the post, or to your work email account.

The data is already publicly available

School staff know that their data is already published in the public domain on their school website (as a legal requirement in most cases for state schools) and on government databases and so to expect to receive information from organisations and people that want to contact them is a reasonable expectation.

State school teachers are public servants

State school staff understand that they are public servants who are in charge of budgets, paid for by the UK tax payer, that are to be spent on products, services, and resources that broaden the educational experience of their pupils, and help raise teaching and learning standards, and ultimately the capabilities of the UK population. To receive information in line with this which may help them spend that money more effectively is reasonable and useful.

An unworkable alternative

School staff are aware that the alternative to receiving information about their job role at work is for all that information to be sent to the school office (the legal person) where it would then need to be disseminated by a single person or group of people – a time-costly exercise that has been the bane of the school office for years. School staff would not want to have to revisit this unworkable situation.

A responsible approach

We have been sending relevant information to school staff and schools for over 5 years now and have not ever received a single serious complaint - this is due to the strict adherence to marketing best practices that we employ. If a teacher requests to be unsubscribed it is done instantly (despite the ICO stating that they expect it to be done within 28 days of receiving the objection for direct marketing (e.g. email) and within two months for postal communications.

Direct marketing 20180306 Version: 2.3 page 8, point 12

2. Is the processing likely to negatively impact the individual’s rights?

We take the rights of individuals incredibly seriously and we do no processing that negatively impacts any individual’s rights. We do not process any sensitive data (or ‘special data’ as it called by the GDPR). The GDPR classes ‘sensitive data’ as:

“… racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation…”

The GDPR http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN Article 9.1 (Processing of special categories of personal data)

Furthermore the messages we deliver to the individual would never negatively affect their rights. We simply broadcast information about education, and the marketing of our educational products and services.

3. Is the processing likely to result in unwarranted harm or distress to the individual?

The processing will not result in unwarranted harm or distress to the individual, the data is not of a sensitive nature and the data is already published in the public domain. In addition, the individual has the option to unsubscribe.

4. Would there be a prejudice to the Data Controller if processing does not happen?

If the processing was not able to happen then our business would cease to exist in its current form and consequently our 6 members of staff would have their livelihoods put at great risk.

5. Is the processing in the interests of the individual whose personal data it relates to?

Yes, we believe the process to be in the interests of the school staff as the information we broadcast enables them to improve the Emotional Wellbeing & Mental Health of their students.

6. Are the legitimate interests of the individual aligned with the party looking to rely on their legitimate interests for the processing?

In many ways the legitimate interests of the individuals are certainly aligned with ours – we are both, in part, working towards a better education system whereby schools have access to the best quality and value educational products and services they need to help run their school and improve teaching and learning; especially considering in doing so they are spending public money, in most cases.

Therefore we believe that the processing is to the benefit of both the individual, and to society on the whole.

7. What is the nature of the data to be processed? Does data of this nature have any special protections under GDPR?

The nature of the personal data we process is non-sensitive.

8. Would the processing limit or undermine the rights of individuals?

The processing doesn’t limit or undermine the rights of the individuals. There are enough compensating controls in place to ensure that the rights of school staff are more than adequately protected. They are given the opportunity to opt out from every communication we send them.

We process no sensitive data, nor do we process any ‘at-home’ data, meaning the data subject’s right to privacy at home is not breached. Currently, under law, schools are considered corporate subscribers so it is perfectly legal to send marketing to teachers without their consent.

9. Has the personal information been obtained directly from the individual, or obtained indirectly?

The information is obtained by lead generation forms on our website and from Campus / Sprint Media school data.

The GDPR does not preclude us from gathering the data in this way and indeed it outlines the responsibilities of the data controller if this approach is taken in Article 14, which we adhere to.

We are obliged to send the individual a data collection and fair processing notice in which we identity who we are, and how we can be contacted; why we are processing the data, and our legal basis for doing so; what data we are processing; how long the data will not be stored for; what our legitimate interests are; that the individual may request that we erase their personal data and withdraw their consent at any time; that the individual may lodge a complaint with the ICO if they feel our processing is unlawful; and from where we obtained the data.

10. Is there any imbalance in who holds the power between the organisation and the individual?

Because the relationship between us and the individuals is non-commercial there is no imbalance in who holds the power between us and them. Other than providing the individual’s relevant information about our product, there is no power on either side. It should also be noted that the individuals do have a choice regarding the processing of their personal information.

11. Is it likely that the individual may expect their information to be used for this purpose?

It is very likely that the individual would expect to receive information about educational issues, and products and services that is pertinent to their job role at their place of work. If any individual does not expect their information to be used for the purposes outlined they are able to opt out of the processing at any point going forward as links are provided in each and every email we send to them going forward.

12. Could the processing be considered intrusive or inappropriate? In particular, could it be perceived as such by the individual or in the context of the relationship?

It is unlikely that our data processing would be considered intrusive by any reasonable individual. To be intrusive it would need to cause disruption or annoyance and the data processing we undertake is unlikely to do either of these things. It is worth briefly exploring the concept of ‘disruption’ and ‘annoyance’ – the messages that we broadcast to teachers are either postal or email, neither of which disrupt the teacher’s day as opposed to other disruptive messages they may receive from different platforms like telephone calls during teaching time, marketing text messages, push notifications from social media, and also fax marketing (which actually costs the school money as they need to supply the paper and ink to print the marketing). From a school’s point of view, on a scale of disruptiveness, these are considered at the serious end of the scale whereas at the other end of that scale the school staff can engage with the messages we send them on their own terms, and in their own time, and of course choose not to engage with them at all if they so wish; by disposing of the post, deleting the unread email, or marking it as junk, as well as, of course, opting out.

Regarding the concept of ‘annoyance’, whilst we accept that some people do find marketing annoying this is not a reaction we have found from our data subjects. We also ensure that the communications we send are incredibly relevant to the data subjects as well as giving them the opportunity to opt out with every piece of communication we send.

13. Is a fair processing notice provided to the individual, if so, how? Are they sufficiently clear and up front regarding the purposes of the processing?

Our Data Collection and Fair Processing Notice is linked to from our Privacy Policy, available on each and every email the individual receives from us.

16. Can the individual, whose data is being processed, control the processing activity or object to it easily?

The individuals can control the processing activity and object to it very easily. They are able to opt out of the processing by clicking on the link contained in every email they receive from us going forward.

17. Can the scope of the processing be modified to reduce/mitigate any underlying privacy risks or harms?

The processing we do is limited to just what is absolutely necessary. No processing at all occurs that isn’t outlined in this document.

We have identified no serious privacy risks or harms in the scope of the processing.

D) Safeguards and Compensating Controls

Very few safeguarding and compensating controls are actually needed. We only process very basic personal at-work data. Most of the compensating controls that are implemented are a legal requirement under the GDPR e.g. providing the data subject a data collection notice when their data is collected, and honouring their right to object to the processing, and to opt out.

Data security is paramount to us and regarding the safeguarding controls we implement from a data security point of view, as mentioned above, we store it within the Campus or Mailchoach platforms.

E) Outcome of the Assessment

Does Steps Along The Way Ltd Have a Legitimate Interest to Process School Staff At-Work Data?

The outcome of this assessment is that Steps Along The Way Ltd possesses an incredibly compelling legitimate interest to process the following personal at-work data of school staff:

• First Name
• Last Name
• Job Role(s)
• School email address (e.g. firstname.lastname@school.org)
• School Name
• School Postcode

We have outlined several business-critical, and non-business critical, lawful, business objectives.

We have outlined why the processing is important to not only us but have also highlighted a broader public interest in that public money is spent wisely and effectively by schools. We have also explored how our legitimate interests align with the schools themselves in helping them reduce the administrative burden associated with the dissemination of information and marketing from one central point and explained why it is much less of an administrative burden if the information goes straight to the relevant person.

We have also considered the other five grounds through which we could lawfully process personal data and have written some of them off as immediately inappropriate, but also we’ve articulated why consent, for example, is not a ground we could realistically rely on.  

Concurrently we have examined our current legal basis for what we do under the current ePrivacy Directive, which is also backed up by the ICO’s guidance on direct marketing, which states that it is legitimate to send information and marketing to school staff members without consent, as they are considered corporate subscribers. In order for us to be able to continue to perform this legal activity there is a legitimate need to ‘process’ it.

Are Steps Along The Way Ltd’s Legitimate Interests Outweighed by the Interests, Rights and Freedoms of the Data Subjects?

We have conducted a thorough balancing test where we have examined the interests, rights and freedoms of the data subjects and balanced them against our legitimate interests. We have concluded that our legitimate interests are not outweighed by the interests, rights and freedoms of the data subjects.

We possess a very strong legitimate interest as already described and do not process any personal data that is considered ‘special’ or ‘sensitive’. The data we do process is already in the public domain. We have been careful to ensure we do not undermine the rights of the data subject by providing them with a Data Collection and Fair Processing Notice. The data subjects can easily object to, or opt out of, our processing which, if they do their data is suppressed or deleted immediately with no questions. Finally the processing we do is as non intrusive as possible and takes into account their job role and the age range they teach. We have also examined the likelihood of them expecting the processing to take place, how it benefits them and the educational sector as a whole, and also how their legitimate interests align, in many ways, with ours.