Ensuring practice text messages do not breach PECR and GDPR legislation

In addition to the Data Protection Act 2018, there is another piece of legislation that regulates how we communicate with patients and other members of the public, especially when it comes to communications for marketing purposes.

This legislation is known as the Privacy and Electronic Communications Regulations (PECR). Further information on this legislation is available from the ICO website (What are PECR? | ICO). In this legislation, the definition of ‘marketing’ covers the promotion of aims and ideals as well as the sale of products and services, and in order to send these types of communication, whether, via text, email or letter, you must have explicit consent from the individual for them to receive this.

There have been a couple of recent incidents reported to the IG team where some practices have sent SMS messages to their patients with content that could be construed as marketing and is, therefore, was in breach of PECR (as explicit consent has not been provided by the recipients specifically for receipt of this type of information). Below are some examples of messages that could be construed as marketing:

“We can now offer our patients the option of private physio sessions, please contact us for prices”.

“Please consider using the practice dispensary as the surgery depend on the income this generates in order to operate efficiently”

“Encourage your friends and family to register here for first-class service and easy access to clinicians”

SMS messages you send to patients should contain information relating to their direct health care or to the running of the practice (e.g. change in opening hours, flu clinic available etc) only.