The ICO has published initial details of the fines handed to the Royal Society for the Prevention of Cruelty to Animals (RSPCA) and British Heart Foundation (BHF).
The charities’ approach to wealth screening; data / tele-matching and data sharing triggered the fines.
The ICO exercised considerable discretion to significantly reducing the fines – in recognition of the impact that the expected £250,000 and £180,000 would have had on the charities, their beneficiaries and their supporter. The RSPCA was fined £25,000, and the BHF £18,000.
The full details will be realised by the ICO on Friday 9th December. Protecture will be providing a detailed analysis of these; in the meantime, our initial take on what we know already:
(1) Lack of transparency appears the biggest issue
The ICO’s “Charity fundraising practices” page notes the lack of transparency as the key aspect of non-compliance with regards to wealth and legacy screening: “Donors are oblivious to this practice. If [they] don’t know it’s happening, [they] can’t object.” In the press release, the ICO notes the charities “secretly screened millions of their donors.”
With the data sharing, the information provided to individuals – about the sharing of their data with “similar organisations” – was found to be vague; individuals’ were not provided with enough information to make a decision about whether to share their data or not.
The lack of fair processing – required by the first principle of the Data Protection Act – therefore appears key.
It will be interesting to see whether the ICO focuses solely on this area of compliance (as it does on the “Charity fundraising practices” page) or whether they also bring in the lawfulness of the processing (i.e. the issue of whether consent is the only way to legitimately undertake wealth screening). The ICO makes reference to individuals being “…unable to consent” and the charities lacking consent to undertake wealth screening, despite (as all DPA nerds know) legitimate interests (when balanced against the interests of the individual) being an equally valid schedule 1 condition as consent.
(2) Expect enquiries – and start reviewing your privacy notice now
The ICO’s “Charity fundraising practices” page is telling anyone concerned to:
(a) Contact the Fundraising Regulator who has previously made clear they will expect charities to try and respond to queries directly in the first instance.
(b) Read your privacy notices to learn what you are doing with their information and if these are unclear or vague, they should expect more information from you.
(c) Make a Subject Access request to you for all the personal information you hold on them.
Action: Assess where you can (and cannot) explain what data you hold; what any codes or references mean, and where data came from, so you are ready to explain to an individual as best you can any data they might not have expected you to be holding.
(3) Data and tele-matching – is there good practice?
It will be interesting to see what specifically the ICO notes as the area of non-compliance: the press release only cites two examples, and no specifics relating to the RSPCA or BHF. The two examples can be interpreted differently, for example:
Using an existing “email address to track down a postal address” is wrong: the person did not provide their postal address; they do not expect to be contacted via that channel and so it seems unfair that you have tracked it down and are then using it for direct marketing.
However, the example where the charity has given an “old phone number” – and (let us presume) has consent to use that for direct marketing (i.e. there is an established relationship with the individual) then the exercise of trying to “trace a new one” could be seen as an attempt to keep the data accurate, up to date and adequate for your purposes (as required by principles three and four).
(4) Volumes involves were significant, as was the period of non-compliance
For all three activities, the numbers of records involved were in the hundreds of thousands, several hundred thousand or several million. And the activities have been going on for six years or more.
These are likely to be contribute to the ICO’s assessment of the impact on individuals.