First fundraising data protection fines – secrecy and sharing at the heart of poor practice

The ICO has published initial details of the fines handed to the Royal Society for the Prevention of Cruelty to Animals (RSPCA) and British Heart Foundation (BHF).

The charities’ approaches to wealth screening, data and tele-matching, and data sharing triggered the fines.

The ICO exercised considerable discretion in significantly reducing the fines, in recognition of the impact that the expected £250,000 and £180,000 would have had on the charities, their beneficiaries and their supporters. The RSPCA was fined £25,000, and the BHF £18,000.

The full details will be released by the ICO on Friday 9th December. Protecture will be providing a detailed analysis of these; in the meantime, here is our initial take on what we know already:

(1)    Lack of transparency appears to be the biggest issue

The ICO’s “Charity fundraising practices” page notes the lack of transparency as the key aspect of non-compliance with regards to wealth and legacy screening: “Donors are oblivious to this practice. If [they] don’t know it’s happening, [they] can’t object.” In the press release, the ICO notes the charities “secretly screened millions of their donors”.

With the data sharing, the information provided to individuals about the sharing of their data with “similar organisations” was found to be vague; individuals were not given enough information to decide whether or not to allow their data to be shared.

The lack of fair processing – required by the first principle of the Data Protection Act – therefore appears key.

It will be interesting to see whether the ICO focuses solely on this area of compliance (as it does on the “Charity fundraising practices” page) or whether it also brings in the lawfulness of the processing (i.e. the question of whether consent is the only way to legitimately undertake wealth screening). The ICO refers to individuals being “…unable to consent” and to the charities lacking consent to undertake wealth screening, despite (as all DPA nerds know) legitimate interests (when balanced against the interests of the individual) being a Schedule 2 condition for processing just as valid as consent.

(2)    Expect enquiries – and start reviewing your privacy notice now

The ICO’s “Charity fundraising practices” page is telling anyone concerned to:

(a) Contact the Fundraising Regulator, which has previously made clear that it will expect charities to try to respond to queries directly in the first instance.

Action: Ensure frontline staff have a clear message for handling enquiries on this issue, even if they simply acknowledge the enquiry and say that a statement or updated privacy policy is imminent (see below).

(b) Read your privacy notices to learn what you are doing with their information; if these are unclear or vague, they should expect more information from you.

Action: Review your privacy policy and your approach to fundraising and, more broadly, to direct marketing. Be clear about the different purposes for which you want to collect and use personal information, and what the lawful basis is for each of these. Make clear whether you engage suppliers to undertake wealth screening and/or tele-appending or matching, and if so, what measures you take to select those suppliers.

(c) Make a Subject Access request to you for all the personal information you hold on them.

Action: Assess where you can (and cannot) explain what data you hold, what any codes or references mean, and where the data came from, so that you are ready to explain to an individual, as best you can, any data they might not have expected you to be holding.

(3)    Data and tele-matching – is there good practice?

It will be interesting to see what specifically the ICO notes as the area of non-compliance: the press release cites only two examples, and no specifics relating to the RSPCA or BHF. The two examples can be interpreted differently. For example:

Using an existing “email address to track down a postal address” is wrong: the person did not provide their postal address and does not expect to be contacted via that channel, so it seems unfair that you have tracked it down and are then using it for direct marketing.

However, in the example where the charity has been given an “old phone number” and (let us presume) has consent to use it for direct marketing (i.e. there is an established relationship with the individual), the exercise of trying to “trace a new one” could be seen as an attempt to keep the data accurate, up to date and adequate for your purposes (as required by principles three and four).

(4)    Volumes involved were significant, as was the period of non-compliance

For all three activities, the numbers of records involved ranged from hundreds of thousands to several million. And the activities had been going on for six years or more.

These factors are likely to contribute to the ICO’s assessment of the impact on individuals.