The latest investigation by the Daily Mail into the use of publicly-available personal information has hit the headlines. This time, the activities of university alumni and development teams are under the spotlight.
Sadly, it’s the same mixture of issues first aired in relation to the conduct of charities back in late 2016. The article has the same, slightly confused, bundling and conflating of issues: the use of external “wealth screening companies” and “investigators”; a perceived lack of “consent” and “permission”; and references to “data protection statements”.
Protecture first wrote on the subject of using publicly-available personal information for fundraising purposes back in February 2017, following the ICO’s fines for charities and the publication of their guidance on the issue.
The three key issues from the article are summarised below:
1. Privacy Information (Transparency)
The key area of concern is transparency – or the lack of it. The ICO’s press release notes:
“Profiling individuals for a fundraising campaign itself is not against the law, but failing to clearly tell people that you’re going to do it, is.”
If you want to take the basic personal information you collect or currently hold, and use it to search for (or link it to) other personal information about the person for any reason,* you need to tell them.
How you tell them is largely down to you – the ICO’s Transparent Code notes you have discretion over how you get across to an individual the large amount of privacy information the GDPR requires.
But the ICO is clear – you need to actively inform them; a passing reference to a long, detailed privacy notice will not do the job. Why? Because people need to know, up front, about the additional things you will do with their personal information. People are unlikely to expect wealth screening if they are simply an ex-student, or donating £10 a month.
If you believe otherwise – i.e. that they all do expect it – then it is open to you to argue that with the ICO and the courts, should a student complain that they were not sufficiently informed.
2. Consent or Legitimate Interests (Lawful Basis)
You need a lawful basis to process personal information. There are six in the current Data Protection Act, which are repeated in the GDPR.
People are unlikely to consent to being screened, so you can look to legitimate interests. However, this is not a magic bullet. You need to undertake an assessment, weighing up your interests in using their personal information against the level of intrusion into the privacy rights and expectations of the individual. These assessments will be different depending on the volume, nature and extent of personal information you (or the third party company you engage) seek to rely on. For example, using data you hold, or that has been generated by the student during their interactions with you, is one thing; searching and extracting data from the business-to-business social platform LinkedIn is another. Searching 20 sources of data, including friendship circle and donations to other organisations, is another.
The ICO notes there is a line at which legitimate interests can be stretched too far and consent would be needed – deciding if you think you stay on the right side of that line is down to you.
Protecture subscribers have access to our Legitimate Interests Assessment Tool.
The ICO’s guidance is clear that it is not necessary to wealth screen data in order to take a £10 donation or send alumni newsletters. The screening is a separate activity – a separate purpose – and therefore needs its own lawful basis.