We now have the full details of the RSPCA and British Heart Foundation fines. They have prompted the Charity Commission and the Fundraising Regulator to issue a joint alert about compliance with data protection law.
The actions you should take now:
“Immediately cease any activity without explicit consent described and set out by the ICO notices of 5 December 2016 as being in breach of data protection law”
Three activities were under scrutiny by the ICO. They can all be undertaken in compliance with the law – the key issue is whether your current approach is compliant, and if not, what actions you can take to make them compliant in the future:
(1) Data sharing – a lack of consent
The Code of Fundraising Practice has already been updated to address this issue (at Section 6.5). The fines reinforced this, with the ICO confirming “Charities that wish to share/sell their marketing lists with other organisations must ensure that their donors were made aware of this when the personal details were collected and that specific consent to pass on the details were obtained.”
Importantly, the ICO has also clarified what “specific consent” means in practice: a higher standard of consent was, it turns out, there all along in the current DPA.
The current DPA has always been silent on what consent means. Attendees at our recent webinars and seminars will know we have been stressing that those looking for guidance on consent should turn away from loose, “lower” standards (the “implied” consent approach) and instead focus on the definition in the Directive. The ICO has stated the very same:
“The DPA implements European legislation (Directive 95 / 46 / EC) aimed at the protection of the individual’s fundamental right to the protection of personal data. The DPA must be applied so as to give effect to that Directive” and “consent must be freely given, specific and informed, and involve a positive indication signifying the data subject’s agreement.”
Also, you should not confuse or conflate being transparent with obtaining consent. Telling people what you will do with their information is one thing. Whether you then also need to seek their agreement to do those things is a related, but separate matter. The ICO was clear that:
“Informing individuals…is neither freely given nor specific and does not amount to a positive indication of consent.” 
Any activity that requires consent should cease unless you obtained consent to the standard defined by the DPA (i.e. the Directive). And if you did, this should stand you in good stead for the coming GDPR. If you did not, or have doubts, then now is the time to consider re-engaging with individuals to clarify their consent.
(2) Wealth screening – a lack of transparency
The ICO did not say that consent was required to undertake wealth screening. The fines focus solely on the unfairness of not sufficiently informing individuals about the possibility that their personal information will be used for the purpose of wealth screening.
“Supporters have not been provided with sufficient information to enable them to understand what would be done with their personal data in terms of screening and thereby to enable them to make informed decisions on whether or not they wished to object to such screening.” 
This reflects Schedule 2 of the DPA – consent is one means of processing personal data in compliance with Principle 1; but equally as valid is relying on your legitimate interests – i.e. to strike an appropriate balance between your (and your beneficiary’s) legitimate interests, so long as you consider and do not unduly harm the rights and freedoms or legitimate interests of the individuals.
The RSPCA and BHF also breached Principle 2 of the DPA – because they did not inform individuals about the additional use of their personal information for the purpose of wealth screening:
“…the [RSPCA / BHF have] contravened DPP2. The processing of personal data for the purpose of wealth screening is not compatible with the purposes explained in the [RSPCA’s / BHF’s] fair processing notices.” 
The ICO is making very clear that the lack of transparency by the RSPCA and BHF was key. Transparency is critical – it must be front and centre. Without transparency, individuals are denied the chance to use their legal right to object to automated decision making and profiling, and more broadly, denied the ability to control what happens to their personal information:
Both organisations “…ought reasonably to have known that data subjects would be unlikely to infer from those terms [i.e. their privacy notices] that their personal data would be processed for the purposes of wealth screening.” 
“…by failing adequately to explain to data subjects how their personal data would be used, the [RSPCA / BHF have] deprived them of control and informed decision-making about their personal data to a significant extent.” 
Fair processing notices should be seen as opportunities to inform people what you intend to do with their personal information – so they are informed and, if they have a choice, can exert that choice; and if they have rights they can exert those rights should they wish. For example, the right to object to direct marketing and to object to profiling (which is due with the coming of the GDPR).
If you plan to wealth screen new donors:
- Ensure that your fair processing notice(s) and privacy notice(s) fully inform people about your proposed use of their personal information for wealth screening. Explain why you do it and how you go about it.
If you wish to wealth screen existing donors (but have not previously informed them):
- Engage with them so they are fully informed about your plans.
You should be able to manage objections
- Your staff should be trained to handle any objections you receive about using personal information for wealth screening.
You should have Trustees sign-off
- Your rationale for undertaking wealth screening – including any controls in place to ensure the appropriate balance between your (and your beneficiary’s) legitimate interests and the rights and interests of the donors – should be presented to your Trustees and agreed by them.
(3) Data and tele-matching
The process of trying to obtain items of personal information – which individuals have not already provided – was deemed in breach of the DPA transparency requirements (i.e. people were not told) and the consent requirements (people should have agreed to the charities trying to locate their personal information).
Conversely, if the charities had told people that they would be trying to locate information, and sought their agreement to do this, then the processing could have been compliant.
“Review and assess activities in the areas of data collection, storage and use to ensure it is compliant with data protection law – this should include reviewing fair processing statements to ensure they are explicit, clear, transparent and highly visible”
As noted above, the key issues of collecting consent to a sufficient standard, and being transparent, are critical to compliant fundraising.
Organisations should undertake an information audit to define and document the flow of personal information into, within, and out of their organisations.
“Review and assess current data governance systems and processes to ensure they are fit for purpose and evidence sufficient oversight, control, are operating and effective – this includes ensuring there is a clear framework of ownership and accountability in place”
Accountability is important with the DPA. It is central to the GDPR: organisations will be “responsible for…compliance with the Principles” and must “be able to demonstrate compliance with the principles.” Trustees and senior management must be able to point to the records – for example, of informed decisions made about levels of security; of processes followed; of training delivered – in order to ensure their organisation is compliant.
Organisations should ensure that their CEO and senior management are aware the law is changing to the GDPR – and that it will ‘go live’ on 25th May 2018. They should assess where the role of Data Protection Officer (DPO), or someone allocated responsibility for data protection compliance, should sit within their organisation’s structure and governance arrangements.
The DPO should have:
- sufficient seniority to ensure other roles within the organisation can be tasked with delivering the changes and reporting required to deliver compliance.
- sufficient independence to ensure there is no conflict of interest with their role.
- a reporting line to the highest level within the organisation.
Data protection breaches
The final points of the alert relate to the identification, management and reporting of data protection breaches.
Please see our previous research into the reporting of data protection breaches as serious incidents to the Charity Commission.
The critical issue is staff awareness:
- What constitutes a breach (i.e. it is not solely the loss of information and other security breaches; it can, for example, also relate to unfair or unlawful activities);
- How to report it at your organisation;
- What the internal process is for managing actual or suspected breaches;
- How to assess whether the incident should be reported to the ICO, the Charity Commission and/or the individuals affected; and
- How to ensure lessons are learnt and improvements made where appropriate.
Organisations should send out an awareness message to all staff about how they expect staff to manage data protection breaches.
We are your DPO’s DPO. For those with responsibility for data protection compliance across your organisation, we have our full Data Protection Officer Support service.
Whether it’s preparing for the GDPR, audit, training, policies, ad-hoc advice or DP impact assessments, our service supports you to deliver compliance.
Giving fundraisers the data protection and privacy knowledge they need. Our Fundraiser Focus + service provides you with the tools required to continue generating income in these times of unprecedented scrutiny and change.
We arm you with the latest knowledge and practical advice. We ensure you are empowered to make informed decisions so that everyone is confident that your handling of personal information is compliant – both now and in the future.