The UK Information Commissioner's Office (ICO) fined two charities in December for data protection breaches. Both charities paid the fines while publicly disagreeing with the ICO’s assessments. The way these fines have been reported in some quarters has implied that activities such as data screening, or appending phone numbers to donor records, are not permitted under UK legislation, which is not the case. The key issues were about transparency to donors, and about whether these activities came within the definition of the data holder’s ‘legitimate interest’ and so constituted ‘fair processing.’ The ICO further outlined its position on these issues at a conference last month, and is considering possible penalties for another eleven UK charities.
Charities in the UK have expressed concern about the judgmental tone of remarks made by the ICO representative about charities’ practices. The charities felt the remarks were inappropriate and misleading, and they led to headlines like this: “The UK Information Commissioner’s office (ICO) has slammed a number of big-name charities, including the RSPCA and the British Heart Foundation, for 'wealth screening' donors.”
As the UK prospect research firm Prospecting for Gold commented last month: Wealth screening is not and never has been illegal. Nor is prospect research. The key is to make sure you meet the requirements of the Data Protection Act so you can lawfully undertake these activities.
And the Commissioner herself in her speech to the February conference said:
“Let me be clear. It’s not that the activity is against the law but failing to properly and clearly tell your donors that you’re going to do it, is.”
UK charities are also concerned that the ICO’s views on these issues do not necessarily agree with those of the NCVO, as expressed in their guidelines on charities’ relations with donors published in September 2016.
How much of this debate is relevant for us here in Australia?
As in Australia, the UK data protection laws require that data holders inform their data subjects if they intend to append to their records information provided by third party suppliers or sourced from the public domain. If you look at your telco supplier’s privacy agreement you will probably find a statement like this: We may also collect personal information from other companies that are able to disclose it to us, if it's not practical to collect it from you. For example, we buy or obtain personal information from trusted sources to help us identify people who might be interested in hearing about our products. (Optus privacy statement).
At FR&C we remind clients in our written materials of this obligation to disclose: the relevant Australian Privacy Principle information can be found in APP 5 at https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/
What the ICO actually said
These are the links to the two penalties levied in December
This is the ICO’s page for the public about the practices they criticised
This is the ICO’s paper produced for the meeting they held with selected charities in February https://ico.org.uk/media/2013426/fundraising-conference-2017-paper.pdf
This is a recording of the Information Commissioner’s speech at the conference https://ico.org.uk/for-organisations/charity/
This is the link to the guidelines the ICO issued after the meeting
Some other good commentaries:
Factary’s posts on the situation here https://factary.com/category/fundraising-research/
And Chris Carnie’s blog here https://factary.com/category/chris-carnies-blog/
The UK Researchers in Fundraising Group’s news page here http://www.institute-of-fundraising.org.uk/groups/sig-researchers/news/