A response to the ICO’s findings that RSPCA and British Heart Foundation broke data protection laws

December 15, 2016

The ruling by the Information Commissioner’s Office has sparked fierce, passionate debate and a lot of confusion across the charity sector. We have reviewed the detailed findings of the ICO and would like to clarify four areas where there is potential for unnecessary confusion:

Myth 1: Wealth-screening is illegal

Wealth screening is not illegal in itself. What breaks the law is doing it without the individual’s knowledge and without giving them the chance to opt out (under the Data Protection Act 1998) or to opt in (after 25 May 2018, when the General Data Protection Regulation comes into effect in the UK and across the EU).

The fact that a charity is wealth screening or wealth profiling should be stated in its Privacy Policy. It would also be good practice to state why the charity is doing so in order to help supporters and donors to understand why this activity is important. For example, “to help ensure that we approach you for support in a manner that fits your personal circumstances”.

Myth 2: Data appending is illegal

Again, the act of adding data to a record is not necessarily illegal, but there are conditions. The ICO objected to this activity because:

  1. The data being appended were contact details;
  2. The charities then used those contact details to solicit money without any prior warning.

Had the charities contacted those individuals and first asked them if they could contact them using these new details, the individual would have had a chance to refuse or opt-out.

A good privacy policy will make it clear that you may engage in this activity – an even better privacy policy would expand this to include the fact that the charity may review publicly available information about an individual to help them gain a better understanding about their supporters.

Myth 3: We can’t share our data with third parties

Two charities were fined for selling their donor data to other charities so that they could also solicit them for donations. These charities likely did not state this clearly in their privacy policy, and in some cases, where individuals had opted out of their data being shared, the objection was ignored.

Charities can still work with third parties and should still ensure that a data contract exists with them – one that specifies that the third party will only use the data for the purpose you want to engage them for, that the data will be held securely and won’t be sold on.

However, the data processing that the third party undertakes for you needs to be part of your privacy policy. In other words, you can’t suddenly engage a third party to undertake a new form of processing for you without making this clear in your privacy policy.

Myth 4: Without consent, the charity won’t be able to take advantage of new forms of data processing

This may be true, to an extent, but charities may be able to use something called “data-anonymisation”:

The Data Protection Act and your privacy policy refer to personal data that could be used to identify a living individual. This includes data such as a full name, an email address, a social media link, or username. It could also include a full postal address or telephone number if used in conjunction with other data (e.g. a surname or first name). Therefore, consider whether this data is relevant for the new form of processing. A lot of donor analytics or insight work does not require this type of information, so if the personal data can be omitted from a process then it would be in the charity’s interest to do so. More detail has been provided by the ICO here.

Understanding the issues, the language for privacy policies, and more is a big topic. Graham-Pelton has experts in data, alumni relations, events, planning, and more. Don’t hesitate to contact us for help in planning and implementation.

– Christian Propper, Senior Consultant
