In the first of a series of practical briefings prepared by Adrian Beney, More’s expert on data protection and regulatory matters, we look at the changing fundraising regulations and provide answers (where we can!) to some of your most common questions.
This, in light of:
The introduction of the EU’s new General Data Protection Regulation (GDPR) from 25 May 2018;
The fines issued to the RSPCA and the British Heart Foundation by the Information Commissioner's Office (ICO) in December 2016 and to eleven more charities in April 2017.
Are we legally obliged to ask people to opt-in to hearing from us?
This can sometimes be framed as ‘consent’ or ‘opt-in only’ versus ‘legitimate interest’. In this uncertain environment, some charities, including the Royal National Lifeboat Institution (RNLI) and Cancer Research UK (CRUK), have decided to communicate only with people who have given them explicit consent to do so. But this will not be the only lawful way of processing people’s data after GDPR comes into effect, and won’t be mandatory. If you have well-established supporter relationships you should be able to show that you can process data because it is in your organisation’s legitimate interest, i.e. without obtaining consent, as long as it doesn't prejudice the individual’s fundamental rights and freedoms. Whether or not it does so can be most formally established by doing a Privacy Impact Assessment. However, at present the ‘legitimate interest’ route may be problematic for any organisation deemed to be a ‘public authority’ (see below).
Can we carry out wealth screening and prospect research?
The ICO has not said these activities are illegal without consent, although in a generic charity context they have claimed that it could be difficult to establish the fairness of such activities. (Note that the ICO uses the term "wealth screening" to encompass all the activities which fundraisers usually call "prospect research".) The ICO issued fines not because charities were doing prospect research, but because they (ICO) say the charities had not told people they were doing prospect research.
So, if your privacy notice clearly says that you do this, and that notice is easily available to donors and others, and especially if you have evidence to show that you've drawn it to their attention, then prospect research can be fair.
If enforcement action were taken, you would need to show what processes you had gone through to make sure people knew what you were doing, and how you had assessed the possible impact on them.
GDPR will require specifically that you could show you hadn’t “prejudiced the fundamental rights and freedoms” of the people whose data you had processed. But the good news is that if you can provide written evidence of your thought processes (i.e. ‘showing your workings’) and that you are acting fairly and openly then the activity should be capable of complying with the law.
What should our privacy notice cover?
GDPR requires detailed but clear and concise information in privacy notices. Various charities, including CRUK, are taking the opportunity to revise their notices and to change them from hard-to-read legalese into a compelling explanation of why entrusting a charity with your data is as important as entrusting them with your money or your time. The ICO has provided guidance on this.
We recommend that organisations conduct an audit of their data collection and processing activity, and then compare the results against their current privacy notice, revising it if needed. Organisations should also make plans to communicate the new notice to those people whose data is being collected and to those already on the database.
What about public authorities?
GDPR states clearly that public authorities may not rely on “legitimate interest” for “the performance of their tasks”. We do not yet know which organisations will be deemed public authorities for GDPR nor do we know whether the ICO has the power to decide this, or whether it will require legislation, nor whether the exclusion from legitimate interests applies to all processing by the public authority, or only its statutory duties. The ICO has promised some clarity, but we do not know when this may emerge.
We will be producing a separate briefing on the latest state of play for public authorities.
Can we use information that is already in the public domain?
The ICO argues that the use of publicly available data without consent is unfair if it has not been put into the public domain for the purpose for which you wish to use it. This covers, for example, Twitter and other social media, newspaper reports and data published by the previous government's Public Data project (e.g. Companies House and the Land Registry). This strikes at the heart of the use of publicly available data by all sorts of organisations, both commercial and in the not-for-profit sector. The ICO’s view, which is based on a strict reading of Principle 2 of the Data Protection Act, has not been tested, so far as we are aware, in any court, but it is for now the view of the regulator.
In response, if you have a good privacy notice which has been communicated to people and, in particular, can demonstrate that your organisation has considered the impact on an individual of using this data for your purposes, it can at least act as a rationale for doing so and a defence should you be challenged. A key part of that defence would be to be able to show that people were not surprised, intruded upon or damaged by your use of their data.
How can we collect evidence?
The ICO has based a great deal of its regulatory advice on its assertions about what “people would expect”. It is clear from Freedom of Information requests that the evidence base for these assertions is thin. In response, a working group in the higher education sector formed by CASE and Universities UK is commissioning research into how university alumni and supporters expect their data to be processed. This should provide a more robust evidence base about the expectations of data use. We encourage all UK universities to take part in this research and to watch out for updates about it from CASE. In addition, the Institute of Fundraising has commissioned the University of Kent’s Centre for Philanthropy to produce a report for the wider charity sector on the expectations of major donors.
How can More help you?
We help organisations with audits of their data processes and privacy notice revision, as well as offering advice as to how to navigate through these changing circumstances. In the current environment, we recommend that the formal outputs from our work are cleared by client lawyers before relying upon them.
For further information contact Cameron Goodlad: cgoodlad@morepartnership.com or 01382 224 730.
Further guidance, on matters such as the question of public authorities, will follow shortly.
Disclaimer
This briefing provides guidance: it is not legal advice, for which you must seek out qualified advisers with relevant experience.