On 9 December 2016, the ICO issued two Civil Monetary Penalty Notices ('CMP Notices') against the British Heart Foundation ('BHF') and the RSPCA, each being fined £18,000 and £25,000 respectively for alleged breaches of the DPA. This decision by the ICO came as a surprise to many charities, particularly as the issue of wealth profiling or screening in connection with fundraising was not mentioned in any detail at the outset of the ICO's investigations. For instance, if you look at the ICO Direct Marketing Guidance published in 2016, the word 'profiling' is mentioned only once and that is in relation to use of website cookies.
The published CMP Notices are similar in many respects so the main findings are summarised together below. Many in the sector are concerned about the way that the ICO have come to its conclusions. We share those concerns as the ICO's reasoning and legal basis for its decision to impose fines on the charities involved, does not appear to be particularly clear.
The three key practices the ICO focused on were:
- Wealth screening (or profiling) - where charities use wealth screening companies to determine how wealthy potential donors might be and assess their capacity to give;
- Data sharing - the ICO was particularly concerned that the RSPCA and BHF participated in a scheme called 'Reciprocate' (which is now defunct). This allegedly enabled participating charities to swap personal data relating to certain donors or perspective donors, including names, addresses, Gift-Aid statuses and donation amounts;
- Tele-appending/data matching - where charities use personal data about supporters to obtain other personal data about them from external sources. This may be to find missing data about supporters. Tele-matching is a type of data matching where a charity may use an external database (e.g. BT OSIS), to find telephone numbers of supporters. The ICO was particularly concerned that these individuals may have chosen not to provide that information.
The ICO concluded that these practices had been conducted in breach of the first data protection principle (that personal data is processed fairly and lawfully) and second data protection principle (data must be obtained for specified and lawful purposes). The two main problems were:
- Lack of 'Fair' Notice: In relation to the above activities, the ICO was of the view that the RSPCA and BHF's fair processing notices were unduly vague/ambiguous or did not sufficiently indicate what personal data may be processed for. It concluded that individuals 'would not have understood their data would have been used in this way'. On this last point, the ICO does not mention whether or not it conducted any study or used evidence to come to this conclusion; and
- Need for Specific, Informed Consent: Furthermore, the ICO also concludes that to share/sell data with third parties - as well as providing fair notice - an organisation would have had to obtain freely given, specific and informed consent of the data subject through a positive indication of their wishes. RSPCA's case was probably not helped by the additional problem that it had apparently inadvertently shared personal data of individuals who had expressly opted out. What is much less clear from the ICO's decision is whether such positive consent is required for data or tele-matching. There is passing reference to 'consent' of data subjects being required but the ICO does not explain whether this needs to be an opt-in or whether implied consent would be sufficient, provided the practice of data-matching or tele-matching is sufficiently described in a privacy notice and individuals given an opportunity to opt-out.
The ICO felt that these breaches of the DPA merited a financial penalty since the actions leading to them were deliberate and the breaches were sufficiently serious contraventions to cause substantial damage or substantial distress. This was apparently due to factors such as:
- the length of time over which that the contraventions took place (a number of years);
- the number of data subjects affected - it was alleged hundreds of thousands of names may have been shared on Reciprocate; and
- individuals - in the ICO's view - being affected in 'significant practical ways' including the financial impact and diversion of time arising from receiving additional marketing approaches.
The ICO's decision in relation to the BHF and the RSPCA led to the Charity Commission and the Fundraising Regulator issuing a joint alert. It reminds charity trustees that they are responsible for ensuring that their own charity has systems and processes in place to ensure compliance with data protection law. The joint alert recommended that charities take immediate steps, including a key pronouncement that charities should;
'...cease any activity without explicit consent described and set out in the ICO notices [in relation to BHF and RSPCA] as being in breach of data protection law'.
This particular statement has caused confusion to many in the sector, largely because it does not seem to recognise the fact that the ICO decision only appears to specify that explicit (i.e. 'positive') consent is needed for data sharing with other data controllers. Assuming that privacy notices are sufficiently clear and no data sharing is involved, it would seem that explicit consent is not required for a charity to profile or wealth screen donors. On data matching, pending further guidance from the ICO, the position is much less clear. While some limited 'matching' to check the accuracy of existing donor data may be acceptable, provided that fair notice is given to the data subject, using data or tele appending to obtain missing or incomplete supporter data from external sources, would appear to be legally risky, unless explicit donor consent was also obtained.
It also seems strange that the apparently more charity focused Direct Marketing Guidance (discussed below) did not mention profiling or tele appending/data matching as a significant issue, even in passing, particularly if the ICO wished to provide clarity to the sector to help organisations understand their responsibilities.
The ICO, Fundraising Regulator and Charity Commission have an 'educational event' planned for 21 February 2017 in Manchester at which guidance for charities will be issued. The hope is that some more clarity can be provided on these issues than recent regulatory notices and pronouncements arguably provide. To find out more, please click here.
The Charity Commission has also launched compliance cases into the RSPCA and BHF on the back of the ICO ruling which may or may not give rise to any further findings that trustees should be made aware of. Whatever the outcome, any fundraising charities who have not done so already should to ensure that data protection is near the top of their internal governance priorities.
The ICO published a press release on 30 January 2017 stating that it has issued a notice of intent to issue monetary penalties in respect of another unnamed 11 charities that were under investigation. This is stated to be on the back of the above CMP Notices against BHF and the RSPCA, so would ostensibly appear to be in relation to wealth screening activities, data sharing and data matching/tele appending activities. As the affected organisations have 28 days to respond to the ICO findings and make representations, final decisions on these would likely start to be published in the next 2-3 months.
The ICO has also stated that; '...there are no other outstanding investigations into charities as part of that operation' and that the ICO will now be; '...focusing its attention on ensuring compliance within the charity and fundraising sector', which seems to indicate that a line will be drawn on any new investigations (or surprise announcements) for the time being.