ICO fines - what are the legal implications for charities and fundraisers?
The recent Monetary Penalty Notices issued to BHF and the RSPCA by the ICO have understandably raised concerns and questions for charities and fundraisers about their implications for charitable fundraising moving forward.
The fines were imposed for breaches of the Data Protection Act 1998 (DPA) in relation to:
- data sharing through the Reciprocate scheme;
- wealth screening; and
- data-matching (telephone matching).
The ICO found these practices to be in breach of the First Data Protection Principle of the DPA, which requires personal data to be processed fairly and lawfully. For processing to be fair, individuals must be informed of the purposes for which their personal data will be used. The crux of the ICO’s decision was that BHF and the RSPCA had not given supporters sufficient information that their data would be shared through Reciprocate, wealth screened or tele-matched. As such, it was not in their reasonable expectations that their data may be used this way and the lack of clarity meant that the supporters faced prejudice in exercising their rights (which we take to mean the right to opt-out of direct marketing or possibly the right to make a subject access request).
BWB and the Institute of Fundraising recently held two seminars on the legal implications of the fines, the slides and a video of which can be viewed here. We have also summarised below our responses to some of the queries that attendees of the seminars were most concerned about:
Q: Are data sharing, wealth-screening and data-matching always unlawful?
A: Whilst it is difficult to be sure of the ICO’s analysis of this, our view is that these activities can all be done in ways that are lawful. To achieve this, careful attention must be paid to:
a) the exact nature of the processing that is being carried out; and
b) what was communicated to individuals when they provided their data about how it may be used.
If individuals have been adequately informed that their data may be shared (and who with), wealth-screened or matched with other data and in certain circumstances an opt-out offered, then these practices are likely to comply with the First Data Protection Principle. It is not yet clear how detailed or granular this information needs to be. The more specific, and the more prominent the information is, the more likely it is to be compliant.
Q: Do we need consent to share data, wealth screen or data-match?
A: Not necessarily.
There are alternatives to consent to ensure that processing is fair. In particular, if processing is in an organisation’s ‘legitimate interests’, and such processing does not disproportionately prejudice the rights and freedoms or legitimate interests of the data subject, then it will be lawful to process the data without consent. In other words, a balance between the interests of the organisation and the rights of the individual must be achieved.
If charities rely on the ‘legitimate interests’ condition for data sharing, wealth screening and data-matching, rather than consent, then individuals must still be informed in a sufficiently clear way and, in certain circumstances, offered an opt-out; provided this is done, these practices may be carried out, as discussed in response to question one above.
It is also important to note the additional obligations imposed under the Code of Fundraising Practice in relation to consent. Code number 6.5 bans the sale of personal data and requires explicit consent for sharing without payment.
Q: Will this change under GDPR?
A: Recital 47 of the General Data Protection Regulation explicitly states that the processing of personal data for direct marketing purposes may be regarded as carried out for a ‘legitimate interest’. The GDPR will however strengthen the need for clear information and also make it a requirement in certain circumstances (e.g. automated profiling) for a specific rather than a general opt-out to be provided.
Q: What does this mean for existing/historic data?
A: If charities wish to continue the type of practices that were subject to the fines then it will be necessary to review the data protection statements that were provided to supporters at the time they provided their data (or in subsequent communications), to check whether they were adequately informed that their data may be used for these activities. If not, then it will be necessary to provide this information to them (in a way that is compliant with data protection law) before any further wealth screening or data matching is carried out.
Q: Will there be any further guidance issued?
A: The ICO, Fundraising Regulator and Charity Commission will be holding a Fundraising and Regulatory Compliance Conference on 21 February 2017, at which they plan to launch further guidance on consent.
Hannah Lyons, Associate, BWB
Melanie Carter, Partner, BWB
Disclaimer - the information contained in this blog is not intended to be a comprehensive guide or to be relied upon as legal advice. The content is necessarily of a general nature - specific advice should always be sought for specific situations.