The Fundraising and Regulatory Compliance Conference was jointly held by the Information Commissioner’s Office (ICO), Fundraising Regulator and Charity Commission. The aim of the conference was to set out the regulatory requirements and expectations for charities, fundraisers and boards under current and forthcoming data protection legislation.
In 2015 the ICO commenced a number of investigations into charities following media reports that some organisations had been engaging in unethical and/or illegal fundraising practices. In December 2016 the ICO announced that the RSPCA and the British Heart Foundation would be fined because of the way they had carried out wealth screening, tele-matching and data sharing. British Heart Foundation and RSPCA agreed to pay the fines but issued statements saying they were disappointed by the decision and disagreed with ICO’s findings. In January 2017 the ICO issued a statement saying that it had notified a further 11 charities of their intent to fine them. These charities have yet to be publicly named.
Data protection legislation
The Data Protection Act 1998 (DPA) controls how all personal information in the UK should be used by organisations, businesses or government. The Act is structured around eight data protection principles.
The General Data Protection Regulation (GDPR) is a piece of EU legislation that was approved in April 2016. It will be enforceable from 25th May 2018. All UK organisations must be compliant with the regulations by the time they come into force.
Key messages from each regulator
Information Commissioner’s Office
- Consent must be explicit. This means that it has to be freely given, informed and unambiguous.
- Don’t spend time rallying against the DPA or use ‘we’ve always done it this way’ as a defence.
- The DPA is a principle based law, therefore it is not possible to produce a one size fits all piece of guidance which outlines what can and cannot be done by fundraisers. It is for charities to assess whether their practices comply with the Data Protection Act principles.
- If you hold data for one reason this does not give you licence to process it for a secondary reason without transparency or consent. This was referred to by the ICO as ‘invisible processing’.
- ‘Publicly available information is not fair game’. This means that data that is freely and publicly available, for example from Companies House or the edited electoral register, must still be processed transparently, with consent and in compliance with the principles of the DPA.
- Data protection is a matter for trustees and is not to be left to fundraisers alone. The ICO regulates data management but the Charity Commission regulates how trustees execute their responsibility.
- If your charity has a data protection breach it must tell the Charity Commission.
- The Charity Commission has produced a document outlining six key principles of fundraising for trustees.
The Fundraising Regulator
- The Charity Commission, Fundraising Regulator and Information Commissioner’s Office are all in agreement when it comes to data protection.
- The Fundraising Regulator’s role is not to get in the way of charities fundraising, but to help them do it right.
- Charities have to be ready and compliant with GDPR from May 2018.
Key delegate questions/concerns
1. Why has the ICO changed its stance on wealth screening?
The ICO said that they were previously unaware of the practice of wealth screening but had they been aware of it before, they would have reached the same conclusions.
2. Is it unlawful to conduct wealth screening?
Wealth screening in and of itself is not unlawful. However, it can be carried out illegally. If charities want to wealth screen they must inform the donor before starting the process.
3. Will any of the regulators produce guidance on how they would like organisations to wealth screen?
The ICO, Fundraising Regulator and Charity Commission have each produced some guidance on topics ranging from transparency to consent and privacy notices (links can be found in the ‘further information’ section of this briefing). However, all three regulators were clear that the onus is on the charity to assess whether its processes comply with the DPA and GDPR using the framework that has been provided in guidance.
4. Could an exemption be made to the DPA for charities considering the unique nature of the purpose of their work?
The ICO was very clear that their job is to enforce the legislation not to make amendments to it.
5. Should charities self report?
All three regulators encouraged charities to contact them for help if they needed it. Rethink and The Children’s Society, both of whom presented best practice case studies, said they had received a lot of help from the ICO. The Direct Marketing Association was also cited as a source of support. The ICO said that it doesn’t want to have to “take the regulatory stick out of the cupboard” at every opportunity.
Questions that all charity CEOs need to be able to answer
- Have your donors all given unambiguous, informed consent to their data being stored, used and processed by your charity?
- Is your organisation’s data protection policy compliant with the Data Protection Act 1998?
- Does your organisation need to do any additional work to ensure it will be compliant with the GDPR in May 2018?
- Is there management and board level oversight of data protection policies within your charity?
- Does your organisation wealth screen, tele-append data or share data with any third party?
Links to more information and guidance
Information about the event:
- The text of the speech given by the Information Commissioner at the conference
- Fundraising and regulatory compliance conference paper
Information about data handling and consent:
- ICO’s guidance on Privacy notices, transparency and control
- Fundraising Regulator’s guidance on Personal Information and Fundraising: Consent, Purpose and Transparency
- Six charity best practice case studies
- The Fundraising Regulator’s consent, purpose and transparency checklist
- The Fundraising Regulator’s consent self-assessment tool
- The Code of Fundraising Practice (there is currently an open consultation on the changes to the Code of Fundraising Practice).
- The Charity Commission’s key fundraising principles for trustees
- ICO’s guidance on the GDPR