Yesterday the ICO confirmed that it is fining two charities for breaches of data protection law. Well, that wasn’t quite the headline or tone of the language used. Instead it was ‘exploiting supporters’, ‘secretly screening’ and ‘disregard for people’s privacy.’
Pretty strong stuff. Compare that with the previous announcement on 29 November where a firm had been fined £100,000 for sending texts without permission. The language is quite different – “they must make rigorous checks to ensure the rules have been followed”, or “responsibility under law to check the people being sent them had specifically consented to receiving marketing texts.” No “exploitation” or “disregard” used in that case, but a clear explanation of the law and enforcement action. It is disappointing that an independent and serious regulator seemed to be trying to write the tabloid headlines for them.
Aside from the way that the ICO have chosen to talk about their adjudication, there are important issues to understand about how the decision was reached. Well, there would be if the ICO had actually released their full report detailing the investigation, identifying the legal problems and making absolutely clear what they believe the transgressions have been, and what others should do to avoid them. At the moment all we have are general principle-based statements around donors not being informed and so not having the opportunity to agree or object.
Limited details available
So, reading between the headlines, it seems that it isn’t that wealth screening or data sharing are deemed in themselves to be unlawful, but that the ICO are saying that donors have not been adequately informed that their data would be used for this purpose. Does this mean that all of this is essentially about adding a sentence or two in the right place in communication materials? Or charities needing to have updated their privacy policies?
That isn’t to belittle the importance of those steps. Of course donors need to know and be informed about how their information will be used, and to have the right opportunities to agree to this or not.
Fundraisers ‘left feeling their way in the dark’
But it makes a big difference as to how we can make sure that all charities get this right in the future. Again this is where we need better, clearer, and more consistent guidance from the ICO to our sector. As a regulator they need to be providing straightforward and unambiguous guidelines so that donors and charities alike are completely aware of the legal requirements and that all charities can be sure that they are going about their work lawfully. It is not enough for the ICO to just issue statements that donors need to be informed and be given the right choices. Charities need more detail on the ICO’s view of what lawful practice looks like: what form of words would have passed the test? When would someone have needed to give consent? Without this reassurance and clarity fundraisers are left feeling their way in the dark.
We will be working as best we can to get these answers as soon as we can – it is frustrating for all that we don’t have them now, and especially so when there are people who have legitimate concerns about how they do their jobs and future work. Clarity from the ICO, working with the Fundraising Regulator to ensure consistency across the regulatory bodies, is essential around this.
We know what this is not about. It is not about whether charities are special, trying to get around the rules, while looking for ways to ‘exploit’ donors. Every charity knows that it has to follow the law, and not only that, but the Code of Fundraising Practice requires that in many areas charity fundraising reaches a higher benchmark than the law sets. Charities have been banned from selling donors’ data; other sectors do it. We can only share supporters’ data with explicit consent; other organisations can do it on an opt-out basis. This isn’t about whether charities should have high standards and be working ethically. They should, and they do. And that means that if charities get it wrong, they should be held to account – but that also has to be accompanied by enough information to make sure they don’t get it wrong in the first place.
For some more information on Data Protection and a checklist on how to make sure your organisation is compliant, have a look at our introductory information.
Daniel Fluskey is Head of Policy and Research at the Institute of Fundraising.