I recently attended an event on data protection in Bristol (New Data Protection and the implications for your charity), organised by the South West Development Directors’ Forum. The speakers were Stephen Dunmore, chief executive of the Fundraising Regulator, Ken Macdonald, head of regions at the Information Commissioner’s Office (ICO) and Gary Shipsey, managing director of protecture. It was very informative, and the answers Gary Shipsey gave to my questions were the most reassuring things I have heard about data protection as it relates to freelancers. Gary told me that if a freelancer is commissioned to undertake research for a charity, including information on identifiable individuals, the freelancer is acting as a data processor rather than a data controller. So long as the freelancer deletes the information after the research has been completed, there is no breach of the Data Protection Act. Nor would it be a breach of the GDPR. The charity would need to follow the guidelines. I have also been in touch with Tim Turner (ex ICO), who wrote “Fundraising and Data Protection – a survival guide for the uninitiated”. Tim has confirmed my understanding of the situation, pointing out that charities should have a contract with freelancers, making clear what they want freelancers to do with the data, how they want freelancers to secure it and so on. If there is no contract, that’s potentially a serious breach for which the (charity) data controller is liable. Perhaps the Institute of Fundraising could produce model contracts.
Of course, freelancers would still have to follow the guidelines, but it is useful to have this point clarified. Given the occasional reliance of some charities on the services of freelancers to augment their fundraising capacity, I think that it is essential that the discussion is widened to include freelancers and other suppliers. For example, if the research includes existing supporters, the charity would need to have informed the supporter(s) of this possibility e.g. via a privacy statement. In all events, the charity should inform the individuals as soon as is reasonable that they have been researched. All charities should be working on this in the run up to May 2018, when the GDPR comes into effect.
Gary was co-author of the Fundraising Regulator’s Guidance “Personal Information and Fundraising: Consent, Purpose and Transparency”, so he knows his stuff.
It’s hard paraphrasing something like this adequately in such a short summary, but I hope that other freelancers (and charities) take some comfort from this. That said, all freelancers should read the various guidelines that have been produced by the ICO, Charity Commission, Fundraising Regulator and others and prepare privacy statements, and improve their practise, as necessary.
At no stage have I heard anything reassuring about freelancers retaining data without getting the consent of the subjects. Does this represent the end of database screening as we have known it? Given the ICO’s preference for clearly expressed consent, will a supplier’s possible reliance on legitimate interest be sufficient for charities?
While this data protection business can be a little disconcerting, there are many good sources of helpful information. Most of the discussion at meetings on data protection that I have attended have (understandably) been aimed at charity employees. Freelancers and other suppliers also need to get up to speed. Hopefully these issues will be covered in the September event being organised by the Institute of Fundraising Consultants Special Interest Group.
Finbar Cullen, ResearchPlus
2,039 total views, 1 views today