Who: Information Commissioner’s Office (ICO)
Where: United Kingdom
When: 21 July 2015
Law stated as at: 12 August 2015
On 21 July 2015, the ICO launched an investigation into whether a number of charities and call centres have breached the Privacy and Electronic Communication Regulations 2003 (PECR) and the Data Protection Act 1998 (DPA).
The ICO’s investigation follows a series of events which call into question fundraising techniques used by charities. In May 2015, 92-year-old Bristolian poppy-seller Olive Cooke apparently committed suicide shortly after being overwhelmed by fundraising requests from charities. This sparked an undercover news investigation which reported that charities targeted vulnerable individuals and contacted people without their consent. Just a day after the findings of the undercover investigation were published, Oxfam suspended all operations with a call centre responsible for carrying out fundraising calls on its behalf.
In announcing the investigation, Christopher Graham, the Information Commissioner, stated on the BBC Radio 4’s Today programme that:
“The question of interest for us is: are charities trading in lists of generous people and are charities taking advantage of people’s generosity, or indeed just taking advantage of people full stop?
This is a boiler room operation, this is cold calling. We need to get to the facts.”
Why this matters:
All organisations carrying out direct marketing (either itself or using a third party) must comply with their obligations under the DPA and the PECR. This investigation by the ICO is a stark reminder that the legislation relating to direct marketing applies not only to commercial business but also to not-for-profit organisations and charities.
Further, to the extent that an organisation outsources its direct marketing activities to a third party (as is the case with a number of the charities in question), this investigation and surrounding events show the importance of having a robust data processing and service agreement in place with third party processors to ensure that the organisation (as data controller) retains control over the use of data and complies with its obligations under the DPA and the PECR.
Finally, the investigation demonstrates the significant detriment that an allegation of breach of privacy legislation can cause to an organisation’s reputation; this is in addition to the possibility of enforcement action and monetary penalties of up to £500,000. From April 2015, in respect of unsolicited direct marketing by phone, text, e-mail or fax message, the threshold for issuing monetary penalties under the PECR changed so that the ICO is now able to issue a penalty for any serious contraventions of the regulations relating to direct marketing, irrespective of whether substantial damage or substantial distress is shown.