Who: Information Commissioner’s Office (ICO)
Where: UK
When: December 2016
Law stated at: 19 January 2017
What happened:
In December the ICO announced that it had fined two major charities, the Royal Society for the Prevention of Cruelty to Animals (£25,000) and the British Heart Foundation (£18,000) for failing to handle donors’ personal data consistently with UK data protection laws.
The ICO’s investigation, one of a number it launched last year following media reports about the targeting of vulnerable charitable donors, found that the charities had breached the UK Data Protection Act (the DPA) in the following key ways:
Ranking donors based on wealth
What did the charities do? They engaged wealth management companies to analyse the information they already held about donors, such as names and addresses, dates of birth and the value and date of the last donation, against additional, publicly-available information, such as income, property values and friendship circles.
Why did they do that? So that they could build a better picture of the financial means of supporters and more accurately target: (a) the most wealthy and valuable; and (b) the most likely to leave money in their wills (legacy profiling).
How did this breach the DPA? Neither charity had the consent of supporters to carry out these profiling activities. Consequently, they did not have a legal basis on which to use donors’ data for these purposes and supporters weren’t able to object to these practices.
Finding information about donors from other sources
What did the charities do? Where supporters chose not to provide a particular field of information, the charities engaged companies to find it out. For example, they used an old phone number to trace a new one or used an email address to track down a postal address.
Why did they do that? So that they could use the information obtained from alternative sources to contact supporters for donations.
How did this breach the DPA? According to the ICO, this activity cut across the right of individuals to choose what personal information they give to organisations. It also weakened the level of control that donors had about how often their original information was updated.
Data sharing
What did the charities do? They shared donor information with other charities through a scheme called Reciprocate.
Why did they do that? The charities were interested in getting details of other prospective donors, such as those who had donated to other charities.
How did this breach the DPA? According to the ICO, the charities did not provide donors with enough information to make a decision to opt out of their data being shared in this way. In particular, the charities did not make it sufficiently clear which organisations they would share data with. As a result, donors were vulnerable to unwanted charity marketing from organisations who had no obvious link to the charities that originally held their data.
Why this matters:
The DPA is a demanding piece of legislation and imposes a large number of obligations on organisations. As these latest findings once again demonstrate, though, the key overriding obligation is to be up-front about how data is used and to only use information relating to an individual in a way that they would reasonably expect and that is fair. Early warnings about the use of information are particularly vital where, as was the case here with wealth screening and open-source data mining, the activities are likely to be unexpected or objectionable in the data subject's opinion.
The ICO's findings are not just relevant to charities. Its continued focus on fairness and transparency is significant for a range of organisations looking to succeed in the digital economy, not least because the ICO is taking no prisoners when it comes to transparency: in its announcement the ICO was keen to stress that the fines could have been ten times as high in other situations.
Against this background, organisations should consider (at the least):
Taking steps to address the recently updated ICO privacy notices code of practice (available here).
This guidance explains how communicating information to individuals in a clear and engaging way can help individuals feel informed and fairly treated. For example, the ICO expects organisations to explore the potential of new privacy-enhancing technologies (such as just-in-time notices) and to embed the concept of privacy by design into standard business processes.
Reviewing how transparency and fairness obligations under the DPA will be strengthened by the General Data Protection Regulation (GDPR) which will come into effect on 25 May 2018.
The theme of transparency runs right through the GDPR and so the format, positioning, provision and content of privacy notices takes on new significance, especially where consent from data subjects is required before data processing can begin. For more information on the GDPR, its enhanced transparency requirements and how to comply, please see our guide to help kick off your GDPR compliance project here and an overview of the key aspects of the GDPR here.