The Information Commissioner’s Office uncovered major failings in the British Red Cross’s adherence to data protection regulations during an investigation into whether the charity breached Telephone Preference Service rules, according to correspondence obtained by Third Sector.
A letter to the Red Cross, dated 27 October 2015 and obtained under the Freedom of Information Act, shows that failings at the charity included not gaining specific consent for telephone calls to TPS subscribers; not having historically screened the charity’s call lists against the TPS; and not giving supporters a simple way of opting out of receiving marketing from the charity, which the ICO says is a "major failing on which we require you to take action".
The regulator concluded its investigation in February, but did not report the failings. Instead it publically praised the charity after it agreed to sign a "voluntary undertaking", which committed it to only calling potential donors if they had specifically opted in to receiving calls.
The letter, which was sent by Natasha Longson, the ICO’s enforcement manager, to an unknown representative of the charity, also says that the Red Cross had an understanding and interpretation of "warm donors" that was not recognised in law and criticised the charity for relying on direct marketing guidance from 2007 when the regulator had updated the guidance in 2013.
It also says that the charity was using tele-appending systems such as BT’s Operator Services Information System in order to obtain supporters’ phone numbers, which might not constitute fair and lawful processing under the Data Protection Act, and that it had been calling these individuals without specific consent.
The ICO also found fault with the Red Cross for the wording on a form it was using for face-to-face fundraising, saying it was problematic with regard to data collection, and it was concerned by the charity’s use of the Reciprocate programme run by the list broker ResponseOne to swap data.
Longson acknowledges in her letter that some of the charity’s failings had been addressed or were being reviewed, but says that the charity had only taken action because it had been prompted to do so by the ICO investigation.
She adds that the charity was nevertheless likely to be largely compliant with the law.
The ICO launched an investigation into the Red Cross and several other charities, including Macmillan Cancer Support, the NSPCC and Oxfam, after allegations were made in the Daily Mail newspaper that the fundraising agency GoGen had exploited loopholes in the Telephone Preference Service while working on their behalf. The investigations into Macmillan, the NSPCC and Oxfam are not expected to be completed until September.
The ICO told Third Sector in February that it had concluded its inquiry into the Red Cross on the same day that it was announced that the charity had signed the agreement with it, but rather than publish the findings of its investigation, it issued a press release that said: "A big part of our work is working with companies who want to get it right. British Red Cross is a good example of that. They’ve seen the benefits of not just following the law, but following best practice, and we’re pleased that we’ve been able to work with them on this."
Asked why the ICO did not make its findings public, a spokesman said: "Whilst there were areas of concern within British Red Cross’ procedures, the low level of complaints we received did not provide evidence that the law had been broken."
He said the publicity surrounding the investigation’s outcome of was in line with the ICO’s policy on communicating its regulatory activities, which is available here.
A spokeswoman for the Red Cross said: "The ICO review in February 2016 found that British Red Cross’s fundraising practices are compliant with the law and current guidance. We are committed to maintaining the highest standards in fundraising, which means continually improving our practices."