The story published last week by the Daily Mail about imminent enforcement action by the Information Commissioner’s Office against two leading UK charities, followed closely by the announcement and then details of enforcement action against the British Heart Foundation and the RSPCA from the ICO itself, have provoked strong feelings among the fundraising community. A number of articles, blog posts and tweets have been written in response, all unanimously condemning the enforcement action and presenting various perspectives in defence of the charities’ actions.
I can understand why the writers are angry: no one likes to feel that they are being attacked or criticised, and, after all, charities are doing good work that benefits society. However, by responding to this enforcement action with outrage, denial and indignation, the fundraising community is doing itself and the voluntary sector no favours.
It appears from many of the articles and comments by fundraisers so far that the main reason for their anger and hurt puzzlement over the enforcement action might stem from a number of erroneous assumptions and a lack of understanding about the requirements of privacy law. But the Data Protection Act has been around for nearly 20 years and the Privacy & Electronic Communications Regulations for 13. Although the ICO has recently revised its guidance so that it specifically references the activities of charities, during this time the law has not changed and the advice of the data protection community has often been dismissed in favour of the more attractive interpretations provided from within fundraising itself. To claim that there is insufficient guidance for charities about how to comply with data protection law is to miss the point – the law as written applies equally to the public, voluntary and commercial sectors. As is the case with health and safety law, contract law, employment law and tax law, ignorance of the law is no excuse for disobeying it.
Now is not the time to hunker down in the trenches and chuck rage grenades in all directions, but to step back, take a deep breath and consider another approach. Here are my suggestions for a more productive response to the current climate.
It’s time to end the assumption that industry voices are authoritative when addressing any subject other than their core expertise of fundraising. For data protection advice, go to a data protection professional and listen carefully to what they have to say, even if the advice is not what you want to hear.
Cease citing a "lack of guidance" from the ICO on charity obligations for data protection. It’s not the ICO’s job to hold the hands of a particular sector and the guidance on data protection its has already published is high quality, readable, accessible and reasonable. If sector or scenario-specific advice is needed, there is a good case for engaging a data protection practitioner rather than taking the risk of acting unlawfully.
Donors are the people who get most upset about the unexpected uses of their data that brought on the enforcement action. These are the people whose opinion is the most important and whose judgment of the fundraising community will be critical during these times. If donors are reacting with horror at the revelations of tele-matching, data-trading and wealth-profiling, then it does not matter whether these practices are long-embedded, seen as benign within the fundraising profession or have previously gone under the ICO’s radar. The fact that people are angry and shocked means that communications between charities and supporters have not been successful. For example, wealth-profiling can be beneficial – it allows charities to target fundraising communications appropriately and effectively, making better use of limited resources. If this activity is so critical to fundraising operations, then it should be possible to explain this to donors in a way that reinforces their desire to engage with and support the organisation, even if they’d rather not be subjected to profiling themselves.
Listen even when the message is unwelcome and uncomfortable, because privacy laws are not going away. In fact, they are getting more stringent. It’s time to ask "is this use of data fair, lawful and transparent?" If the answer isn’t "definitely", then the chances are you’re doing it wrong… or you’re doing wrong.
Rowenna Fielding is digital officer at the National Association of Data Protection Officers