The ICO’s new guidance addresses key questions that remained unanswered following the RSPCA and BHF fines: Do you need consent to undertake wealth screening? Is it compliant to use publicly available personal information for fundraising purposes?
First, this is a complicated area of law…so don’t believe everything you read: the Data Protection Act (DPA) is rarely black and white. It provides a set of principles, and the ICO’s new guidance on Fundraising and regulatory compliance therefore reflects this. It offers space in which to make informed, balanced, risk-based decisions that can (trust us) enable you to undertake fundraising (including wealth screening) in a compliant manner.
The ICO is not saying all wealth screening requires consent of the individual. The guidance highlights there are many shades of screening, ranging from “simply segmenting your donor database by postcode, through to using dedicated third-party companies to obtain more personal information and generate donor profiles.”
The key issue: the level of privacy intrusion that your actions require. Put simply, the ICO is asking you to “consider the privacy intrusion in wealth screening.”
At the one end of the scale, there are activities “such as segmenting databases by reference to postcodes or other information you already have may represent a relatively low level of intrusion into privacy.”
In such cases, you are not seeking out additional information from other sources – whether from a publicly available source or not. The impact on someone’s privacy is likely to be low. So at this end of the scale the ICO confirms that consent from the individual is not needed: instead, “the legitimate interest condition may be a valid basis for processing.”
The legitimate interests condition is a balancing exercise: you have to weigh up, on one side, “the legitimate interest you are pursuing and its benefits. On the other, you must consider the potential harm to the rights and freedoms of the individuals whose personal information you are processing. Typically this will involve considering how far the processing infringes their privacy and the effect of that infringement.”
Indeed, the ICO notes that in relying on legitimate interests (rather than consent) “your legitimate interests need not be in harmony with those of the individual. However, if there is a serious mismatch between competing interests, the individual’s legitimate interests will come first.”
This is similar to the balance already contained within the Fundraising Code of Practice, which notes that you must not engage in fundraising which is “an unreasonable intrusion on a person’s privacy; is unreasonably persistent or places undue pressure on a person to donate”
So the question has always been, and remains – what is reasonable to you, as a charity (and ultimately your Trustees) when it comes to your approach to collecting and using personal information for fundraising – especially if you are not relying on an individual providing their consent?
The ICO then tackles the other end of the scale – using multiple sets of personal information you do not already hold – whether from a publicly available source or not (see below* for more on reusing public personal information) to inform you about them; to build a profile of them; to make judgements about them – i.e. where there is likely to be a far higher level of privacy intrusion.
In such cases, the ICO states “the legitimate interest condition is highly unlikely to apply. So you’d need to seek the consent of individuals before doing such processing. It follows that there is an element of risk in relying on the legitimate interest condition for wealth screening. For more certainty you should seek the individual’s consent.”
So at this end of the scale the ICO is strongly recommending obtaining the individual’s consent…but still does not close the door completely to relying on legitimate interests. The ICO is saying it is a matter of balance and risk: does the intrusion reach a level where the potential harm to the rights and freedoms of the individuals whose personal information you are processing is too great? Or does the potential harm remain at a level where you would happily explain to anyone who asks – e.g. John Humphrys on Today – why you were happy not seeking the persons consent to undertake the type and degree of wealth screening you engaged in?
Regardless of how you justify your collection and use of personal information, the ICO is clear: you have to be fair and transparent; you have to ensure individuals are informed about your planned use of their personal information. The ICO highlights that
“the purpose of providing a privacy notice is to ensure that individuals have a reasonable understanding of how their personal information will be used and by whom…
“if individuals know the processing is taking place, they can exercise their rights over it, such as the right to object to the processing. If individuals remain unaware, they cannot do this…
“A privacy notice should be clear enough for an individual to reasonably foresee how and why you’ll use their data.”
The ICO supports this with three key statements:
- “if an organisation is able to successfully provide the information required, then it is practicable for it to do so.”
- “if it would be relatively easy for you to inform individuals, you should always do it, even if the effect of the processing on them would not be that great.”
- “if you have individuals’ data and it’s feasible to give them a privacy notice – because you have lists of their names and addresses, for example – then you should do so.”
It is also worth noting that the ICO’s push for greater transparency is being driven by the GDPR: one of its new requirements is informing people (where you did not obtain the information directly from them) about where the personal information you have on them originated from…including whether it came from publicly accessible source (Article 14(2)(f)).
Re-using publicly available information
The ICO notes that the Data Protection Act (DPA) “doesn’t stop you getting and using information from publicly available sources.”
But, as always, it’s a balance: “you need to ensure that the way you do it complies with all the DPA’s requirements.” Just because “personal information is publicly available doesn’t make it ‘fair game’. And it doesn’t make further use of that personal information for any purpose fair. An individual’s reasonable expectations are part of the assessment of whether you are processing personal information fairly.”
“The purposes for which you intend to process the personal information must be compatible with the purposes for which its processing was originally intended.
i.e. “So when you are getting and intending to use this information, you must compare the original purpose for which it was collected and used against the purpose for which you intend to use it.”
So, again, this is a judgement – you need to consider the individuals’ reasonable expectations; the potential effect on them and what they have been told. There is space for rationale assessment: what public personal information are you relying on? What is the source? Why is it in the public domain – did legislation force it there (so the person had no choice about it being public)? What were people told might happen to their personal information (or not)? Did the individual chose to make their personal information public? Does the person have a public profile? Does this mean they are likely to expect you to know about them, or might they have lower expectations of privacy?
Gary Shipsey is co-author of the Fundraising Regulatory’s new guidance – due to be launched at the Fundraising and Regulatory Compliance Conference on 21st February 2017.