Small change

Some senior figures in the charity sector have sought to deal with the Information Commissioner’s recent enforcement against the RSPCA and the British Heart Foundation by suggesting that the ICO’s action is disproportionate and unfair. The fundraiser, sorry, academic, Ian MacQuillin has written two blogs which touch on the theme, while a few days ago, Robert Meadowcroft, the Chief Executive of Muscular Dystrophy UK, tweeted:

If the is impartial regulator it will investigate practices of and not simply pursue charities

As 2016 is now disappearing over the horizon, I thought it was worth testing the hypothesis that the ICO is taking disproportionate action against charities, and that the fines and other enforcement against charities are unrepresentative. TL;DR – it’s complete nonsense.

In 2016, the ICO issued 34 civil monetary penalties – 11 under the Data Protection Act, and 23 under the Privacy and Electronic Communications Regulations (PECR). There are a number of different ways of looking at the figures, and none of them show any evidence of disproportionality.

1) Charity CMPs as a proportion of the total in 2016

Of the 34 penalties, 2 were against charities, so 6% of the ICO’s CMPs in 2016 were against charities.

2) Amount charities were fined, as a proportion of the total in 2016

The CMP total was £3,225,500. The total of CMPs issued against charities was £43,000. This is 1.3% of the total.

3) Proportion of Data Protection CMPs issued to charities in 2016

If you look only at the CMPs issued under Data Protection, the charity proportion is not insignificant – there were 11 DP CMPs, so the 2 charity CMPs are 18% of the total – the same as the police, 1 more than councils, but less than the private sector or the NHS (3 each). However, this is the only comparison where charities feature significantly, and they are not the dominant sector. The next two comparisons are also instructive.

4) Proportion of PECR CMPs issued to charities in 2016

None. This is despite widespread breaches of PECR by charities, including phoning donors who are on TPS and sending texts and emails without consent (for example, the vast majority of mobile numbers gathered via charity posters in 2016 were obtained in breach of PECR).

5) Proportion of CMPs issued for marketing related activities in 2016

There were 21 PECR CMPs related to marketing, and 2 DP CMPs related to marketing, making 23 marketing CMPs in all. 2 were against charities, which is 9.5% of the total. Given the big charities’ disastrous approach to marketing, this relatively small number is astonishing.

6) Level of CMPs in 2016

The average DP CMP was £108,500; the average charity DP CMP was £21,500.

The average PECR CMP was £84,666.75; there were no charity PECR CMPs.

The highest DP CMP was £400,000; the highest charity DP CMP was £25,000.

7) Other enforcement in 2016

There were 22 enforcement notices issued by the ICO in 2016, 8 under DP and 14 under PECR. 1 of the 8 DP enforcement notices was against a charity, which is 4.5% of the total, or 12.5% of the total DP enforcement notices. Either way, it is a small percentage of the total. Again, if you count the number of marketing related enforcement notices, there were 15, of which 1 was against a charity. This is 6.6% of the total.

8) CMPs since 2010

There have been 69 DP CMPs since 2010 that I can find (they drop off the ICO’s website after a few years); 4 were issued against registered charities, which is 5.8% of the total. The average DP CMP was £114,163, whereas the average charity DP CMP was £78,250. It is worth noting that these figures are slightly skewed by the £200,000 penalty against the British Pregnancy Advisory Service, which is a registered charity but receives most of its funding from the NHS.

The CMP against the British Heart Foundation was the 8th lowest CMP overall, while the CMP against the RSPCA was the 9th lowest. The only organisations to receive lower penalties than the charities were small businesses, unincorporated associations, and a bankrupt lawyer.

There have been 47 PECR CMPs that I can find since 2012; none have been issued against charities, which is 0% of the total.

Conclusion

These figures will likely be different in 2017. The ICO has signalled that more DP enforcement against charities is coming, and so the proportion of DP penalties may rise when the totals are in, but that depends on a variety of different factors including the number of other penalties and the ICO’s general approach. However, when you look at the facts for 2016, MacQuillin and Meadowcroft are wrong. Despite years of ignoring the Data Protection and PECR requirements in favour of a flawed, fundraiser-driven approach, the ICO has not taken disproportionate action against the charities. The action taken is a small percentage of the overall total. Special pleading and blame-shifting will not help the sector. Compliance with the law will.

Comments

  1. Concerned says:

    In order to make a valid case that charities aren’t being disproportionately targeted, you would also need to reference some sort of figure to account for size of sector — whether that is size of income, volume of contact with the public, etc. I think you’d find that when you take the size of the charity sector into account (income of £40bn from all sources vs a total economy of £1.8 trillion, so charities representing c. 2% of the economy), there is a clearer argument that they have been unfairly targeted. The language of the adjudications is also highly inflammatory in a way that it is not for firms outside the charity sector.

    • If charities amount to 2% of the economy, and represent 1.3% of the fines, I think you’ve made my point for me. If you want to quarrel with the content of the press releases, I think that’s a side show to the main event of serious breaches for which the two charities concerned did not really take responsibility. Charities in breach of DP and PECR need to stop making excuses, start complying with the law, and then none of this will happen again. It’s entirely avoidable, but only if the rogue charities want to avoid it.

      • Concerned says:

        2% of fines but 18% of CMPs? Point is disproportionate targeting of charities. Size of fine reduced to minimise bad PR for ICO and to encourage charities not to appeal so looking at fines least meaningful of the comparator metrics. Volume of contact with public (far more relevant, but basically impossible to obtain) for charities will be far smaller than for commercial firms because charities spend far less as a % of their income on marketing than commercial companies do. So yes, I think they have been unfairly targeted and the inflammatory language in the adjudication is, far from a side-show, highly relevant bc it reveals the motivation and personal biases of the regulator.

      • What evidence do you have for the claim that the Commissioner is motivated by personal bias? That’s rather defamatory.

  2. Agree with Tim. Charities need to recognise that their motives do not give them a let-out from compliance with the law. The arguments against these penalties appear to hinge on the fact that charities are not-for-profit and had good intentions. Fine. Let’s compare the response (by ICO and media) to breaches within public sector bodies (NHS, local authorities) – which are also not for profit and are constituted for the public good. Case closed I think? Charities appear to me to have been given more/longer leeway than most: with the occasional exception (British Pregnancy Advisory Service springs to mind) it seems to be only now that we’re seeing them held to account. A number of years ago I was present when Dawn Monaghan of the ICO acknowledged that penalties going direct to the Treasury was not helpful in a resource constrained sector (NHS in that case). She suggested that the penalty should still be imposed, and ringfenced by the organisation to implement the necessary improvements. This does seem fairer: it’s not what the law says though.

  3. I agree that special pleading is hardly likely to carry weight with ICO or an Appeal Tribunal. And it’s hard to argue with your statistical analysis of compliance action in respect of charities against action in respect of other sectors.

    But statistical analysis is not the only measure of “disproportionate” or “unfair”. This appears to me to be a regulatory environment which is more like a social science than a “hard” one. In the latter there are absolutes. But when dealing with an environment in which terms like “any other information necessary to make the processing fair” are the basis of compliance or non-compliance it seems perfectly possible to argue that any action taken by the regulator may be disproportionate, even if there were just one action taken by that regulator. It’s also possible that just one fine could be regarded as unfair.

    I want to address the rest of this comment to the practices which have been fined other than the sharing of data with other charities.

    The language used in all of the documentation that ICO has produced about RSPCA and BHF has been full of emotion, especially the press release and new guidance to consumers which has been put on its website. While ICO does have a remit to educate, any regulator needs to do so based on evidence. Enquiries to date have not revealed ICO’s evidence base for the harm which it alleges has accrued to people through address updating and wealth screening. It is entirely possible to argue that, since the evidence base appears to be absent, the penalties may be unfair. We are being asked to take it on trust from ICO that they know that harm has occurred.

    The two charities have been fined for breaches of Principle 2. ICO argues that the practice of finding a new address for someone who’s moved house and whose address is publicly available through the Post Office’s National Change of Address service is a breach of Principle 2 (although this appears to be at odds with Principle 4.) So this must include those with an active direct debit and Gift Aid declaration. But it’s not possible to claim Gift Aid without an up to date address. ICO argues that the evidence base for this being a breach of Principle 2 is that the person had not supplied their new address and therefore does not want the charity to know where they are. It is possible to counter-argue that they have simply forgotten to update the address and that their continued giving is a sign that they remain interested in the charity and, since the Gift Aid declaration signed by the donor emphasises the importance of an up to date address for it to be effective, the data subject can expect the charity to make efforts to keep someone’s address up to date. And if this is the case then it’s an integral part of processing data for the purpose of a Gift Aided donation. And therefore ICO’s argument that it’s a breach of Principle 2 is, at least in respect of these data subjects, erroneous and therefore unfair.

    So, if I understand Principle 2 correctly, much of this depends on what the person reasonably expected when they were told their data would be processed for fundraising purposes. Is keeping an address up to date from publicly available sources an expected part of the reason the person provided their data (not least to claim the tax relief the donor had asked the charity to do), or a wanton breach of Principle 2? I know of very little, if any, research in this area. This means that the CPNs, and the tone of the language around them, has to be based at least partly on conjecture by ICO. It’s reasonable to ask if that’s a fair way of regulating.

    There are a number of problems with the communications from ICO on this. The press release and the “information for the public” list the three areas of problematic processing in the reverse order to that in the actual penalty notices. Is the order significant? I don’t know, but it would have been safer (and less open to criticism) to have used the same order, especially since the breach on which ICO is probably on the firmest ground is demoted to third place in the documents aimed at the general public.

    The penalty notices say “In fact, the public is arguably entitled to expect charities to be especially vigilant in complying with their legal obligations.” On what evidence base does ICO base this assertion, and in any case is it relevant? And if there is no evidence then it is certainly potentially unfair to have included it as an “aggravating factor.”

    I don’t want the reader to get the impression that I am arguing charities should have a free-for-all, or even special treatment, although in some EU jurisdictions they do have the latter. But it is difficult that the enforcement on wealth screening and address updating, especially in respect of Principle 2, appears to be based on a scanty evidence base and hung on the back of enforcement in respect of data sharing which is more difficult to do lawfully.

    I await enforcement action from ICO on the whole Executive Search industry for trawling publicly available information to build up their candidate banks, and on Experian and the other data warehouses which sell all sorts of aggregated publicly available data for purposes other than that for which it was originally collected, on Tesco for their profiling of me based on their Clubcard data without an adequate notice, and on my local NHS trust which wrote to me to say that unless I opted out they would share my medical data with local Social services on what they called an “implied consent” basis.

    If that enforcement action begins to happen in respect of these things as well then I will concede that all sectors are being treated equally and that the action on charities was not disproportionate and not unfair. I might argue for a change in the law too, but that’s a separate matter.

    • First, and this isn’t quite as smart-arsed a point as it may sound, neither of the charities have been fined for principle 2 breaches. They have been fined for principle 1 breaches i.e. a breach of the fairness principle. The fact that you didn’t even do enough research to be able to tell the difference between one principle or another, or even just check the numbers, is instructive.

      * UPDATE: The above is bollocks. I was typing from memory, and completely forgot they did both principle 1 and 2. I think the fact that I had a go at Mr Beney for not doing his research is the best bit. I am a lazy moron. UPDATE ENDS*

      Second, you’ve very carefully spent the bulk of your comment on the least dodgy sounding practice i.e. keeping data up to date. The charities did not just keep gift-aid information up-to-date. They shared data with unnamed charities for a variety of different purposes, including to do further marketing. Treating donors as no more than prospects to be further milked is a fairly unattractive way to look at people on whose generosity the whole of the charity sector is founded. Ian MacQuillin is very keen for the beneficiary not to be forgotten, but to be so dismissive of the breaches that most directly affected donors is to go too far the other way.

      Third, there is no emotive language in the notices themselves. I am sure the big charities didn’t like to see themselves being criticised; nobody does. The best way to avoid criticism and bad headlines is to behave better, rather than shooting the messenger, however keen for a headline the messenger might have been. It isn’t as if charities aren’t happy to get media coverage when it’s positive; this is what the other side of the coin looks like.

      I’ve seen a lot of assertions about the other sectors who do the same thing that the charities do, and I accept that Experian and other data brokers are long overdue the ICO’s attention. But somebody had to be first. Especially as the General Data Protection Regulation is coming, the ICO has to gear up for a much stricter regime, and start to send out these messages. The Daily Mail dropped a heap of evidence in the ICO’s lap, and a parliamentary committee roasted the previous Commissioner for years of not bringing charities to heel. He reacted, and here we are. At worst, you could argue that the charities were in the wrong place at the wrong time. But they were still in the wrong place. Like any breach of any law, civil or criminal, not everyone is caught. Most, indeed, are not. The big charities got caught. They can continue to make excuses, or they can pick themselves up, brush themselves down, and do better in future.

      At the end, you seem to want it both ways. It’s unreasonable for the Commissioner to say that charities should have higher standards than other organisations, but you hint at special treatment even as you say that you don’t want it, which is hypocrisy. Either we can expect higher standards, or we can treat charities like the other sector with the most aggressive and intrusive tactics, indeed, the sector some of the big charities most resemble in their marketing. Like some of the big charities, the claims management sector targets elderly and vulnerable people, it uses outsourced, target driven call centres, shares data about individuals in secret, it sends texts and emails without proper consent, and it flouts the TPS. It’s clear that you don’t think charities should be judged by higher standards, so I would argue that they should be judged like their cousins in the PPI and accident claim business, which means the very low fines should not have been levied. They should have been much higher.

      Both the RSPCA and the British Heart Foundation still have a small window in which to appeal. If you are right about the absence of harm, the CMPs would fall apart. They would be invalid. Of course, the ICO would be perfectly within their rights to call donors to the Tribunal, to get witness statements from those who have been profiled or whose data has been shared. Moreover, while the Commissioner’s notices contain only the detail necessary for the case, the Tribunal lifts the lid on the whole situation. I would be absolutely fascinated to see the business model of either charity fully ventilated in the Tribunal – the ball is absolutely in their court if they want to roll the dice. Just as importantly, the ICO backed away from enforcement notices. No practice, no tactic has been banned – if anything for which either charity has been fined can be done within the constraints of Data Protection, the ICO has done nothing to stop it.

      • Thanks for the quick reply. Para 4 of the RSPCA notice says “The penalty is based on serious contraventions by RSPCA of the first and second data protection principles under Schedule 1 of the DPA.” Paras 43 and 54 of the RSPCA notices also say that the charity contravened DPP2. When I read your answer I thought I’d imagined it, but that’s not so. So I respectfully disagree with the first para of your reply.

        I don’t argue charities should be treated differently – and take your point that parity could mean higher fines – but it seemed worth noting that some EU countries do so, and that seemed to set a little more context for what I wrote.

        It appears that BHF has decided to pay https://www.bhf.org.uk/news-from-the-bhf/news-archive/2016/december/bhf-response-to-ico-decision although a group of donors has decided to give extra in order to fund the fines.

        You suggest that my lack of discussion of the data sharing is “careful”. Rather I would say it’s “precise.” Your original post was about whether or not the fines were unfair and / or disproportionate. You will note that I did not argue that this might be the case in respect of data sharing. I was interested in exploring whether or not the enforcement action in respect of the non-sharing practices had the potential to have been unfair or disproportionate. I’d happily discuss wealth screening as well as address updating if you like. I chose address updating because the actual process is so simple and that made my point about the potential for unfairness easier to make.

      • I made the mistake of replying on the fly, and caught myself out in the process because I forgot that the ICO decided that the main principle 1 breach led to a second principle 2 breach. The ICO did cite principle 2 and I forgot that – my apologies for the mistake. This is what comes of being a smart arse replying too quickly.

        The thrust of the notices is principle 1 – they’re about what people were told. It’s a weird thing to argue that the incompatibility is the issue that makes the ICO’s action disproportionate when there is a bigger, much more significant breach that always would have been problematic. When you say “if I understand Principle 2 correctly, much of this depends on what the person reasonably expected when they were told their data would be processed for fundraising purposes”, that’s much more of a principle 1 issue. Similarly, “any other information necessary to make the processing fair” is principle 1, not 2. Profiling people and sharing their data without their knowledge is a breach of principle 1 – there is then a knock-on breach of principle 2 if the data was used for an incompatible purpose.

        Even if you think the second use is compatible with “fundraising purposes”, it’s a meaningless decision if people didn’t properly understand what the purpose was. Fundamentally (and here is where my memory led me down a blind alley), everything that the charities got wrong here happened because of a principle 1 breach. People don’t know that charities profile them and share their data. A fundraising consultant might well know what fundraising involves, but the average person doesn’t. If the charities had been more direct about what fundraising involves, these problems couldn’t have arisen. I think secret profiling is unethical, but it also happens to be a breach of Data Protection. If BHF have decided not to appeal, it doesn’t suggest they had much faith in the argument.

      • I get your point about Principle 1 and 2 and the interaction between them. And accept that I have a much fuller knowledge of what fundraising involves than the average person. I have argued that if one was fundraising from a “Guild of Retired Fundraisers” then a privacy notice which said “We’ll do all the things you’d expect” might be OK, but in all other circumstances it wouldn’t.

        I had a conversation online with someone from ICO before Christmas in which I tried to explore what would be a lawful condition for processing in respect of the example I gave in my original reply – the address updating stuff. I was told I would always need explicit consent to do this. I asked about legitimate interest together with a very clear privacy notice and was told that until GDPR the only condition for lawful processing in respect of direct marketing was explicit consent. I questioned this, suggesting that address updating in itself was not direct marketing and that in some cases legitimate interest + privacy notice is OK for direct marketing, in response to which I was referred to the charity section of the new DM guidance, which says nothing about the question I was asking. When I questioned this the person said that s/he’d said all that she was going to say, but I could ring up for further guidance when I’d read the whole DM document if I wanted.

        Albeit that this was a “first line of response” enquiry, it left me wondering how to ensure that one does comply with the law.

      • If this was the helpline that you rang, forget it. Ring them again, you’ll get a different answer.

        The method of communication is overlaid with the rules in PECR, so when you get to texts, emails and automated calls, charities can’t use legitimate interest and the so-called soft opt-in is ruled out for fundraising because it doesn’t involve a sale. As far as I can see, if you’re looking at profiling or updating, it’s consent or legitimate interest. I don’t see how the ICO can say in a blanket way that processing that doesn’t involve direct marketing is definitely consent rather than legitimate interest. If they’re saying that, I think it’s nonsense. The difficulty comes in the clarity of the privacy notice – it cannot be long or complex, and it has to be written in plain language rather than waffle and euphemism, which is what most privacy notices look like (in every sector).

      • On this one you and I are in complete agreement! In my example I was very clear it was mailed communication so no PECR.

      • Tues 4 2017 16.53 “I’ve seen a lot of assertions about the other sectors who do the same thing that the charities do, and I accept that Experian and other data brokers are long overdue the ICO’s attention. But somebody had to be first.”

        ‘scuse me and all – charities aren’t first. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2015/02/ico-given-new-powers-to-audit-nhs/.

        Perhaps we should be celebrating that the NHS must be getting better if the ICO has time to pay attention to other sectors now? /devil’s advocate.

        Declaration of interest: I’m currently working in the NHS.

      • I should clarify that I meant somebody had to be first in getting enforced on for profiling. There’s been plenty of enforcement over the years, but several charity people have asked why the ICO acted on wealth management and profiling against charities when they could have done Experian, executive search or the financial sector. So that was my answer – somebody had to be first. It is worth saying that while the NHS weren’t the first to suffer from mandatory audit (that was central government), they have had many more penalties issued against them than the charity sector.

    • @Tim 3.16 pm 5 January (aside: I am useless, can’t work out how to quote or reply to the exact post). You’re right on all counts, lazy of me. The point I was supporting was that charities are not being hard done by or special cases when it comes to compliance.

      Re: ICO – they’re advertising at the moment for case officers – the people who answer the phone. Starting salary is only £19K/year and change. Would anyone with both qualifications AND experience who doesn’t live on the doorstep get out of bed for that?

  4. “If this was the helpline that you rang, forget it. Ring them again, you’ll get a different answer.”

    Not so much the elephant in the room as the dinosaur. How can we trust an answer we receive from the ICO’s helpline if it differs from person to person? This is not encouraging.

    “If the [ICO] are saying that, I think it’s nonsense.”

    But if the ICO can get it wrong, as this example implies, what hope is there for everyone else? Even less encouraging…

    • There is a clear answer to this one (well two answers). The first is to say again, seriously, do not ring the helpline. It works acceptably as a helpline for members of the public (most of the time), but it is useless for data controllers and the ICO should stop pretending that a quick phone call to a relatively junior ICO official will give a workable answer. They do their very best, but it’s not a job that I believe that the ICO equips them for, or that anyone who wasn’t a massively qualified, long-experienced expert could have a stab at doing.

      Second answer – always ask which section or principle of Data Protection backs up a person’s opinion. I’d love to see the bit of the Data Protection Act that says you can’t use legitimate interest for direct marketing purposes.
