Fair Cop

The bedrock of Data Protection is fairness. You cannot gain consent without fairness. Your interests are not legitimate interests if they are secret interests. Unless you have an exemption or you claim that telling the person represents disproportionate effort (i.e. the effort of telling outweighs the actual impact), you have to tell the person whose data you are using the purposes for which their data will be used, and any other information necessary to make the processing fair.

The ICO’s Privacy Notices Code of Practice is not ambiguous, nor was its predecessor. It is impossible to read the ICO’s published guidance on fair processing without taking away the key message, consistently repeated for more than a decade: if something is surprising or objectionable, especially if it involves some kind of impact or sharing outside the organisation, it should be spelt out. New-ish Information Commissioner Elizabeth Denham seems to have chosen to reverse the ICO’s previously timid, unimaginative approach to the first principle with a pair of civil monetary penalties against charities. We have one each for the Royal Society for the Prevention of Cruelty to Animals, and the British Heart Foundation, with the promise of more to come. You might say it was unfortunate that charities are first in line rather than, say, credit reference agencies or list brokers (to be a touch tautological). It was the charity sector’s misfortune to fall under the Daily Mail’s Basilisk gaze, and they have to accept that we are where we are.

To issue a civil monetary penalty, there are three hurdles for the ICO to clear. Firstly, there must be a serious breach. Both charities used commercial companies to profile thousands (and in one case, millions) of donors, buying up data from publicly available sources* to assess their wealth and resources; they shared data with other charities whose identity they did not know via a commercial company; and in the case of the RSPCA, they bought contact details to fill in the data that donors had provided. The average donor did not have any idea that this was happening. I can see there’s a problem that when everyone in the charity sector knows that wealth screening goes on, it seems normal. But I’ve been using it as an example on my training courses ever since the Mail revealed it, and, bearing in mind that attendees are often seasoned data protection professionals who know about data sharing and disclosure, they are invariably shocked and in some cases revolted by what I tell them.

There is no doubt in my mind that this processing needed to be spelt out, and there is no doubt from the notices that it was not. ‘Carefully selected third parties or partners’ has been a stupid lie in marketing for years, but not even knowing where the data goes is much worse than the usual flogging it to all comers. At least the list broker knows who he’s flogging it to, even though the only careful selection is the ability to pay.

The second hurdle is the need to show that the breach is likely to cause damage or distress to the affected data subjects. It’s been known for quite some time that the ICO was planning to take enforcement action over the Mail stories, and the gossip I heard from charities was that fines were likely. I’ll be honest, I wasn’t convinced. The Information Commissioner lost a Data Protection Tribunal appeal from Scottish Borders Council because they bungled the damage / distress element of a £250,000 CMP over pension records found in recycling bins. ICO made a flawed claim that the loss of paper pension records was likely to result in identity theft, but Borders had an expert witness who could argue convincingly that this was not true. The link between the breach (the absence of a contract with the company processing the data) and the damage was broken, and the ICO lost.

But this case is different. The ICO does not need to make a link between an incident and a breach, because they are bound up together here. Both notices show that the ICO has given considerable thought to the distress angle. There is no question that the charities breached the first principle, and their only hope for an appeal is to convince the Tribunal that people would not be caused substantial distress by secret profiling and data sharing after an act of generosity. This is not science, and all I can say is that I am persuaded. But for an appeal to be successful, the charities will need to persuade a Tribunal with strong experience and knowledge of DP and PECR from the numerous (and almost exclusively doomed) marketing appeals.

The third element requires the breach to be deliberate or a situation where the charities ought reasonably to have known about the breach. As I have already said, the ICO’s position on fair processing is well known in my sector and available to anyone who can type the ICO’s web address. I think it’s possible that the charities didn’t know what they were doing was a breach, but in my opinion, this is because the Institute of Fundraising and the Fundraising Standards Board effectively acted as a firewall between charities and reality. The advice (often inaccurate and out of date) came from the IoF, and complaints about charities went to the FRSB and no further. When your code of practice is written by the people who earn their living from fundraising and most in your sector are doing the same thing as you are, it’s not hard to fool yourself into thinking it’s OK. But ‘everybody does it’ will cut no ice with the Tribunal. The RSPCA and the BHF are not tiny charities flailing in the dark – they are massive, multi-million pound operations with vastly greater resources than many of my clients.

Daniel Fluskey, head of Policy for the Institute of Fundraising, whose apparent lack of experience or qualifications in Data Protection does not prevent him from writing inaccurate articles for the charity sector on GDPR, has already weighed in, saying that the ICO should be providing the specific wording that charities require: “Charities need more detail on the ICO’s view of what lawful practice looks like: what form of words would have passed the test?” The Information Commissioner is the regulator for every organisation, of every size and shape, that processes personal data. If they start writing tailored wording for charities, they will have to do it for everyone else as well. It is a ridiculous demand. I think the ICO should move on to the data pools, wealth screeners and list brokers, but if she could find the time to issue an enforcement notice on the Institute of Fundraising, forbidding them ever to speak or write on Data Protection matters again, the third sector would have a fighting chance of complying.

Besides, how hard is it to find compliant wording? Nobody – especially not the trade association for fundraisers – should be allowed to present this as a byzantine and complex task. The individual doesn’t need to know what software you’re using, or whether cookies are involved. They need to understand the purpose – what are you collecting, what are you going to do with it, who are you going to give it to? This should be presented without euphemism or waffle, but it’s when you strip out the legalistic nonsense that you see the problem. It isn’t that the poor charities were labouring under the burden of complex data protection rules. They could not comply with the Data Protection Act because what they were doing (and in RSPCA’s case, are apparently still doing) is so unattractive:

  • We will share your details with unspecified charities via a commercial company. We don’t know who they are.
  • We will buy your phone number, postal or email address from a commercial company if you have not given it to us.
  • We will use commercial companies to compile a profile of your wealth and property to work out whether to ask you for further donations. If you are likely to be worth a lot when you die, we will use this information to ask you for a bequest.

When Reactiv Media appealed their PECR penalty, the Tribunal rejected their appeal and increased the penalty. Like a lot of the spammers, they put themselves into administration to avoid paying up, but this option is not available to household name charities. If either the RSPCA or BHF appeal, they are dragging themselves deeper into the mud, and very possibly spending thousands more of donors’ money to do so. If they say that what they did wasn’t a breach, or that they couldn’t have been expected to know that it was, their officers, advice and business model will be scrutinised to a doubtlessly painful extent. The claims management company Quigley and Carter found themselves described as “feckless” and “most unimpressive” in the course of being filleted during a recent failed appeal. Do charities really want that? Even if they decide to roll the dice solely on distress, does either charity really want to acknowledge a serious breach that they knew or ought to have known about in the hope of getting the fine overturned on a technicality? Do they want ICO to call donors as witnesses?

The business model of pressure selling, TPS-busting, heavy texting, data sharing and donor-swapping adopted by some of the UK’s most celebrated charities resembles nothing so much as the activities of the claims management, PPI spammers (i.e. the scum of the earth). For all the noise and bluster on Twitter and in the charity press this week, there is an uncomfortable truth that has to be faced. The hated Daily Mail unearthed it, and the ICO has rightly acted on it. Some big charities have run an end-justifies-the-means approach to marketing and they have got away with it for a decade. Fundraisers ruled the roost, and compliance has been sidelined or ignored. Given how much money the RSPCA and the BHF have raised from fundamentally unlawful practices, they should pull back and rethink how they get donations in the future. They should ignore the Institute of Fundraising’s every word on Data Protection and PECR, and like every other charity, concentrate on reading and applying the ICO’s Code on Privacy Notices and guidance on Direct Marketing.

And right now, if there is a fundraiser sitting with the two CMP notices working out how to devise a method to raise loads of cash for their cause while at the same time complying with Data Protection and PECR, I hope they wipe the floor with everyone else.

*citation needed

What do they know?

A few months ago, a dispute arose between the popular / reviled* FOI request website What Do They Know and a landlord in Bournemouth, after his address was inadvertently included in an FOI response. The landlord asked for his address to be removed, and What Do They Know refused. WDTK volunteer Richard Taylor described all this on the site, drawing attention to the fact that the address was still there. I can see no evidence that WDTK informed the landlord that they would publicise the fact that he had complained; my guess is that they did not.

The landlord complained to the ICO. Replying to the ICO on behalf of the charity, Taylor claimed that there was a legitimate interest in continued publication, but hedged his bets by stating that WDTK was exempt under DP’s S32 journalistic purposes exemption. The ICO rejected both arguments and asked WDTK to remove the original spreadsheet. Again, Taylor wrote in detail about this on the site, revealing in the process that the landlord had complained to the ICO. It’s worth noting that the ICO never reveals the identity of those who make complaints to it, and I can find no evidence that the complaint was made public anywhere else. None of my correspondence with the charity has revealed any.

A similar issue arose last year. Another council published the name of a Unison official (apparently in error) and What Do They Know refused to take it down. Again, Taylor revealed the fact that the individual had complained to the ICO, although on this occasion the ICO chose to take no action. Taylor also researched the complainant and published information about his wife on the WDTK page. Though the information Taylor gathered was clearly in the public domain, at best, it suggests an unsympathetic attitude to those who raise concerns when their data gets published on the site.

The first Data Protection principle requires Data Controllers to process data fairly, lawfully and according to a set of conditions. In this case, the data controller is UK Citizens Online Democracy, the charity which runs My Society. Data Protection requires that people must be told how their data will be used, while the only condition available to What Do They Know is legitimate interest, which must be balanced against any prejudice to the rights and freedoms of data subjects. If you complain to What Do They Know, or to the ICO about What Do They Know, they’ll make this public and a volunteer may research your family relationships and publish that too. As Taylor’s comments are always couched in terms of ‘we’ and ‘us’, I believe that this approach is endorsed by the charity as a whole. This blows the legitimate interest argument out of the water: if a person cannot complain to either What Do They Know or the ICO without the matter being published by What Do They Know, there is clearly prejudice to their rights and freedoms.

The doomed use of S32 piqued my interest, so last month I asked What Do They Know for copies of: “any procedures or guidance available to control how personal data is obtained and published by My Society in the context of the What Do They Know website”. Of course, the charity isn’t covered by the Freedom of Information Act, but for an organisation whose public commitment to FOI and transparency verges on the obsessive, it’s not unreasonable to ask them to apply FOI standards to themselves. A month later, I received a reply:

“Personal data generally comes from users and public bodies and the site, and emails sent by it, contain lots of warnings when material is to be published online. We do our best to ensure our users, including those responding to requests at public bodies, are fully aware of what we do with the information we obtain.

NB: if you’re writing a blog post, please note how we write mySociety.”

That’s right – they didn’t give me the guidance, but Heaven Forbid I get the branding wrong. I persisted, pointing out they’d dodged the request for procedures in favour of a vague narrative answer. This time, I received a reply from Mark Cridge, the Chief Executive, setting out the decision-making process for What Do They Know (there was an opportunity for him to distance the charity from Taylor’s actions here, and he didn’t take it). On the specific request for procedures, despite the fact I’d pointed out that my request had been sidestepped, this was his reply:

We also have policies on our private internal wiki, which volunteers can refer to which provide more detailed guidance on our established policies, specific data protection guidance and key learnings from our experience of running the service for the past eight years

But he didn’t provide them, though this was what I had asked for twice. Yes, the charity is not covered by FOI and can do what it likes when annoying people like me ask them questions. No, this approach is not consistent with the values of an FOI campaigning organisation. In any case, it doesn’t matter, because I already know what the Private Wiki says about Personal Data:

Personal data in general

  1. We only consider takedown requests when we get them. We don’t pre- or post-moderate the site.
  2. The source of personal data is irrelevant, whether it is inadvertent, leaked with intent, or from someone who later develops “Google remorse”. The source of complaint/takedown request is also irrelevant, whether it comes from the data subject or a third party.
  3. Our responsibilities are therefore about deciding whether to continue to publishing or not, in line with our obligations as Data Processors, when a complaint about personal data [is] drawn to our attention, i.e. on a case-by-case basis
  4. We have DPA Section 32 on our side, so we look at the PCC code and weigh up the public interest

The guidance proves that Taylor’s use of S32 isn’t just a randomly clutched straw. S32 is an immense exemption – it removes more or less every Data Protection requirement except security. The fact that it doesn’t apply to What Do They Know (and we know that this is the ICO’s position) isn’t the only problem. The reference to What Do They Know being ‘Data Processors’ is even more stupid. Data Processors have no data protection responsibilities – they are merely agents of someone else. There are two problems here. First, it’s impossible for the charity to be simultaneously a data controller using S32 and a data processor – they’re either one or the other. Second, the subtext of both positions is that the operation of What Do They Know exists in a vacuum – whether it’s because they’re journalists or data processors, they’re not answerable for DP issues.

The absurdity of the charity thinking it’s a data processor is plain as soon as you try to work out on whose behalf they would be operating. They’re definitely not data processors for the public authorities, who have no option but to send data to the website. It’s equally ridiculous for the charity to think that they’re Data Processors for the applicants. If this was true, UKCOD wouldn’t be allowed to remove material from requests without the applicants’ permission, applicants would be the ones dealing with the ICO over complaints, and every What Do They Know user would need a binding legal contract with the charity, or find themselves in breach of the Data Protection Act’s seventh principle.

Guidance like this could easily create a sense of immunity and entitlement – whatever happens, we’re not covered. Worse than that, the volunteer who seems to take the lead on Data Protection issues is Taylor, an anti-privacy zealot who films people without their permission, without properly identifying himself, and publishes the results despite their explicit requests for him not to. When I contacted him about this intrusive behaviour earlier this year, he justified his antics with similarly vague S32 arguments. He also compared himself to Channel 4 News and Roger Cook, although I don’t think they ever stood in the rain filming a meeting through a window despite being invited inside. He also told me that he didn’t need to provide a Data Protection notification for his website because he claims the ICO says that ‘personal websites’ are exempt. They’re not, and the ICO doesn’t say so. I can’t prove that Taylor wrote the WDTK guidance, but I think it’s a safe assumption.

Whenever I write a blog like this about people who perceive themselves to be doing the right thing for the right reasons, one of the criticisms that is thrown back at me is that I am being deliberately negative. Why can’t I offer something constructive? Indeed, the last time I criticised What Do They Know, this is exactly what the former Director of My Society Tom Steinberg said. I did write a blog with some helpful suggestions of how What Do They Know could be improved, but none of my suggestions were taken up. This time around, I put my money where my mouth is. Last year, long before I corresponded with UKCOD or Taylor about these matters, I offered free Data Protection training to the volunteers at a time and venue of their convenience. I didn’t want any PR; indeed, I would have asked them to keep it a secret. Of course, I am not a cheerleader for What Do They Know – I think it can be an unhelpfully ideological enterprise, sometimes showcasing the worst aspects of FOI – but the offer was genuine and it fell by the wayside for reasons that were never explained.

So here we are. Cridge told me that the policies and procedures he didn’t want to show me will be reviewed, but how long has the above-quoted nonsense held sway? What Do They Know volunteers can shame complainants and dig into their backgrounds, while the organisation fails to be transparent over its flawed guidance. Of course, I didn’t tell anyone at What Do They Know that I knew what the guidance said, but if transparency is such an unalloyed positive, why couldn’t I prise it out of them?

It’s impossible to blame UKCOD for the fact that public authorities sometimes inadvertently disclose information in response to FOI requests. It would be unacceptable if data was accidentally sent to a single applicant. Nevertheless, What Do They Know magnifies the problem by publishing all responses and failing to moderate what goes onto the site. I’m not convinced Richard Taylor is qualified to be involved in complex decisions about the publication or removal of personal data on behalf of a charity. I certainly don’t have confidence in a system based on wildly illogical guidance, and which allows volunteers to publish information about complainants and research their backgrounds. Complainants must be treated with respect, even if their complaints fail.

UKCOD’s management and trustees cannot hide behind the volunteer nature of What Do They Know – the website is not a naturally occurring phenomenon, and it needs to be managed and controlled. They created it, they run it, knowing that they lack the resources to proactively moderate it. In the light of this, if it is in the public interest for FOI requests to be broadcast, exactly the same approach should be taken for how What Do They Know is run.

(*delete as appropriate)


Consenting adults

Around two months ago, the Etherington Review into charity fundraising and governance published a series of recommendations about the way the sector should be run. The most eye-catching and ridiculous is the Fundraising Preference Service, which I wrote about at the time. The reaction to the FPS from charities has been almost universally negative, with a series of articles appearing in charity publications and on charity websites, all condemning the idea that the public should be able to stop communications from charities.

There is nothing in Data Protection, the Privacy and Electronic Communications Regulations (PECR) in general or the Telephone Preference Service (TPS) provisions in particular that stops a charity from contacting a person who wants to be contacted. The FPS is non-statutory, and so cannot change it. Since 1995, Data Protection law has been built on a requirement that any contact based on consent requires a freely given, specific and informed indication of the subject’s wishes. That’s what the Directive says, so any claim that somehow the upcoming DP Regulation represents a significant shift in how consent works is exaggerated. The problem for some charities is they have ignored this. When I make a donation, that is a freely given, specific and informed indication of my wish to make that donation. If the charity wants to call me, or text me and rely on consent, they need a freely given, specific and informed indication that I want to be called.

The current practice of charity posters that ask for a quick £3 or £5 text donation for a specific cause is a classic example of how this doesn’t work. Yes, there is minuscule small print on the poster that indicates that further calls or texts will be made and I can opt out, but unless one has carried a magnifying glass onto the Tube or into the toilet cubicle, the text is impossible to read, and easy to overlook. Many charities using the one-off donation technique seem to be doing so to harvest mobile numbers for fundraising calls. In Data Protection terms, this is unfair and does not represent consent (breach of the 1st principle); in PECR terms, if the number is on the TPS, the charity has not obtained consent and any calls made to a TPS registered number harvested in this way will be unlawful.

An article in Civil Society published shortly after the FPS proposals were first mooted contains this key quote:

The idea is that members of the public would be able to simply and easily add their names to a “suppression list” so they would not be contacted by fundraisers. Rather than rely on charities using the existing mail and Telephone Preference Services, the FPS would allow you to put a stop to all contact with charities.

The TPS already allows you to put a stop to all contact with charities by phone, along with everyone else. Charities are not unfairly discriminated against by the TPS, any more than any other sector might be. The TPS is a blunt instrument, but it is a fair one. The fact that charities see the FPS as being a problem suggests to me that they either don’t understand the TPS (they believe the donation = consent nonsense), or they think they can ignore it. Civil Society reported at the end of October that the Institute of Fundraising (which represents, remember, organisations that make money out of fundraising, rather than charities themselves) was changing its guidance in line with the expectations of the Information Commissioner’s Office. The IoF nevertheless claims that this change (i.e. complying with PECR) “unduly” restricts the ability of charities to “maintain relationships with their supporters”.

Donation = consent isn’t the only myth that has been propagated. Civil Society’s David Ainsworth claimed a few weeks ago that all the blame lies at the door of the ICO (and that’s often a valid argument). The problem is, the story isn’t true. Ainsworth said “In 2010 David Evans, a senior data protection manager at the ICO, explicitly told charities they were allowed to call people registered on the TPS, so long as they received no complaints. Just in case there was any doubt, this was followed up with official guidance which effectively said that the ICO did not intend to apply the law to charities.” I asked Ainsworth on Twitter if he could provide evidence that this is what the ICO said. All he could provide was a note written by the Institute of Fundraising, who are hardly objective. But even that note contradicts Ainsworth’s article, stating the TPS position clearly, with only a little bit of nuance.

TPS regulations ‐ any person registered on the telephone preference service (TPS) cannot be called unless they have advised the calling party that they are happy to receive calls. In practice, a charity might judge that, given the nature of the relationship between them and the supporter, they might be able to make a marketing call to that subscriber despite TPS registration.

In truth, what Evans said is a line I have heard many times from different ICO people – if a data controller thinks it has consent, acts on that consent, and crucially, the ICO doesn’t receive any complaints, then they probably had consent. In other words, the ICO won’t act on complaints it hasn’t received. The ICO did not give charities an exception. Should any charity have bothered to investigate, they would have found that ICO has no power to do so. The problem was, as Christopher Graham told Parliament last month, there were thousands of complaints about charity direct marketing, but they were all going to the Fundraising Standards Board, a self-regulatory body that regulates the Institute of Fundraising’s code. The FRSB did not pass any of the complaints on to the Information Commissioner.

**UPDATE: originally, this blog said that the Fundraising Standards Board was ‘run by’ the Institute of Fundraising, which was poorly worded shorthand, treating the IoF as if they are the embodiment of fundraisers and charities. The FRSB is a membership body, paid for by its members (who are charities and fundraisers), and its role is to act as a self-regulator for the Code of Fundraising Practice drawn up by the IoF. I don’t believe that the FRSB is properly independent of the Institute of Fundraising, not least because they ‘enforce’ a code written by the IoF, and which was legally inadequate. I’m not the only person who thinks this: post-Etherington, the FRSB is being abolished, and responsibility for the Fundraising Code is being transferred to a new regulator. The IoF’s Chief Executive welcomed the new regulator’s creation (tacitly welcoming the abolition of the FRSB), and recognised that moving the Code from the IoF to the new regulator was necessary to avoid the perception of a ‘conflict of interest’.**

The biggest barrier to charities accepting legal reality – either by complying with the TPS, or with some workable version of the FPS if such a thing is possible – may be the fact that some in the sector don’t really believe in consent at all. Matthew Sherrington, a consultant writing in Third Sector this week, wasn’t exactly subtle: “The awkward truth, which is difficult for charities to argue publicly, is that the generous public (the UK is the most generous in Europe, as it happens) do not give off their own bat, but need to be asked” (my emphasis). The same argument was made by Ian MacQuillin, blogging on behalf of Rogare, a fundraising think tank: “Everyone knows that most people give because they are asked to do so” and later on “I suspect that the FPS would be used not just by people who really are on the receiving end of such a deluge of fundraising material that it was making their lives a misery; but more by people who want to spare themselves the difficult choice of deciding how to respond to a donation request, and the guilt and cognitive dissonance that results when they say no”. The thinking that runs through both articles, and others, is that fundraisers must be able to ask, that the potential donor / prospect / target (which is what we all are to the fundraiser) should not be allowed to opt out of being asked. We should have to listen to the pitch, and should be forced into the awkward, embarrassing (or in MacQuillin’s word) guilt-ridden option of saying no. There is, in this world, something inappropriate, even immoral in having a choice about whether to be approached in the first place.

**UPDATE: I have had a long Twitter conversation with Matthew Sherrington. He hasn’t put a comment on the blog (which he and anyone is welcome to do) but he thinks I have misrepresented what he said about consent and marketing, and I think that I should mention this. I stand by my comments above, but I’m linking to his article again here so you can read it and make up your own mind about what he says.**

It’s possible that fundraisers and consultants genuinely don’t understand the TPS, don’t understand that it’s already supposed to be possible to opt-out of every marketing phone call, or that texts and emails are opt-in in the first place. Fundraisers see widespread abuse of PECR and Data Protection, so assume that it’s all fine and that daft proposals like the FPS represent unfair singling out of the charity sector. At this point, it is fair to criticise the Information Commissioner for their generally insipid enforcement. I think there is also a sense of entitlement among charities (which is one thing, as most charities have a clear public interest objective), but also among fundraisers (who are, in the main, just private businesses making a profit). There are no exemptions. There is no charity carve-out or defence. The European Data Protection Directive, from which everything in UK DP and PECR law is derived, makes clear that charities are included along with everyone else. It’s in article 30, if you’d like to check.

In amongst all of the anger and self-justification available in the charity press, one article in Civil Society also caught my eye: “Trust in charities is at its lowest point since 2007, with charities now less trusted than supermarkets”, according to a survey carried out by npfSynergy. Some might blame the Daily Mail and Camila Batmanghelidjh, but purely anecdotally, on every training course about direct marketing that I have run in the past five years, the main examples people come up with for poor quality, persistent, sometimes rude marketing calls are either PPI or charities. Fundraisers and charities alike need to ask themselves if they want to be in company with spivs and spammers. Rather than try to rewrite history, or the law, or continue to adopt an approach based on pestering and guilt, perhaps the big charities should look at a business model that is bringing them into disrepute. There is a real question about how they raise funds without marketing calls and other contacts to people who don’t want to receive them. The only solution to this would be to get PECR and the DPA amended to remove charities from the marketing requirements, but as this would deprive the public of their existing rights and mean that the UK is in direct breach of EU law, I doubt they’ll get very far. I still think the Fundraising Preference Service is unnecessary in the light of existing provisions, but if it is implemented in some meaningful form, and finally gets the message across to the most unrepentant of charity spammers, maybe I’m wrong.

King Canute famously stood in the waves and ordered back the sea, but only to show that his powers were limited. Some charities and fundraisers are up to their necks in water, but think that they have the ability and the right to turn the tide of history. If they don’t wise up, they will drown.


A very bad call

A few weeks ago, I heard someone on the radio talking about why American bankers are prosecuted and imprisoned (sometimes), whereas British bankers almost invariably are not. The commentator said that American banking regulation is rules-based, whereas British banking regulation has historically been principles-based. Therefore, the American system is more black and white and it’s easier to cuff someone, as compared to a system that requires interpretation and analysis.

The same is true of the difference between Data Protection and the Privacy and Electronic Communications Regulations (PECR). Although Data Protection has some concrete rules (accuracy, the need for clear retention schedules), most of them are subject to interpretation. Imagine the delight of people I train when I tell them that there is often more than one correct answer, and all they need to do is explain why they think what they think. They love it.

PECR is different. PECR is rules. There are some areas for argument (for example, what counts as a ‘similar’ product or service when using PECR’s version of the offside rule, the soft opt-in). But most of the direct marketing section of PECR can be boiled down to rules. Texts and emails are opt-in. Phone is opt-out subject to screening against the TPS. Faxes are don’t be so stupid nobody sends marketing by fax these days. There are a lot of misconceptions around PECR; I read in The Times a few weeks ago that the charity exemption from the TPS was to be removed, even though it has never existed. Trawl the forums and comments of marketing websites, and you will find a widespread belief that customers can be considered to have opted in to marketing automatically, even though this is nonsense. However, because of all this hogwash, the application of the PECR rules can cause panic in the marketing world.

This week, I was sent an email that has been circulated to a variety of charity clients by a marketing company that specialises in making fundraising calls. It was sent after the Fundraising Standards Board (FSB), a self-regulating body for fundraisers, recommended changes to the FSB’s code of practice. Bearing in mind that the FSB code is just an industry standard, it’s not a big issue. The Direct Marketing Association’s Code of Practice is actually stricter than the law, and so is an entirely good thing. The tone is generally depressing. Having mentioned the tragic death of Olive Cooke, the email talks of “the continued focus on the treatment of vulnerable people, all of which can be considered valid points to consider improving”. That’s right: the treatment of vulnerable people is a ‘valid point’ to ‘consider improving’, but that’s not what they’re worried about. There are areas of “extreme concern” that they really want to talk about.

The first issue of extreme concern is a proposed change to the FSB code that states that fundraisers cannot call anyone on the TPS unless they have given clear permission to receive calls. This is because “The Information Commissioner’s Office has confirmed that it is not sufficient to assume that a TPS registered supporter has given consent to receive calls simply due to the fact that they have made a donation.”

The marketing agency says in bold type: “This potential requirement to TPS, prior to calling, is extremely alarming and could have devastating consequences for the future of telephone fundraising”. Bear in mind, it has been a requirement to screen all marketing calls against the TPS since the regulations came into force in 2003. There is no charity exemption, no existing customer or donor exemption; those words or concepts simply do not appear. The email talks a lot about ‘warm calling’, which is a marketing term that refers to contacting people with whom you have a relationship. Warm calling has no relevance to the PECR rules at all. It is a red herring. If I am on the TPS, you can’t call me unless I have given you consent. Consent cannot be inferred from another action – either I have consented or I have not. You can count me as a sceptic on the issue of tick-boxes and whether people have truly consented in many cases, but to bring in the concept of warm calling strongly suggests the absence of any meaningful consent at all.

The marketing agency has two solutions, one ridiculous and one concerning. The first is to lobby the Institute of Fundraising with “extensive evidence of the damage this would do”. In other words, keep unlawful wording in a non-statutory code to create the illusion that warm calling is legal. The lack of understanding of the legal framework they are working in is remarkable. The code is irrelevant – the fact that an industry code is wrong makes no difference to the law.

The second suggestion (again in bold type) is unacceptable: “contact every donor you do not have explicit consent to contact by telephone, whilst we have the opportunity, and get their expressed opt in”. If the charities already have consent to call TPS registered people, they don’t need to call them again. If they don’t already have consent, then calling them to get their consent is in itself a breach of PECR. All of these proposed calls would either be a waste of time or unlawful, and while the agency generously wants to ‘share the cost of these calls’, I doubt that they will be made at a loss.

The second recommendation to cause ‘extreme concern’ to the agency (rather than the misery and inconvenience they might be causing to the people they call) is a recommendation that the industry practice of making three donation requests during the course of a call could constitute ‘pressure’, rather than ‘reasonable persuasion’. The email goes on to set out the success rate of successive asks, with a 50% success rate on the third ask. The idea that the number of times the caller might ask for money during a call might be restricted to just two is anathema: “this would affect the whole of telephone fundraising”. In other words, we’ll lose money if we’re not allowed to pressure people.

The email ends with a touching moment of self-doubt: “We do also appreciate you may believe our email is driven by this agency’s self interests”. That thought didn’t cross my mind. Not even for a second.

There is a legitimate debate to be had about the morality of fundraising tactics, but only within the law. If chuggers are licensed to operate on public streets, then how they act is more about ethics than law. If charities and their agents have consent to call TPS-registered people, or they cold call people who aren’t on the TPS, the techniques that they use are an issue of morality. There is a strain of “end justifies the means” thinking in some charities that, in my opinion, can drag them down to the PPI, accident-that-wasn’t-your-fault level of marketing. How they square this with their charitable aims is a matter for them. I don’t think that charities should pay agencies to use high-pressure sales techniques on vulnerable people, but if it isn’t illegal, that’s just my opinion.

But the law is the law. A charity (and a marketing agency paid by them) cannot call someone registered on the Telephone Preference Service unless they have explicitly said that they (i.e. the specific charity making or instigating the call) can do so. A charity cannot call someone on TPS to obtain consent to call. There is no exemption, no loophole. An industry code of practice is irrelevant to this, whether it is right or wrong. Any charity which goes along with this is not just acting irresponsibly or selfishly: they are breaking the law. Any such calls should be tackled by the Information Commissioner as mercilessly as the spam texts and calls from claims and double-glazing companies that are their usual fodder. Indeed, there is a strong argument that Wilmslow should intervene to prevent any such calls from happening.

Underwhelming

The Information Commissioner has published the latest in a long line of undertakings, this time involving Northumbria NHS Trust. As always, the ICO’s press release is very misleading about what has really happened. This time, the notice has been ‘issued’, a word clearly intended to imply that the Trust had no choice in the matter. Recent undertakings have also purported to be “rulings”. However, the Information Commissioner has two powers to enforce the Data Protection Act, and the undertaking isn’t one of them.

Where the ICO identifies a serious breach of the DPA that was likely to lead to serious harm, and which the organisation could have prevented, they can issue a civil monetary penalty – it’s not technically a fine, although that’s the shorthand that most people use. In security cases, the breach is often the lack of training, the lack of management supervision, the lack of procedures or checks. It’s entirely possible for the ICO to issue a CMP without an incident (a loss or a theft of data), but they currently seem to lack the imagination to accomplish this. The CMP is a punishment – even if everything that was wrong has been put right, the ICO can still issue the penalty.

The other power that the ICO has is the Enforcement Notice. Here, there is no direct punishment, only the threat of prosecution if the notice is not complied with. The crucial difference between a CMP and an enforcement notice is that with the latter, the breach must be ongoing. The staff have not been trained, the laptops remain unencrypted, crucial and risky procedures are undocumented and unchecked. If an organisation refuses to undertake the steps required to put things right, an Enforcement Notice is plainly the tool to use. It’s possible – and logical – for the ICO to use either or both, depending upon the problem. They did both with Powys Council in 2011, for example. There could be a particularly heinous breach (CMP) which the organisation still hasn’t rectified (EN).

Neither of these problems is solved by an undertaking, a measure that is not even mentioned in the Data Protection Act. Put simply, an undertaking is the ICO asking the organisation to make a public promise that they will put things right and do better next time. If an organisation does not do what it has promised to do, there are no immediate consequences. If the ICO found an undertaking that had been ignored, they could do nothing other than issue an Enforcement Notice. Nothing is triggered by the failed undertaking in itself, whereas failure to comply with an Enforcement Notice leads to prosecution. There are people who think that the undertaking is a bargain to be snapped up – if you refuse to sign, an enforcement notice or CMP will be winging its way from Wilmslow. But think about what that means: the ICO thinks they could make the case for a CMP, but is letting the organisation off the hook. Do you believe that? Alternatively, the ICO thinks that there is a significant ongoing breach (an Enforcement Notice cannot be issued if the identified breach has already been dealt with), but is choosing to trust an organisation that has already cocked it up to sort it out because they’ve been asked to. Which is nice.

I can see what’s in it for the ICO. Their investigations advance at a glacial speed (I have spoken to data controllers who have dealt with enforcement for years on a single case), and the ICO’s reputation for being risk averse and indecisive is richly deserved. Going for an undertaking closes the case. Asking the organisation to sign an undertaking does not require the ICO to identify a breach that is sufficiently serious to survive scrutiny by the Tribunal, should the data controller decide to appeal, so rather than making a firm decision, the undertaking allows for woolly compromise. Crucially, the ICO can still announce the undertaking as if they have actually made a decision – DP people will tweet and comment, there will be some stories in the IT and local press, and overall, the impression of action will have been created.

However, I don’t understand how the undertaking is anything but a kick in the teeth for the cooperative organisation: they don’t need to be cajoled with an enforcement notice and don’t deserve a CMP. If the ICO thinks the organisation will do it without being forced to do it, would they really risk a tribunal appeal on an Enforcement Notice that the data controller might already have complied with? And on the other side, would they really risk letting a recalcitrant or unwilling data controller off with a glorified press release instead of a CMP or an enforcement notice? If an unsigned undertaking might result in a CMP, is there any evidence that any of those that have actually received an undertaking were first offered a CMP and refused it? And if not, why not? Why were they immediately punished, but all the undertaking recipients not?

I can see only two possibilities – the ICO lacks the confidence to enforce when they should be doing so (which is possible), or the ICO does not want to admit that it has spent months on a hiding-to-nothing case where the incident is more eye-catching than the breach. Wilmslow’s senior staff still have a real problem telling incidents and breaches apart, and the undertaking allows them to make a move without ever really deciding. If they offer your organisation an undertaking, they’ve already decided that they don’t have the evidence or the serious breach for a genuine exercise of their powers.

Don’t get me wrong, I have no problem with those that breach the DPA receiving CMPs and Enforcement Notices: I’m all for it. The absence of enforcement on fairness, dodgy re-use and selling of data, inaccuracy and failed subject access is a scandal. But for an organisation that hasn’t breached the DPA sufficiently badly to warrant a CMP, and who has put the problems right (or is clearly willing to do so), the undertaking is a PR exercise for the ICO. It is not an order, it is not a requirement, it is a request. You can say no.