Secret Service

A little while ago, I noticed an interesting story on the website of the Fundraising Regulator. They reported a case where a woman had applied for a job with a charity and subsequently, she started to receive marketing from them. She asked for her details to be removed from their donor list, and the request was ignored. The story was still there when they reworked their website recently, but it now appears to have vanished.

This is a breach of Data Protection and (potentially) PECR – the charity would not have informed the person that their data was being used for marketing which is a breach of the first DP principle, they breached the second principle by re-using the data for an incompatible purpose. By ignoring her request for the marketing to stop, they breached her rights under Section 11 of the old DPA and if they sent emails, they breached PECR as well.

Given that this is a quite a serious breach of DP fundamentals, you might think that the Fundraising Regulator isn’t really the right person to deal with it. Although direct marketing forms part of the Code of Fundraising Practice, the proper regulator for both DP and PECR is the Information Commissioner. For both possible breaches, the issue of fundraising is probably the least important aspect – a charity that misuses personal data in such a profound way should be investigated by the Information Commissioner, not a non-statutory body with a relatively narrow focus.

I asked the Fundraising Regulator whether they had passed the complaint to the Information Commissioner’s Office. After a little while, I received a reply from a senior officer asking why I wanted to know. I said that I thought this was a relatively serious breach of data protection, and I wanted to know whether it had been shared with the right people. Shortly after that, I received a reply saying that they couldn’t tell me. This is an anonymised case study – the description of the case did not name the charity, or give any identifying information about the donor. The Fundraising Regulator has already decided to use the story to promote their work, and so asking whether they have shared it with the appropriate regulator (a question that has a Yes / No answer) seems entirely reasonable to me. I pushed a little, and apparently my request went up to Gerald Oppenheim, the FR’s eminently sensible Chief Executive. He also said no.

So I made an FOI request to the ICO, asking for the number of complaints the Fundraising Regulator has passed on to them, and a summary of each complaint. The ICO replied, saying that 100 complaints have been passed from the FR, and in response to my request for a summary of each complaint, they gave me whatever this is:

Charities who have failed to on-board onto the Fundraising Preference Service (FPS) portal despite receiving a request to stop communications from a member of the public.”

Weirdly they claimed that “We do not hold information in regard to the details of each complaint” but in reply to my question about what action they have taken as a result of these complaints, the answer was: “No further action, logged for future intelligence purposes”. This means that they don’t hold any information about complaints that they have logged for future intelligence purposes.

Leaving that aside, the ICO’s response doesn’t suggest that the complaint I am interested in was shared, and so I am going out on a limb to say that I think the reason that the Fundraising Regulator didn’t want to tell me whether they had shared the complaint is because they hadn’t and didn’t want to admit it.

Why does this matter? The Fundraising Regulator’s predecessor, the Fundraising Standards Board, was an inherent part of the Data Protection problems in the charity sector that exploded spectacularly with stories in the Daily Mail. Thousands of complaints were soaked up by the FRSB and never passed on, meaning that the ICO was largely unaware of marketing problems in the sector. The last thing that the FR should be doing is sitting on serious data protection issues in the same way. The ICO and the FR have signed a memorandum of understanding agreeing to share information to assist each other in carrying out their functions, and so there is a clear gateway for the FR to inform the Commissioner of complaints like this.

The problem is, I only know about this complaint because the FR was incautious enough to try to get some PR out of it. Who knows how many more complaints they have dealt with that reveal genuine data protection problems – it may be an isolated case, or there may be loads of them. The organisation’s refusal to be open about the fate of this case means it’s unlikely they’d be forthcoming if it wasn’t a one-off. The FR’s role in operating a glorified opt-out service which is arguably not really required has already attracted some justifiable criticism from the charity sector, but this issue also deserves scrutiny.

Charities have had a torrid time over the way in which some of them handled personal data – as unpopular as this will make me (again), I think much of the flack was deserved. But it isn’t helping the sector for cases like this to be buried – bad practice should be rooted out publicly and by the right people, so all can learn by example. I can’t make Freedom of Information requests to the Fundraising Regulator because they’re not covered, and given the track record of the FRSB, being told rather haughtily that “it is for our organisation and the ICO to discuss and agree what issues we should and shouldn’t be investigating” doesn’t fill me with very much confidence that the right lessons have been learned. The Fundraising Regulator should be transparent about what cases are passing through their doors, which get passed on, and which don’t. Otherwise, perhaps the Mail should start digging again.

Yas Queen!

One of the features of the GDPR which is superficially similar to the old Data Protection Act but turns out to be quite different is the requirement to provide information about how personal data is being used. The word ‘transparency’ is an inherent part of the GDPR first principle, whereas it was absent from the previous version. The DPA 1998 allowed data controllers to decide what information data subjects needed to know, beyond who the controller was and what purposes their data was being processed for. The GDPR has two similar but distinct lists of information that must be provided, one for where data is obtained from the subject, the other where data is obtained from somewhere else, and they dictate what must be provided in scary detail.

When I first started looking at the GDPR, it was this element that I was most sceptical about. I simply couldn’t believe that organisations would admit where they obtained data from, or how long they were going to keep it. I have an almost completed blog on the boil (stay tuned) which is about the very subject of list brokers covering up where they get personal data from and who they sell it to. So when a friend passed me the ‘Data Protection Privacy Notice for Alumni and Supporters‘ from Queen Mary (University of London), I was amazed to see a clear, transparent explanation of what data was used, for what purposes, and under what legal basis. The only problem is that some of it is bollocks, and some of it deploys an attitude to data that requires a seatbelt and a helmet.

Ironically, because it is a relatively short and easy to read document (four pages of A4 in normal font, written in human English), the nonsense leaps out at you like a chucked spear in a 1950s 3D movie. The notice asserts that for a list of purposes, the University is relying on the legal basis of legitimate interests’. The purposes include:

furthering Queen Mary’s educational and charitable mission (which includes fundraising and securing the support of volunteers

This is, of course, direct marketing. The notice then says:

We may pursue these legitimate interests by contacting you by telephone, email, post, text or social media.

Which would be a PECR breach. The University cannot send emails or texts to alumni without consent, but according to the policy, they can. Of course, some clever person (I have a list of names here) will come along and tell me that since students pay for their education, surely the University can rely on the soft opt-in? Well, for one thing, these are alumni, some of whom may have attended the University decades ago (and Queen Mary freely admits to tracking down ex-students using the Royal Mail’s Change of Address Service). For anyone who didn’t substantially pay for their degree, it doesn’t fly. Moreover, I’ve trained a lot of universities who were understandably squeamish about the idea that a qualification like a degree can be reduced to a mere commodity, like a dishwasher or a new set of tyres.

And there’s more.

If you are registered with the Telephone Preference Service (TPS) but have provided us with a telephone number, we will assume we have your consent to call you on this number until notified otherwise

No. For Pity’s Sake, No. Have the last three years of the world and his dog banging on incessantly about consent (often insisting wrongly that you always need it but OK) been for nothing? There is no such thing as assumed consent. There is no such thing as assumed consent. MATE, ARE YOU HAVING A LAUGH?

It seems odd that because Queen Mary have done something really well, I’m criticising them. To be clear, it’s one of the clearest privacy notices I have ever seen. But it’s not just the unlawful bits that stick out like Madonna’s bra (happy 60th, Your Majesty). The rest of it is, to use my favourite euphemism for this kind of thing, is bold. Students’ personal data will be retained “in perpetuity“. The data held about alumni includes “occupation, professional activities and other life achievements“, “family and spouse / partner details and your relationships with other alumni, supporters and friends” and also “financial information relating to you and your family, including data and estimations around your income, assets and potential capacity to make a gift“. If anyone from Queen Mary is reading this, my friend says not to get your hopes up.

The gleeful description of what data they hold is an amuse bouche to the relish with which Queen Mary describe their use of research. The fundraiser Stephen Pidgeon once told me with great vehemence that fundraisers  couldn’t possibly be frank about the techniques that they deploy. Queen Mary, on the other hand, have more or less had shirts made: “we may gather information about you from trusted publicly available sources to help us understand more about you as an individual and your ability to support the university in ways financial or otherwise“. They explicitly say that they do wealth screening in some cases, and have a long list of possible data sources including Companies House, company websites, “rich lists“, Factiva, Lexis Nexis, “general internet and press searches“, Who’s Who, Debretts People of Today and LinkedIn.

Because I banged on about it so loudly a year or so ago, I should be the first to point out that despite all the bollocks talked about the ICO banning wealth screening, the ICO’s enforcement against charities did not such thing: it fined a number of high-profile charities for doing wealth screening without fair processing. Ostensibly, Queen Mary are simply doing what the ICO demanded by describing the process, but I have a sneaking suspicion that some of Our Friends in Wilmslow might be surprised to see wealth screening being carried out so enthusiastically.

To be frank, I do not believe that Queen Mary can justify processing the personal data of the spouses or family members of alumni in any circumstances, unless with consent. I think it is unfair, they do not have a legitimate interest in processing the data, and it is excessive. I think they and any institution who did the same deserve to be enforced against, or at the very least they should receive a shedload of Right to Be Forgotten Requests from mischievous family members. I am also sceptical about the depth of research that may be carried out into some alumni – it’s clear that it will only be a subset of the whole, but unless we’re talking about a handful of millionaires who might well expect this kind of thing to go on, I think this document is an inadequate way to meet the requirements of transparency. If a university is digging into a person’s background to this extent, it’s a form of processing that a person should directly know about and have a right to prevent. My friend only read this document because she’s in the business – Queen Mary should tell people if they’re subject to this level of profiling.

I know some fundraising consultants who will take issue with this and to be clear, I am not dogmatically saying that QM can’t do this. But seriously, can they do this? Is this what the brave new world of GDPR is all about? My instinct is HELL NO WITH AN AIRHORN FOR EMPHASIS but it would be hilarious if I was wrong, and the GDPR really doesn’t dent this kind of activity. I write this solely to see what other people think. Do you think this kind of thing is OK?

I don’t have a dynamite conclusion to this blog. I could kiss the person who wrote this privacy notice because it’s so plain and well-written, and yet the approach to consent and PECR is so misbegotten, I think whoever came up with it should be cast out into the Cursed Earth without a backwards glance. I don’t believe that Queen Mary can possibly justify the amount of data that they propose to process and the purposes for which they think legitimate interests is an adequate umbrella. But at the same time, the ICO looked at precisely this kind of activity and only really complained about the lack of transparency, which isn’t a problem here. All I can say for certain is that other people are going to get the fundamentals so enthusiastically arse-about-face, and do such interesting things, I demand that they do so with the same clarity.

 

A SMALL ADVERT – if you’d like to know more about this kind of thing, I’m running courses in September and November on GDPR, marketing, how to be a DPO and other big DP issues. Some of the September courses are already full, so book now: https://2040training.co.uk/gdprcourses/

 

Unambiguously yours

There’s an old joke about a tourist in Ireland asking for directions and getting the reply ‘If I was you, I wouldn’t start from here’. To anyone in the position of wondering whether to contact all of the people on their mailing list to get GDPR-standard consent to send marketing, fund-raising or promotional emails and texts, I can only say this: I wouldn’t start from here.

With apologies to regular readers who already know (there must be six of you by now), the problem comes because most of the people advising on the solution don’t seem to know what the problem is. They think that the General Data Protection Regulation makes a significant change to the nature of consent from what is required now, and so they tell their clients and employers that there is an urgent need to carry out a ‘re-consenting’ exercise. A memo has clearly gone out – a distinguished correspondent has sent me two examples of organisations sending out emails to get consent in the past week, and yesterday, the charity Stonewall used Valentine’s Day as a prompt to beg its supporters to ‘not leave us this way’. It was lovely, and it is probably an admission that Stonewall have been acting unlawfully since at least 2003, if not 1998.

Here’s the problem. The 1995 Data Protection Directive defines consent like this:

any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed

and

the data subject has unambiguously given his consent

If you’re new to this, read those sentences a few times. Think about ‘freely given’. Think about the consent being an ‘indication’, something by which the person ‘signifies’ their ‘agreement’. Think about ‘unambiguously given‘. If you think that this be interpreted as an opt-out, where are your car keys? Consent, according to you, is me taking your car keys and leaving you a legalistic note somewhere that says that unless you tell me not to borrow your car, I can borrow your car. Or because I borrowed it another time and you didn’t object, I can keep borrowing your car until you tell me not to.

This is nonsense. Consent cannot be inferred. It cannot be implied. A badly written opt-out buried in terms and conditions, consent assumed because I made a donation, the fact that you have my email address and you assume that I must have given it to you with my consent for marketing rather than (for example) you bought it from a list broker who launders dodgy data like drug money – none of these examples constitute consent. Consent is consent. You asked and I said yes. We all know what it means and to pretend otherwise is to lie so you can persuade yourself that you can spam people.

Yes, the GDPR adds a couple of things. It requires consent to be ‘demonstrable’. It states explicitly that consent can only be obtained by a ‘statement or by a clear affirmative action’. But if you claim that the absence of the above phrase in the Directive is any help to the opt-out model, you’re lying to yourself. An opt-out is inherently ambiguous, and the directive says that consent cannot be unambiguous. I might have misunderstood the wording (especially if the language was clunky or technical, which it often is), the data may have been obtained for a different purpose and the consent option is buried in terms and conditions, I might just have missed it or forgotten. The Directive is clear.

Jump ahead to the Privacy and Electronic Communications Regulations, based on Directive 2002/58/EC (often known the ePrivacy Directive). The definition of consent comes from the Data Protection Directive, and so if the ePrivacy Directive says you need consent, what you need is unambiguous, freely given, specific and informed consent. The ePrivacy Directive is enacted by the Privacy and Electronic Communications (EC Directive) Regulations 2003, or PECR (which all good people pronounce as ‘Pecker’ and revel in the opportunities that doing so affords them).

PECR makes life even harder for the opt-outers. For emails, PECR says that the recipient must have “previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender“. If you think that a person can ‘notify’ you by not doing something (i.e. not opting-out), once again, where are your car keys?

Surprisingly given all the execrable practice to which the Commissioner happily turns a blind eye, Wilmslow fired a shot across everyone’s bows with three enforcement cases last year. Morrisons and Flybe are to some extent red herrings as they deliberately targeted people who had explicitly opted out of receiving direct marketing, so when the companies emailed them asking them to opt back in, it was plainly bullshit. The Honda case is more interesting, in the sense that Honda ignored everyone who had opted in (because they’d opted in) and everyone who had opted out (naturally). They contacted people where they didn’t know either way, where they held no evidence of consent. Despite the fact that in all three cases, the contact itself wasn’t selling anything, all were sent for marketing purposes, and here, the ICO argued that the organisations didn’t have consent for sending emails for marketing purposes. It’s been argued by idiots that all Honda were trying to do was comply with GDPR, but that’s patently false. They were trying to pack out their marketing list before a perceived change in the law (GDPR) while ignoring another law that was just fine thanks (PECR).

And now we come to the payoff. If Stonewall (and all the others) have consent to send fund-raising emails, they don’t need to ask again. If they don’t have freely given, specific, informed and unambiguous consent, they shouldn’t be sending emails for marketing purposes now, even if the purpose is to ask for consent from people who are happy to give it because the email is inherently unlawful. It wouldn’t be unlawful for Stonewall to write to all of its supporters and ask them for consent, because post isn’t electronic so PECR doesn’t apply. I would say that there is plainly a legitimate interest for them to use post to ask people for permission to send fund-raising and promotional correspondence by email, so there is no GDPR problem.

The problem with a re-consenting exercise is that the organisation is basically admitting to a PECR breach. The problem is exacerbated by doing that re-consenting exercise by email, because as Honda have demonstrated, doing so is in itself a breach of PECR. People complained to the ICO about the Honda emails, which is why they enforced. If you do a re-consenting exercise by email, anyone irritated enough by the request may well complain. Then what?

So what do I think organisations should do in the light of all this? Well, I wouldn’t start from here. But ignoring the law for a moment, this might be a time to be pragmatic. If you send people content that they want and you don’t annoy them (email being less annoying and distracting than phone or text in my opinion), if you have nice big bright unsubscribe buttons, and if YOU RESPECT BLOODY UNSUBSCRIBE REQUESTS (Hello Daily Telegraph), what’s the risk? Why draw attention to yourself?

I am convinced that sending emails to people who haven’t opted-in is unlawful unless you’ve got the soft opt-in (which because it’s predicated on data gathered through a sale, most charities won’t have). But many organisations have been content to do that for years despite it being unlawful now. So what’s actually changing? I think everyone should comply with the law because privacy – the right to be left alone – is a vital foundation for a civilised society. But if you’re sitting on a mailing list and you’re not sure what to do with it, I would forgive you if you took a slower, longer path, taking every natural opportunity to get renewed consent from existing contacts, getting strong unambiguous consent from anyone new, and hoping that churn and natural wastage gets you where you need to be. And if you’re wrestling with this right now and you’ve read this far, good luck and best wishes.

Catch the Pidgeon

Even before the fundraising sector met its Data Protection nemesis in December, with two charities cruelly hung out on the rack, forbidden ever to raise funds again (CORRECTION: given two of the smallest fines in Data Protection history and not forbidden from doing anything), various blogs, and tweets showed that anguished tin-rattlers were confused about what they were accused of.

A classic of the genre was published just over a week ago by Third Sector, penned by Stephen Pidgeon, a “consultant and teacher” (one assumes modesty prevented the publication from mentioning that until recently he chaired the Institute of Fundraising’s Standards Committee, responsible for the until-recently legally incorrect Code of Fundraising Practice). Pidgeon made a series of assertions in his article, and the most important of them is wrong.

Pidgeon describes profiling as a serendipitous activity – a fundraiser innocently planning some door-drops (not a hint of pestering spam in this charming scenario, nor any resort to a data-mining outfit like Prospecting for Gold) happens to notice that a donor has sold a business, and so decides to add his details to an existing campaign. The scheme is ruined by the ICO who says: “That’s not allowed – it’s against the Data Protection Act without express permission“. As Pidgeon points out, the DPA is much vaguer than that. If the Commissioner had indeed said this, it would be nonsense. The problem is, they didn’t.

Both charity notices set out the ICO’s position on charity profiling – it cannot be secret. The same is true for data sharing and appending new data to records that the subject didn’t provide. Neither notice finds profiling without consent to be a breach. Admittedly, of the Data Protection only offers one other option to justify profiling in these circumstances (legitimate interests), but either Pidgeon doesn’t know what the notice says, or he is deliberately misleading his audience. The word ‘permission’ does not appear in either notice, and the word ‘consent’ isn’t mentioned either.

Pidgeon also asserts that wealth profiling is not confined to charities:

This issue is not confined to charities. Yet, in all the 100-plus ICO adjudications in 2016, I could not find a single commercial firm censured for wealth screening.

To be pedantic, they’re not unenforceable ‘adjudications’, they’re formal legal notices, and if you add up all of the DP and PECR monetary penalty and enforcement notices in 2016, you don’t get to 100. He might be including the undertakings, which could be compared to the blancmange adjudications that charities have grown used to, but they’re irrelevant in a conversation about enforcement. The more important point is that like others, including the fundraising apologist academic Ian McQuillin and the researcher Matt Ide, Pidgeon claims that everyone does wealth screening but only the charities are getting punished for it. The Daily Mail hasn’t exposed Marks and Spencers or Greggs for wealth screening – possibly because they’re good at keeping it secret, but a more likely explanation is that they don’t do it. Until someone in the charity sector shows evidence of another organisation doing secret profiling, it’s just a distraction from the fact that – as Pidgeon claims – most of the charity sector have been doing it unlawfully for years.

Many in the sector also seem persuaded that the ICO action is a weird anti-charity vendetta. MacQuillin’s contributions to the Critical Fundraising Blog pondered the mystifying question of why the data protection regulator has taken action when household name organisations have been exposed for breaching data protection. The ICO takes action for three reasons – an organisation reports itself for something, ICO gets lots of complaints about something, or something makes a big splash in the press. There were thousands of complaints about charity fundraising, but all went to the toothless Fundraising Standards Board, who hardly ever passed them on to ICO. So it was the Daily Mail’s headlines that did the trick – the heartbreaking story of Olive Cooke but more importantly for the ICO’s purposes, the flamboyantly unlawful way in which charities treated Samuel Rae, trading his data relentlessly with anyone who wanted it.

In pursuing his false claim about consent, Pidgeon derisively summarised what charities might have to say to prospective donors: “We want to find out how rich you are; tick here to agree”! As a first draft, this has some merit, but a charity involved in wealth screening should also add ‘We want to know whether you are worth more alive or dead‘. The consent claim is a red herring, but perhaps unwittingly, Pidgeon has hit on the real problem for fundraisers: daylight. The foundation of Data Protection is fairness, and the only way to achieve it, regardless of whether consent is part of the mix, is to tell the subject the purposes for which their data will be used. Stretching the law as far as they can, the ICO has invented the concept of ‘reasonable expectations’. Reasonable expectations doesn’t appear in the Data Protection Act, but the ICO’s idea is that if you are only doing something that the person would expect, you don’t have to spell it out. One might take issue with this because it’s not in the Act, but it’s a sensible idea. The ICO’s emphasis has always been on being transparent over unexpected or objectionable processing.

Tesco’s Clubcard scheme is a useful example. Clubcard is a loyalty scheme, clearly based on profiling. The user knows that when they swipe their card, their purchases are analysed so that tailored offers and vouchers can be provided. Needless to say, Tesco also use the data for their sales and marketing strategy. If you look at the T&Cs for the Clubcard scheme, you will not find references to data sharing with third parties for wealth screening. They don’t need to – they can analyse your purchases instead. The user knows that profiling is inherent to the scheme, and they are not required to participate when shopping at Tesco. I have a Clubcard because I understand the system and I don’t believe that Tesco flogs my data. The profiling is the basis on which the whole thing operates. I have a choice about whether to shop at Tesco, and separately, whether to have a Clubcard when I do.

On the other hand, the RSPCA profiled seven million donors after they donated; presumably the lion’s share of all people who donated to the charity. The RSPCA did not tell people that this was the purpose for which their data will be used, and nobody outside the charity sector was aware of what was happening. Unlike Clubcard, donors could not participate without being screened and analysed by the charity. I have used the wealth-screening example on many of my training courses. The reaction is always surprise, and often revulsion.  Nobody ever leaps to the charity’s defence because secret profiling is a dodgy way to do business.

Pidgeon’s squeamishness about describing the process – the daft example of the story in the newspaper, his emphasis on data being gathered from the public domain – suggests that fundraisers are more ambivalent about their methods than they might like to admit. The existence of five facts in five separate publicly accessible places is different to the combination of those facts in one place, gathered with the intention of tailored marketing. A profile is greater than the sum of its parts, and people should be told that it exists. Pidgeon isn’t alone in his approach – Chris Carnie, the founder of ‘prospect research’ company Factary erroneously characterised myself and others as saying that using public domain data is “an intrusion into an individual’s privacy. That searching for a named individual in Companies House fundamentally affects the rights of that person“. All I said was that such research should be transparent, but this isn’t news that Carnie and his colleagues find palatable. Ide’s company goes as far as to assess the ‘ethical credentials‘ of a donor, which sounds a world away from noticing a story in a paper.

The Daily Mail is a revolting newspaper – the worst combination of small-minded, petty conservatism and curtain-twitching prurience. It is a matter of ongoing annoyance to me that the Mail is one of the very few national news outlets that covers Data Protection issues with any enthusiasm. I really wish the Guardian or the Times had exposed the ghastly exploitation of vulnerable people like Samuel Rae, or their hunger for information about possible donors. I wish Dispatches’ fine work on the shameful state of some fundraising call centres had got more attention. Nevertheless, none of this is the Mail’s fault, and fundraisers’ relentless blame-shifting needs to be called out for the cant that it is. Everyone knows whose fault this is.

The charity and fundraising sector isn’t in a mess over data protection because of the Daily Mail, and it isn’t there because of the Information Commissioner. This problem is the fault of some fundraisers and their agents not obeying the law, and trustees who didn’t ask them enough questions. MacQuillin claims that almost everything that has happened to the fundraising sector over the past two years is because of ‘fake news‘; Olive Cooke’s death wasn’t, her family says, the result of the spam tsunami that charities subjected her to. For one thing, this claim disgracefully ignores Samuel Rae, whose story would have caused the same interest even if it wasn’t the sequel to Olive Cooke. Moreover, it is itself fake news. If some of Pidgeon and MacQuillin’s compadres had done their job with a greater interest in the law, they wouldn’t be here now. This is the second or third time I have written this blog. With 11 more possible fines, and fundraisers still in denial about what they have done, I’ll probably have to write it again before long.

Small change

Some senior figures in the charity sector have sought to deal with the Information Commissioner’s recent enforcement against the RSPCA and the British Heart Foundation by suggesting that the ICO’s action is disproportionate and unfair. The fundraiser sorry, academic, Ian MacQuillin has written two blogs which touch on the theme, while a few days ago, Robert Meadowcroft, the Chief Executive of Muscular Dystrophy UK tweeted:

If the is impartial regulator it will investigate practices of and not simply pursue charities

As 2016 is now disappearing over the horizon, I thought it was worth testing the hypothesis that the ICO is taking disproportionate action against charities, and the fines and other enforcement against charities are unrepresentative. TL:DR – it’s complete nonsense.

In 2016, the ICO issued 34 civil monetary penalties – 11 under the Data Protection Act, and 23 under the Privacy and Electronic Communications Regulations (PECR). There are a number of different ways of looking at the figures, and none of them show any evidence of disproportionality.

1) Charity CMPs as a proportion of the total in 2016

Of the 34 penalties, 2 were against charities, so 6% of the ICO’s CMPs in 2016 were against charities.

2) Amount charities were fined, as a proportion of the total in 2016

The CMP total was £3,225,500. The total of CMPs issued against charities was £43,000. This is 1.3% of the total.

3) Proportion of Data Protection CMPs issued to charities in 2016

If you look only at the CMPs issued under Data Protection, the charity proportion is not insignificant – there were 11 DP CMPs, so the 2 charity CMPs are 18% of the total – the same as the police, 1 more than councils, but less than the private sector or the NHS (3 each). However, this is the only comparison where charities feature significantly, and they are not the dominant sector. The next two comparisons are also instructive.

4) Proportion of PECR CMPs issued to charities in 2016

None. This is despite widespread breaches of PECR by charities, including phoning donors who are on TPS and sending texts and emails without consent (for example, the vast majority of mobile numbers gathered via charity posters in 2016 were obtained in breach of PECR).

5) Proportion of CMPs issued for marketing related activities in 2o16

There were 21 PECR CMPs related to marketing, and 2 DP CMPs related to marketing, making 23 marketing CMPs in all. 2 were against charities, which is 9.5% of the total. Given the big charities’ disastrous approach to marketing, this relatively small number is astonishing.

6) Level of CMPs in 2016

The average DP CMP was £108,500; the average charity DP CMP was £21,500.

The average PECR CMP was £84,666.75; there were no charity PECR CMPs.

The highest DP CMP was £400,000; the highest charity DP CMP was £25,000.

7) Other enforcement in 2016

There were 22 enforcement notices issued by the ICO in 2016, 8 under DP and 14 under PECR. 1 of the 8 DP enforcement notices was against a charity, which is 4.5% of the total, or 12.5% of the total DP enforcement notices. Either way, it is a small percentage of the total. Again, if you count the number of marketing related enforcement notices, there were 15, of which 1 was against a charity. This is 6.6% of the total.

8) CMPs since 2010

There have been 69 DP CMPs since 2010 that I can find (they drop off the ICO’s website after a few years); 4 were issued against registered charities, which is 5.8% of the total. The average DP CMP was £114, 163, whereas the average charity was £78,250. It is worth noting that these figures are slightly skewed by the £200,000 penalty against the British Pregnancy Advisory Service, which is a registered charity but receives most of its funding from the NHS.

The CMP against the British Heart Foundation was the 8th lowest CMP overall, while the CMP against the RSPCA was the 9th lowest. The only organisations to receive lower penalties than the charities were small businesses, unincorporated associations, and a bankrupt lawyer.

There have been 47 PECR CMPs that I can find since 2012; none have been issued on charities, which is 0% of the total.

Conclusion

These figures will likely be different in 2017. The ICO has signalled that more DP enforcement against charities is coming, and so the proportion of DP penalties may rise when the totals are in, but that depends on a variety of different factors including the number of other penalties and the ICO’s general approach. However, when you look at the facts for 2016, MacQuillin and Meadowcroft are wrong. Despite years of ignoring the Data Protection and PECR requirements in favour of a flawed, fundraiser-driven approach, the ICO has not taken disproportionate action against the charities. The action taken is a small percentage of the overall total. Special pleading and blame-shifting will not help the sector. Compliance with the law will.