BETTER LATE THAN NEVER

Last September, I was on holiday in Greece, full of the joys of ancient architecture, sunshine and Greek food. I decided that having spent too much of my time having a pop at charities and fundraisers and the Institute of Fundraising, I would do that thing that people always tell negative smart-arses like me to do. WHY DON’T YOU DO SOMETHING HELPFUL INSTEAD OF SNIPING FROM THE SIDELINES. I decided that they had a point.

I decided to write a clear, plain English guide to fundraising and charities based largely on the first data protection principle, setting out what Data Protection really requires from Data Protection. I wrote a blog asking for questions that charities and fundraisers really wanted the answers to, planning to write the guide over Christmas and publish it in January. Initially, I had lofty ideas for something interactive, but it came to nothing, so a guide to DP and fundraising was the aim.

Friends, things did not go to plan. Instead of writing the guide, my Christmas was dominated by some unexpected visits to hospital, and several encounters where medical professionals cheerfully reassured me that people with my condition often only find out when they have a stroke. Seasons Greetings and all that, Doc, but any sentence that contains the words ‘stroke’ or ‘brain tumour’ isn’t reassuring. The eventual diagnosis was far from serious, but it still exploded any chance I had of doing the guide on time.

By the time things calmed down, it was January, and I was writing my charity guide in fits and starts while doing loads of work around the country. And then every two minutes, someone was arranging a conference or publishing guidance and it seemed I had missed the boat. More than once, I wondered if there was any point in finishing my charity guide when the ICO and the Fundraising Regulator had already weighed in on the subject.

Then I actually read the guidance in question, and I decided that both regulators hadn’t hit the target I was aiming for – a candid, realistic and human guide to the legislation. Moreover, having relentlessly criticised charities and fundraisers, annoying a good many good people in the process, I felt that if I had something useful, something positive to give, I was obliged do so. Therefore, with no great fanfare and with no ambition further that the hope that some people might read it and understand DP better, I am publishing my guide today. If you would like to read it, please click here to get it from the downloads section of my website. You don’t need to register or sign up to anything to download it.

I did intend to say that this would be the last thing I write about charities and fundraising because surely by now I’ve said everything I possibly could and I don’t want this blog to become solely about charities. Then I realised I have Strong Opinions about the Fundraising Preference Service which some fundraisers may even agree with, so I am not going to make that claim. Nevertheless, regular readers of this blog (hello both of you) will be reassured that I intend to spend less time goading the charity sector and more time, well, goading other people.

Thanks for reading.

Idle Hands

On August 27th, the minister for International Trade, Greg Hands MP, tweeted an important update about foreign investment in the UK:

One US company emails “The minister was spot-on with his comments on Brexit & we’ve decided to stay in the UK based on guidance provided.”

It’s clearly a good thing if Brexit doesn’t result in the economic calamity that some have predicted, but by itself, Mr Hands’ tweet doesn’t advance the debate. To judge whether this is good news, we need to know how big a company this is, how likely they were to leave, and what investment and jobs they might bring to the apocalyptic wasteland that is the UK’s future. In short, we need to know who they are. If the Government wants to use decisions made by  private companies for the purposes of propaganda, we need to be able to scrutinise who they’re talking about.

I asked Mr Hands who the company was on Twitter but he ignored me, so I made an FOI request to his Department for the name of the company and all of the information contained in the email. A few weeks later came their reply, a terse response that barely explained the nature of the exemption they were using (Section 43, which prevents disclosures that cause commercial prejudice). Of the public interest, they had this to say:

in this case it is also important that Government protects commercially sensitive information to allow this particular business to continue to operate in anonymity to limit the exposure of its business strategy; the disclosure of which may be advantageous to competitors operating in the same sector

I decided to ask for an internal review. The department could maintain their position by disclosing the email but removing the name, and to be honest, I was still working on the assumption that Hands might have made the whole thing up. The Department for International Trade has a difficult relationship with the truth – only this week, the Secretary of State Liam Fox appeared on television to deny sending a tweet despite the fact that the self-same tweet was being displayed on a massive screen behind him, while in a previous job, Hands tweeted about signing off an FOI request about the number of FOI requests his department had received, despite the fact that the department published the numbers.

My review request covered three areas – I had requested all of the information in the email so the metadata for the email could still be disclosed, the public interest had not been assessed properly (the Brexit debate being possibly the most important issue facing the UK in my lifetime), and finally, I said that the Department should at least contact the company to ask their consent.

The Department’s reply was in turn bland – Hands’ meeting with the company was in private, and they had made no public announcement – and meaningless. They dealt with the metadata issue with this sentence, which I still do not understand: “With reference to your request for metadata, this is nullified by the fact that we have not released any information to you for which we would be required to provide those details.

And so off to the Commissioner’s Office I went. After a few months, the ICO achieved a result. It turned out that the Department had never consulted the company in question, despite the fact that I specifically mentioned this in my internal review request. The ICO told them that they ought to have done this, so they did. Despite their claim in their original reply that the organisation needed anonymity to limit the exposure of their business strategy, the company clearly didn’t feel the same way, so I can tell you that the company is the medical imaging firm PACS Health, and the email came from their Chief Operating Officer (Mr Hands quoted it entirely accurately).

The Department’s approach does not bode well, especially given the turbulent times the UK faces – both outside and within. Secrecy is best, they seem to think. Openness and scrutiny is to be avoided, and has no benefit. Despite having two opportunities to do it (and being prompted by me), those handling my request didn’t think it was worth contacting the company to see what they think. The assumption is that the best course of action is to keep things behind closed doors. Of course, this is a somewhat charitable characterisation of their approach, because it’s entirely possible that the Department didn’t want to contact the company in case they said yes. I mean no disrespect to the fine folk of PACS Health, but they’re not exactly Nissan. How many small companies will have to adopt the same approach to make up for the economic opportunities the UK is about to lose?

The ICO’s attitude wasn’t encouraging either. Admittedly, it was only by complaining to them that I got the information, but the Senior Case Officer wrote to me saying that because of this, they proposed “to informally and proportionately close this matter” without issuing a decision notice. I can see the merit in this sometimes but here, the ICO has an opportunity to send out a message to all public authorities – when claiming commercial prejudice to third parties and private companies, it’s vital to consult them. Doing so in my case would have avoided an internal review and a complaint to the ICO, and they had to do it in the end anyway. By trying to dodge a decision notice, the chance to send this message is lost.

The problem is that unless I withdraw my complaint, the ICO’s main option to refuse to make a decision is to say that my complaint is frivolous or vexatious, and they clearly didn’t think it was. They don’t even have the guts to be transparent about this and say ‘please withdraw your complaint so we can close the case and hit our targets‘ – the Commissioner loftily proposes to close the matter, and I am invited to give the case officer a ring if I want to discuss it.

I asked if they were refusing to issue a decision notice, underlining the point that my case is a good example of the importance of consultation, and I received a somewhat testy reply, telling me that it was clearly not proportionate for the ICO to do so given that I was going to receive the information, and the Department had been told to consult in future. The problem with this argument is that this will only benefit the Department itself, whereas a Decision Notice will be seen by other public authorities and (more importantly) FOI applicants. And separately, there is also some benefit to the Department’s shoddy approach being ventilated. They might be less likely to do it again if it’s a known fact that they did it here.

As he realised that I would object to having the case closed informally, the Case Officer confirmed that a decision notice would nevertheless be issued, although he could not resist a slightly petulant parting shot: “Please note that the process of issuing such a notice can be a lengthy one (i.e. months not weeks)“. I’m not sure why I should be chastened by a reminder of the ICO’s ponderous decision-making processes – indeed, if they were better at making and signing off decisions instead of constantly looking for excuses to close cases, it probably wouldn’t take months anyway.

On both sides, transparency isn’t valued. The Department for International Trade want to keep everything way from scrutiny; the ICO just wants to close cases without going through the admin of writing a decision notice, despite the benefit that a wider dissemination of the case might have. Whatever you think about the future, we need an FOI system that is better hands than this.

Small change

Some senior figures in the charity sector have sought to deal with the Information Commissioner’s recent enforcement against the RSPCA and the British Heart Foundation by suggesting that the ICO’s action is disproportionate and unfair. The fundraiser sorry, academic, Ian MacQuillin has written two blogs which touch on the theme, while a few days ago, Robert Meadowcroft, the Chief Executive of Muscular Dystrophy UK tweeted:

If the is impartial regulator it will investigate practices of and not simply pursue charities

As 2016 is now disappearing over the horizon, I thought it was worth testing the hypothesis that the ICO is taking disproportionate action against charities, and the fines and other enforcement against charities are unrepresentative. TL:DR – it’s complete nonsense.

In 2016, the ICO issued 34 civil monetary penalties – 11 under the Data Protection Act, and 23 under the Privacy and Electronic Communications Regulations (PECR). There are a number of different ways of looking at the figures, and none of them show any evidence of disproportionality.

1) Charity CMPs as a proportion of the total in 2016

Of the 34 penalties, 2 were against charities, so 6% of the ICO’s CMPs in 2016 were against charities.

2) Amount charities were fined, as a proportion of the total in 2016

The CMP total was £3,225,500. The total of CMPs issued against charities was £43,000. This is 1.3% of the total.

3) Proportion of Data Protection CMPs issued to charities in 2016

If you look only at the CMPs issued under Data Protection, the charity proportion is not insignificant – there were 11 DP CMPs, so the 2 charity CMPs are 18% of the total – the same as the police, 1 more than councils, but less than the private sector or the NHS (3 each). However, this is the only comparison where charities feature significantly, and they are not the dominant sector. The next two comparisons are also instructive.

4) Proportion of PECR CMPs issued to charities in 2016

None. This is despite widespread breaches of PECR by charities, including phoning donors who are on TPS and sending texts and emails without consent (for example, the vast majority of mobile numbers gathered via charity posters in 2016 were obtained in breach of PECR).

5) Proportion of CMPs issued for marketing related activities in 2o16

There were 21 PECR CMPs related to marketing, and 2 DP CMPs related to marketing, making 23 marketing CMPs in all. 2 were against charities, which is 9.5% of the total. Given the big charities’ disastrous approach to marketing, this relatively small number is astonishing.

6) Level of CMPs in 2016

The average DP CMP was £108,500; the average charity DP CMP was £21,500.

The average PECR CMP was £84,666.75; there were no charity PECR CMPs.

The highest DP CMP was £400,000; the highest charity DP CMP was £25,000.

7) Other enforcement in 2016

There were 22 enforcement notices issued by the ICO in 2016, 8 under DP and 14 under PECR. 1 of the 8 DP enforcement notices was against a charity, which is 4.5% of the total, or 12.5% of the total DP enforcement notices. Either way, it is a small percentage of the total. Again, if you count the number of marketing related enforcement notices, there were 15, of which 1 was against a charity. This is 6.6% of the total.

8) CMPs since 2010

There have been 69 DP CMPs since 2010 that I can find (they drop off the ICO’s website after a few years); 4 were issued against registered charities, which is 5.8% of the total. The average DP CMP was £114, 163, whereas the average charity was £78,250. It is worth noting that these figures are slightly skewed by the £200,000 penalty against the British Pregnancy Advisory Service, which is a registered charity but receives most of its funding from the NHS.

The CMP against the British Heart Foundation was the 8th lowest CMP overall, while the CMP against the RSPCA was the 9th lowest. The only organisations to receive lower penalties than the charities were small businesses, unincorporated associations, and a bankrupt lawyer.

There have been 47 PECR CMPs that I can find since 2012; none have been issued on charities, which is 0% of the total.

Conclusion

These figures will likely be different in 2017. The ICO has signalled that more DP enforcement against charities is coming, and so the proportion of DP penalties may rise when the totals are in, but that depends on a variety of different factors including the number of other penalties and the ICO’s general approach. However, when you look at the facts for 2016, MacQuillin and Meadowcroft are wrong. Despite years of ignoring the Data Protection and PECR requirements in favour of a flawed, fundraiser-driven approach, the ICO has not taken disproportionate action against the charities. The action taken is a small percentage of the overall total. Special pleading and blame-shifting will not help the sector. Compliance with the law will.

Fair Cop

The bedrock of Data Protection is fairness. You cannot gain consent without fairness. Your interests are not legitimate interests if they are secret interests. Unless you have an exemption or you claim that telling the person represents disproportionate effort (i.e. the effort of telling outweighs the actual impact), you have to tell the person whose data you are using the purposes for which their data will be used, and any other information necessary to make the processing fair.

The ICO’s Privacy Notices Code of Practice is not ambiguous, nor was its predecessor. It is impossible to read the ICO’s published guidance on fair processing without taking away the key message, consistently repeated for more than a decade: if something is surprising or objectionable, especially if it involves some kind of impact or sharing outside the organisation, it should be spelt out. New-ish Information Commissioner Elizabeth Denham seems to have chosen to reverse the ICO’s previously timid, unimaginative approach to the first principle with a pair of civil monetary penalties against charities. We have one each for the Royal Society for the Prevention of Cruelty to Animals, and the British Heart Foundation, with the promise of more to come. You might say it was unfortunate that charities are first in line rather than, say, credit reference agencies or list brokers (to be a touch tautological). It was the charity sector’s misfortune to fall under the Daily Mail’s Basilisk gaze, and they have to accept that we are where we are.

To issue a civil monetary penalty, there are three hurdles for the ICO to clear. Firstly, there must be a serious breach. Both charities used commercial companies to profile thousands (and in one case, millions) of donors, buying up data from publicly available sources* to assess their wealth and resources, they shared data with other charities whose identity they did not know via a commercial company, and in the case of the RSPCA, they bought contact details to fill in data that donors had provided. The average donor did not have any idea that this was happening. I can see there’s a problem that when everyone in the charity sector knows that wealth screening goes on, it seems normal. But I’ve been using it as an example on my training courses ever since the Mail revealed it, and bear in mind that these are often seasoned data protection professionals who know about data sharing and disclosure, attendees are invariably shocked and some cases revolted by what I tell them.

There is no doubt in my mind that this processing needed to be spelt out, and there is no doubt from the notices that it was not. Carefully selected third parties or partners has been a stupid lie in marketing for years, but not even knowing where the data goes is much worse than the usual flogging it to all comers. At least the list broker knows who he’s flogging it to, even though the only careful selection is the ability to pay.

The second hurdle is the need to show that the breach is likely to cause damage or distress to the affected data subjects. It’s been known for quite some time that the ICO was planning to take enforcement action over the Mail stories, and the gossip I heard from charities was that fines were likely. I’ll be honest, I wasn’t convinced. The Information Commissioner lost a Data Protection Tribunal appeal from Scottish Borders Council because they bungled the damage / distress element of a £250000 CMP over pension records found in recycling bins. ICO made a flawed claim that the loss of paper pension records was likely to result in identity theft, but Borders had an expert witness who could argue convincingly that this was not true. The link between the breach (the absence of a contract with the company processing the data) and the damage was broken, and the ICO lost.

But this case is different. The ICO does not need to make a link between an incident and a breach, because they are bound up together here. Both notices show that the ICO has given considerable thought to the distress angle. There is no question that the charities breached the first principle, and their only hope for an appeal is to convince the Tribunal that people would not be caused substantial distress by secret profiling and data sharing after an act of generosity. This is not science, and all I can say is that I am persuaded. But for an appeal to be successful, the charities will need to persuade a Tribunal with strong experience and knowledge of DP and PECR from the numerous (and almost exclusively doomed) marketing appeals.

The third element requires the breach to be deliberate or a situation where the charities ought reasonably to have known about the breach. As I have already said, the ICO’s position on fair processing is well known in my sector and available to anyone who can type the ICO’s web address. I think it’s possible that the charities didn’t know what they were doing was a breach, but in my opinion, this is because the Institute of Fundraising and the Fundraising Standards Board effectively acted as a firewall between charities and reality. The advice (often inaccurate and out of date) came from the IoF, and complaints about charities went to the FRSB and no further. When your code of practice is written by the people who earn their living from fundraising and most in your sector are doing the same thing as you are, it’s not hard to fool yourself into thinking it’s OK. But ‘everybody does it’ will cut no ice with the Tribunal. The RSPCA and the BHF are not tiny charities flailing in the dark – they are massive, multi-million pound operations with vastly greater resources than many of my clients.

Daniel Fluskey, head of Policy for the Institute of Fundraising, whose apparent lack of experience or qualifications in Data Protection does not prevent him from writing inaccurate articles for the charity sector on GDPR, has already weighed in, saying that the ICO should be providing the specific wording that charities require: “Charities need more detail on the ICO’s view of what lawful practice looks like: what form of words would have passed the test?” The Information Commissioner is the regulator for every organisation, of every size and shape, that processes personal data. If they start writing tailored wording for charities, they will have to do it for everyone else as well. It is a ridiculous demand. I think the ICO should move on to the data pools, wealth screeners and list brokers, but if she could find the time to issue an enforcement notice on the Institute of Fundraising, forbidding them ever to speak or write on Data Protection matters again, the third sector would have a fighting chance of complying.

Besides, how hard is it to find compliant wording? Nobody – especially not the trade association for fundraisers – should be allowed to present this as a byzantine and complex task. The individual doesn’t need to know what software you’re using, or whether cookies are involved. They need to understand the purpose – what are you collecting, what are you going to do with it, who are you going to give it to? This should be presented without euphemism or waffle, but it’s when you strip out the legalistic nonsense, you see the problem. It isn’t that the poor charities were labouring under the burden of complex data protection rules. They could not comply with the Data Protection Act because what they were doing (and in RSPCA’s case, are apparently still doing) is so unattractive:

  • We will share your details with unspecified charities via a commercial company. We don’t know who they are.
  • We will buy your phone number, postal or email address from a commercial company if you have not given it to us.
  • We will use commercial companies to compile a profile of your wealth and property to work out whether to ask you for further donations. If you are likely to be worth a lot when you die, we will use this information to ask you for a bequest.

When Reactiv Media appealed their PECR penalty, the Tribunal rejected their appeal and increased the penalty. Like a lot of the spammers, they put themselves into administration to avoid paying up, but this option is not available to household name charities. If either the RSPCA or BHF appeal, they are dragging themselves deeper into the mud, and very possibly spending thousands more of donors’ money to do so. If they say that what they did wasn’t a breach, or that they couldn’t have been expected to know that it was, their officers, advice and business model will be scrutinised to a doubtlessly painful extent. The claims management company Quigley and Carter found themselves described as “feckless” and “most unimpressive” in the course of being filleted during a recent failed appeal. Do charities really want that? Even if they decide to roll the dice solely on distress, does either charity really want to acknowledge a serious breach that they knew or ought to have know about in the hope of getting the fine overturned on a technicality? Do they want ICO to call donors as witnesses?

The business model of pressure selling, TPS-busting, heavy texting, data sharing and donor-swapping adopted by some of the UK’s most celebrated charities resembles nothing so much as the activities of the claims management, PPI spammers (i.e. the scum of the earth). For all the noise and bluster on Twitter and in the charity press this week, there is an uncomfortable truth that has to be faced. The hated Daily Mail unearthed it, and the ICO has rightly acted on it. Some big charities have run an end-justifies-the-means approach to marketing and they have got away with it for a decade. Fundraisers ruled the roost, and compliance has been sidelined or ignored. Given how much money the RSPCA and the BHF have raised from fundamentally unlawful practices, they should pull back and rethink how they get donations in the future. They should ignore the Institute of Fundraising’s every word on Data Protection and PECR, and like every other charity, concentrate on reading and applying the ICO’s Code on Privacy Notices and guidance on Direct Marketing.

And right now, if there is a fundraiser sitting with the two CMP notices working out how to at the same time devise a method to raise loads of cash for their cause while complying with Data Protection and PECR, I hope they wipe the floor with everyone else.

*citation needed

Actually asked questions

One of the annoying things about working on documents or advice for the public is the inevitable moment where someone asks “shouldn’t we have some FAQs?”. And then someone proceeds to write a series of questions that the organisation wants the public to know the answers to, rather than the answers to questions the public have actually asked. Frequently asked by who, is what I frequently want to know.

I am currently working on a product aimed giving data protection advice to charities. It will be free to access, and should hopefully be ready by the end of the year (early in January is equally likely). It will take into account the current DP and PECR law, the Fundraising Preference Service and associated Regulator, as well as anticipating the GDPR in several key aspects. As part of this, I would like to include an ‘actually asked questions’ section, in which people working on DP or IG for charities ask questions, and I provide the answers.

This is where you (hopefully) come in.

I want to get real questions from practitioners and volunteers working in the charity sector. There are a whole bunch of things I want to say about the topic, but questions from the intended audience are vital to make the guidance meaningful. If you have any questions about Data Protection, PECR, marketing, volunteers, security or other related matters, please send them to the following email address:

mail@2040training.co.uk

You can be specific or general. You can ask about the detail, the background, individual scenarios relevant to your work or issues that cover the whole sector. I would be happy with 5 questions, or 500. You can also tell me things you think DP guidance for charities should include. I have the content more or less planned out, but I might have missed something.

There are a few things you need to know before sending a question in.

1. You will not receive an individual answer to your question. Your question, if at all possible, will be answered in the FAQ section of the product. It may be that your question is answered in the main body of the text, in which case, your question will not feature specifically but the answer will still be there. If it is impossible to answer your question – time permitting – I will reply direct to you to explain why and give some advice if I possibly can.

2. You will not be added to any mailing list, or receive any marketing as a result of participating. If you indicate in your email that you want to know when the product is available (it will be free, and getting access to it will not involve any obligations or commitments), then I will send you a single email to let you know. You will receive nothing else and your details will not be retained for any other purpose.

3. All questions will be treated anonymously. You, and the charity you are associated with, will not be identified or alluded to in the product, no matter what the nature of the question is. Even if the question is “can we sell our donors’ data to a claims management company?’ or “can we buy data even if we think it might have been stolen?”, you will not be identified. The sole purpose of this is to make the product more useful and lively by getting direct input from the intended audience. By the way, the answer to both of the above questions is no.

4. Questions sent in after 15 December probably won’t make the cut (although I will do my best to read anything received after that)

The final shape of the product may go one of several ways, so I am being vague about what it actually is – one option is easy but less interesting, the other is better but more time consuming. Nevertheless, to emphasise the point again, it will be free, and you will receive no marketing or further contact if you choose to participate.

I very much hope that if you have any questions or queries, or other issues you would like to raise, you will send them in. Thanks for reading – if you have the opportunity to tweet or circulate this to people in the charity sector who might have questions they want to ask, I would be very grateful if you would. I cannot promise that anyone who necessarily like what I have to say, but I’m very keen to find out what you’d like to know.