The Red Menace

Just before New Year, the pro-Brexit, anti-single market pressure group Change Britain published a report about the possible savings that could accrue to the UK if we cut all ties with the EU. Keen observers of current politics will be astonished to learn that the amount is in the multiple billions. One of the top savings is from repealing the Data Protection Act 1998, which Change Britain claims costs the economy a whopping £1,058,830,000, while (if I am reading the table right), giving a benefit of precisely nothing. It’s a prime example of ‘harmful EU red tape‘ that Change Britain is very much against.

Curiously, the report doesn’t include any mention the General Data Protection Regulation, despite the fact that the Government announced several months before its publication that GDPR will apply in the UK, reflecting the reality that it will come into force before we leave. The report does not hint at any cost in repealing the DPA and replacing it with something else, or the wasted effort currently being expended by organisations large and small in preparing for GDPR, all of which they want to cancel out. The economic benefit of being able to share data across EU borders isn’t priced in at all, even if we accept the £1 billion cost at face value. Inevitably, Change Britain’s report has the mindset of an Oscar Wilde cynic, knowing the price of everything and the value of nothing. Although the DPA is clunky and badly enforced, the benefits of saying that personal data should be obtained fairly, used transparently, kept in good order and processed securely are enormous.

I emailed Change Britain just before New Year asking the questions outlined below. I would like to express my gratitude to the Change Britain staff member who took the time to give me two courteous replies when many people were probably on holiday or hung-over.

Can you confirm that Change Britain believes that the GDPR should not be implemented, as well as advocating the repeal of the Data Protection Act? Can I ask what analysis you have done into the effects of repealing DP, in terms of its effects on the security and quality of personal data, and the rights of UK citizens to know how their data is used, and to get access to it on request?
Can you also provide me with any proposals Change Britain have for replacing the Data Protection Act / GDPR, or is the idea to remove any controls or protections on the way personal data is used in the UK post-Brexit?
Finally, can you give me any analysis on the effect of repealing the DPA / not implementing GDPR on the ability of UK companies to exchange personal data with EU countries, and how this would affect the UK’s adequacy for Data Protection purposes? As I am sure you already know, not having adequate data protection provisions would make it virtually impossible for EU and UK companies to do business with each other, because no personal data could be shared outside the EU.

In their reply, Change Britain didn’t explain why they hadn’t mentioned GDPR in the first place, but noted that the Coalition Government said in 2013 that the GDPR could ‘impose unnecessary additional costs on current businesses‘, a comment made on a version of the GDPR which is quite different to the one we’re actually getting. The emphasis was on ensuring that “expensive red tape is cut so that the burden on business is reduced“.

They didn’t really answer the questions, but the thrust of their preferred approach seemed to come here: “We believe that it is possible to secure a new relationship that allows ongoing data sharing between the UK and the EU and gives UK policy makers an opportunity to deal with the issues they have identified with EU laws and – in so doing – reduce the burden of red tape on British businesses“. They didn’t mention the fact that the current government has announced that the GDPR will apply or what the implications of that might be for their proposal. Crucially, while they clearly wanted to “reduce the burdens”, they did not explain to me what these burdens were.

It seemed to me that Change Britain were describing the Mother of Worst Case Scenarios: repeal of the DPA with a UK only replacement instead of adopting the GDPR, some kind of negotiated deal over EU data sharing with all the fragility that entails in the world of Max Schrems, a situation which could well mean UK businesses with EU customers separately adopting GDPR for their customers. Of course, there are many who think that an adequacy finding for the UK post-Brexit is going to hard to achieve, and so some kind of UK Privacy Shield arrangement (AKA Daragh O Brien‘s Privacy Brolly) is the likely outcome. But I’m not aware of anyone in the DP world who thinks this is a good idea – it’s just what we might end up with.

I emailed them again. I asked whether they were proposing what I thought they were proposing (making it sound as complicated and horrendous as I did just now). I wondered whether they had a list of the specific burdens that they objected to. I also asked if they had an analysis of the costs of reversing the current position on GDPR, given all the time and money that is currently going into preparing for it precisely because the government has said that we should. Finally, I asked whether a Privacy Shield arrangement was should be the aim, given the fiery death of Safe Harbor and the fact that the prognosis for Privacy Shield is somewhat toasty (to paraphrase).

They were kind enough to reply again, but with a striking lack of detail. “Brexit is an opportunity to repeal laws that don’t work and introduce better versions” they told me. They did not dispute my interpretation of what they want, which is astonishing. They are “aware of the legitimate issues that you have raised, however we also believe that the concerns raised about the impact of the EU’s data protection regime on small businesses should also be given equal weight when the Government considers the opportunities that come from Brexit”. They didn’t explain how reversing current government policy and forcing UK businesses to operate at least two different DP systems, no matter how large or small they might be was in the interests of anyone, and especially, how this would save a billion pounds. There is no reason why a small business wouldn’t be one of the enterprises running Change Britain’s UK DP at home, and the GDPR abroad, notwithstanding the *increase* in red tape that their proposal would involve. Change Britain want two laws in place of one, after all.

Despite claiming that Data Protection doesn’t work, Change Britain have not carried out any analysis on the burdens associated with it to underpin their demand that it should be abolished. They have not calculated the cost of abolishing it and replacing it with something else – indeed, I would go as far as to say that they showed no evidence of having thought about it. They could only point me to the previous government’s (now outdated) view of GDPR, and reports produced by the British Chambers of Commerce in 2005 and 2010. It seems to be a case of UK good, EU bad, even as the GDPR is being scrutinised around the world as a model to emulate, or at least react to.

Change Britain’s abolition of the DPA and the abandonment of the GDPR is an economically illiterate idea on a par with Vote Leave’s NHS Bus Promise. It makes no sense except as a sound-bite in a press release designed solely for headlines and incapable of surviving serious analysis. Change Britain’s idea is the opposite of what the Government has told UK businesses to prepare for. It is a recipe for confusion and uncertainty. It is utterly irresponsible.

Whatever you think of Brexit, it has wiped the future clean. Anyone who confidently predicts what the UK will look like in 2020 or 2025 is a fool or a liar. I think it will be a disaster, but other opinions are equally valid. The UK Government’s confirmation that GDPR will apply is a small strand of certainty. Even though the Secretary of State left the door open for change at some stage (which she has every right to do), we know what’s coming next for Data Protection, despite Brexit. In their antipathy towards the EU and all its works, Change Britain want to murder even this tiny certainty. They have no original thoughts on why they think it’s a good idea beyond money-saving that they cannot possibly stand up. They cannot offer any hint of what they want to replace DPA / GDPR with, except that it must be homegrown. It cannot be European in origin. I very much hope that their proposal gets the shortest shrift that the DCMS has in stock.

Make no mistake, compliance with GDPR will be difficult for some, but I suspect that many of the organisations most keen to decry the GDPR would struggle equally to comply with the 1984 Data Protection Act, produced by the Thatcher Government, which even now has parallels with both our current DP Act and the GDPR. The GDPR is clearer, less technical and more understandable than the DPA. It is in most ways an improvement. Change Britain’s proposal is vandalism, and we should wash it away.

FULL DISCLOSURE: I voted Remain, I wholly accept that the UK is going to leave the EU as a result of the referendum, I am more convinced than I was before that it is a stupid idea, and in a free country, you should defend my right to say so.

Small change

Some senior figures in the charity sector have sought to deal with the Information Commissioner’s recent enforcement against the RSPCA and the British Heart Foundation by suggesting that the ICO’s action is disproportionate and unfair. The fundraiser sorry, academic, Ian MacQuillin has written two blogs which touch on the theme, while a few days ago, Robert Meadowcroft, the Chief Executive of Muscular Dystrophy UK tweeted:

If the is impartial regulator it will investigate practices of and not simply pursue charities

As 2016 is now disappearing over the horizon, I thought it was worth testing the hypothesis that the ICO is taking disproportionate action against charities, and the fines and other enforcement against charities are unrepresentative. TL:DR – it’s complete nonsense.

In 2016, the ICO issued 34 civil monetary penalties – 11 under the Data Protection Act, and 23 under the Privacy and Electronic Communications Regulations (PECR). There are a number of different ways of looking at the figures, and none of them show any evidence of disproportionality.

1) Charity CMPs as a proportion of the total in 2016

Of the 34 penalties, 2 were against charities, so 6% of the ICO’s CMPs in 2016 were against charities.

2) Amount charities were fined, as a proportion of the total in 2016

The CMP total was £3,225,500. The total of CMPs issued against charities was £43,000. This is 1.3% of the total.

3) Proportion of Data Protection CMPs issued to charities in 2016

If you look only at the CMPs issued under Data Protection, the charity proportion is not insignificant – there were 11 DP CMPs, so the 2 charity CMPs are 18% of the total – the same as the police, 1 more than councils, but less than the private sector or the NHS (3 each). However, this is the only comparison where charities feature significantly, and they are not the dominant sector. The next two comparisons are also instructive.

4) Proportion of PECR CMPs issued to charities in 2016

None. This is despite widespread breaches of PECR by charities, including phoning donors who are on TPS and sending texts and emails without consent (for example, the vast majority of mobile numbers gathered via charity posters in 2016 were obtained in breach of PECR).

5) Proportion of CMPs issued for marketing related activities in 2o16

There were 21 PECR CMPs related to marketing, and 2 DP CMPs related to marketing, making 23 marketing CMPs in all. 2 were against charities, which is 9.5% of the total. Given the big charities’ disastrous approach to marketing, this relatively small number is astonishing.

6) Level of CMPs in 2016

The average DP CMP was £108,500; the average charity DP CMP was £21,500.

The average PECR CMP was £84,666.75; there were no charity PECR CMPs.

The highest DP CMP was £400,000; the highest charity DP CMP was £25,000.

7) Other enforcement in 2016

There were 22 enforcement notices issued by the ICO in 2016, 8 under DP and 14 under PECR. 1 of the 8 DP enforcement notices was against a charity, which is 4.5% of the total, or 12.5% of the total DP enforcement notices. Either way, it is a small percentage of the total. Again, if you count the number of marketing related enforcement notices, there were 15, of which 1 was against a charity. This is 6.6% of the total.

8) CMPs since 2010

There have been 69 DP CMPs since 2010 that I can find (they drop off the ICO’s website after a few years); 4 were issued against registered charities, which is 5.8% of the total. The average DP CMP was £114, 163, whereas the average charity was £78,250. It is worth noting that these figures are slightly skewed by the £200,000 penalty against the British Pregnancy Advisory Service, which is a registered charity but receives most of its funding from the NHS.

The CMP against the British Heart Foundation was the 8th lowest CMP overall, while the CMP against the RSPCA was the 9th lowest. The only organisations to receive lower penalties than the charities were small businesses, unincorporated associations, and a bankrupt lawyer.

There have been 47 PECR CMPs that I can find since 2012; none have been issued on charities, which is 0% of the total.


These figures will likely be different in 2017. The ICO has signalled that more DP enforcement against charities is coming, and so the proportion of DP penalties may rise when the totals are in, but that depends on a variety of different factors including the number of other penalties and the ICO’s general approach. However, when you look at the facts for 2016, MacQuillin and Meadowcroft are wrong. Despite years of ignoring the Data Protection and PECR requirements in favour of a flawed, fundraiser-driven approach, the ICO has not taken disproportionate action against the charities. The action taken is a small percentage of the overall total. Special pleading and blame-shifting will not help the sector. Compliance with the law will.

Human Wrongs

A few years ago I went to Strasbourg, home of the famous European Court of Human Rights. After admiring the building itself, I noticed a disabled man camping on the other side of the tracks that take visitors to the tram stop named, rather piously, ‘Droits De L’Homme’. He had a huge display in several languages, setting out the appalling injustice that the Court had dealt him by not upholding his case. There were several such men, who would no doubt have treated a ECHR victory as total vindication, but the loss was evidence only of the Court’s bias and corruption. I immediately thought of the notorious FOI applicant and progenitor of vexatious caselaw Alan Dransfield, and wondered if one day, he would be one of the poor souls, earnestly telling his sorry tale to tourists. This is unlikely of course, because Dransfield would spend his time shouting at every passer-by that they were a dickhead.

Nevertheless, the website ‘Amazon News Media’ chose to celebrate International Human Rights Day last month (10th December, diary fans) by publishing an open letter from Dransfield to the Justice Secretary Elizabeth Truss. Fans of Dransfield’s work will be pleased to see a number of familiar themes in the letter. Dransfield claims that the Information Commissioner’s Office is guilty of fraud and theft of public funds. There is ‘tangible evidence‘ that they, along with multiple public authorities, are involved in a conspiracy to pervert the course of justice:

The evidence of complicity between the ICO and Public Authorities seeking to avoid obligations under FOI by consistent misuse and abuse of Section 14/1 vexatious exemption is overwhelming

Dransfield doesn’t specify what the overwhelming / tangible evidence is, beyond asserting that he lost his case at the Court of Appeal, so QED: the fix is in. The letter makes a series of allegations about the ICO and demands that the Commissioner is sacked and replaced by himself. The allegations are a mixture of falsehood (he says that they don’t publish their register of interests when they do) and opinion (he claims it is a breach of an unspecified EU Trade law that the ICO usually uses 11KBW for legal services, ignoring the fact that they are the leading information law chambers in the UK). The only verifiable claim is the conflict of interest in having a council leader act as a manager of a team that deals with complaints about councils and political parties. Dransfield only knows about this because I did an FOI request about it and wrote about it here (inevitably, Dransfield spells his name wrong and the mistake slipped through Amazon News Media’s presumably robust fact checking procedures).

If you’re not familiar with it, the scale of the Dransfield conspiracy is breathtaking – construction companies including Balfour Beatty, multiple councils, the Health and Safety Executive, Dransfield’s MP Ben Bradshaw, the previous and current Information Commissioners and many of their staff, West Ham United, the Olympic Delivery Authority and various other Olympic bodies, former secretary of state Chris Grayling, myself, the Upper Tribunal, the Court of Appeal, the Supreme Court and the House of Lords, all working tirelessly to cover up the construction of a network of unsafe buildings and bridges across the UK. Only Dransfield has the insight to see the conspiracy in all its Byzantine complexity, and the entire UK legal system is ranged against him to stop his crusade.

There is, of course, another perspective, but Amazon News Media have seemingly backed Dransfield with gusto. The accompanying editorial hails “Mr Dransfield’s long experience as a social watchdog” and complains of his “extensive scapegoating” but demonstrates a slender grasp on the facts. For example, it claims that vexatiousness was planted at the second, Upper Tier Tribunal, rather than being a feature of the original refusal dealt with by the ICO. Moreover, like Dransfield, Amazon News Media make big play of the fact that it was the ICO who appealed to the Upper Tribunal and Court of Appeal, describing it as an “abuse” of the system. When Dransfield went to the First Tier Tribunal, he was appealing the ICO’s decision, not Devon’s original refusal. If the ICO disagrees with the FTT, it is they (and not Devon) who must take forward the appeal. The appeal process is not open only to the applicant – public authorities and applicants can challenge the Commissioner, but the Commissioner is entitled to challenge decisions that they think are wrong. This is how the system is designed, and Dransfield chose to use that system. Complaining about the result of a process you initiated is acting like the men outside the ECHR.

I put a comment on the Amazon News Media blog, pointing out that I had made 100s* of FOI requests without ever being refused as vexatious (the issue of Alex Ganotis’ role at the ICO just being one of many), pointing out that Dransfield’s hostility and abusive character is probably part of the problem. An unnamed representative of the organisation dismissed this – apparently, when Dransfield called the Information Commissioner Elizabeth Denham a ‘useless cow’ on Twitter, this was just “colourful language [that] perhaps reflects the insult of having your name unreasonably scape-goated for half a decade“. So perhaps the insult is Denham’s fault for not giving Dransfield the face-to-face meeting he’s been demanding since July. It’s an odd perspective, because Dransfield has been calling me a prick and a dickhead for disagreeing with him ever since this mess started.

I can’t work out who runs the Amazon News Media site – it describes itself as “an evidence-based website practising freelance written and video journalism“, but the website, Twitter account and Facebook page are all somewhat anonymous. The site itself is registered to a David Hodgson in New Zealand, but the nameless person who runs the Twitter account told me that it is based in Swansea. Whoever they are,

UPDATE: I know who they are. I’ve read all 59 pages of the judgement.

They have made a fatal error in their analysis of Dransfield’s case. The editorial states that Dransfield enjoys “superior knowledge of lighting protection systems, and Health and Safety regulations” – the problem is that this is irrelevant to the case. S14 of FOI has no public interest test – it’s not about the information, but the process.

The Information Commissioner, the two Tribunals and the Court of Appeal are not supposed to decide whether Dransfield is right about the unsafe buildings. For the record, I think the conspiracy is a complete fantasy, and Dransfield’s requests are the result of a grudge against his former employer, Balfour Beatty. None of Dransfield’s blood-curdling predictions about fatal lightning strikes have come true, and I am not aware of anyone in the UK Health and Safety sector who backs his theories (I’m famously an arsehole and lots of people agree with me about Data Protection despite this impediment).

None of this matters. The question in play is not one about Health and Safety. The question is whether Dransfield’s torrent of requests, complaints and other correspondence were an abuse of the FOI system. Dransfield had every opportunity to put his case before four independent bodies – one of them agreed with him, and the others did not. It’s not impossible for Dransfield to be right about the buildings (as unlikely as this may seem) and yet, because of his hostility, his stubbornness and the sheer weight of his requests, they tip into vexatiousness.

Ironically, despite Dransfield’s antipathy towards the ICO (and his misogyny towards the new Commissioner), his demand that the ICO sort out the vexatious issue is completely wide of the mark. Even if Denham accepted that he was right, she is powerless to reverse the Dransfield decision. If Wilmslow executed a volte face tomorrow, the Court of Appeal decision would still stand. Public authorities could use the CoA judgement against the ICO in the Tribunals who would be bound by it. Only the courts can change the decision – it is out of the Commissioner’s hands. It’s tempting to believe that Dransfield knows this, and he directs his rage toward the ICO solely because he enjoys it, rather than knowing it will change the outcome.

In the end, Amazon News Media grew tired of my interventions and refused to publish my final comment unless I edited out all of the mansplaining, repetition and “snark”. Instead of being censored, you can – if you wish – read the comments on ANM, and then, by way of a conclusion to all this, I reproduce the comment that they found so objectionable.

You can twist what I have said in any direction that suits you. The decisions that the ICO makes are, obviously, about the public interest (where that applies, and with some exemptions, it doesn’t). Sometimes they get those decisions wrong, sometimes they get them right. When a decision has been tested at several levels, and then looked at subsequently by differently constituted tribunals, you have two choices. Either you can believe that there is an enormous conspiracy to subvert the FOI Act, or you can look at the particular case and decide that maybe the system got it right. There is no inner truth here – you believe what you want to believe based on your own prejudices.

What I said above is that Mr Dransfield’s letter, your publication of it and your conspiracy theories about the legal system will have no practical effect. Truss will not intervene because it isn’t her place to intervene in legal cases. The European Court of Human Rights will not intervene, because Mr Dransfield has been refused leave to appeal there. These are facts – you can put a political / paranoid spin on them if you like, but the spin doesn’t change the facts. If you want to stop vexatious decisions being made under Dransfield, someone needs to take a case all the way to the Court of Appeal and get Dransfield overturned. Alternatively, the FOI Act will have to be amended in Parliament. Given that you think the entire legal system is corrupt, I assume you’re not much keener on MPs. Which makes all of the above a monumental waste of time. But at least it gives you and Dransfield something to do.

* ANM refuse to believe that I have made 100s of FOI requests without proof. Given that they are willing to turn an abusive blowhard into a Human Rights champion without any justification, I am content to say that I have, and if they or you don’t believe me, I don’t care.

** It has been suggested to me that in my comment above, I said that the Court of Appeal can overturn Dransfield, whereas the suggestion is that actually, only the Supreme Court can do it i.e. the court *above* the Court of Appeal. If this is right (and I suspect that it is), the difficulty of reversing Dransfield is greater.

Fair Cop

The bedrock of Data Protection is fairness. You cannot gain consent without fairness. Your interests are not legitimate interests if they are secret interests. Unless you have an exemption or you claim that telling the person represents disproportionate effort (i.e. the effort of telling outweighs the actual impact), you have to tell the person whose data you are using the purposes for which their data will be used, and any other information necessary to make the processing fair.

The ICO’s Privacy Notices Code of Practice is not ambiguous, nor was its predecessor. It is impossible to read the ICO’s published guidance on fair processing without taking away the key message, consistently repeated for more than a decade: if something is surprising or objectionable, especially if it involves some kind of impact or sharing outside the organisation, it should be spelt out. New-ish Information Commissioner Elizabeth Denham seems to have chosen to reverse the ICO’s previously timid, unimaginative approach to the first principle with a pair of civil monetary penalties against charities. We have one each for the Royal Society for the Prevention of Cruelty to Animals, and the British Heart Foundation, with the promise of more to come. You might say it was unfortunate that charities are first in line rather than, say, credit reference agencies or list brokers (to be a touch tautological). It was the charity sector’s misfortune to fall under the Daily Mail’s Basilisk gaze, and they have to accept that we are where we are.

To issue a civil monetary penalty, there are three hurdles for the ICO to clear. Firstly, there must be a serious breach. Both charities used commercial companies to profile thousands (and in one case, millions) of donors, buying up data from publicly available sources* to assess their wealth and resources, they shared data with other charities whose identity they did not know via a commercial company, and in the case of the RSPCA, they bought contact details to fill in data that donors had provided. The average donor did not have any idea that this was happening. I can see there’s a problem that when everyone in the charity sector knows that wealth screening goes on, it seems normal. But I’ve been using it as an example on my training courses ever since the Mail revealed it, and bear in mind that these are often seasoned data protection professionals who know about data sharing and disclosure, attendees are invariably shocked and some cases revolted by what I tell them.

There is no doubt in my mind that this processing needed to be spelt out, and there is no doubt from the notices that it was not. Carefully selected third parties or partners has been a stupid lie in marketing for years, but not even knowing where the data goes is much worse than the usual flogging it to all comers. At least the list broker knows who he’s flogging it to, even though the only careful selection is the ability to pay.

The second hurdle is the need to show that the breach is likely to cause damage or distress to the affected data subjects. It’s been known for quite some time that the ICO was planning to take enforcement action over the Mail stories, and the gossip I heard from charities was that fines were likely. I’ll be honest, I wasn’t convinced. The Information Commissioner lost a Data Protection Tribunal appeal from Scottish Borders Council because they bungled the damage / distress element of a £250000 CMP over pension records found in recycling bins. ICO made a flawed claim that the loss of paper pension records was likely to result in identity theft, but Borders had an expert witness who could argue convincingly that this was not true. The link between the breach (the absence of a contract with the company processing the data) and the damage was broken, and the ICO lost.

But this case is different. The ICO does not need to make a link between an incident and a breach, because they are bound up together here. Both notices show that the ICO has given considerable thought to the distress angle. There is no question that the charities breached the first principle, and their only hope for an appeal is to convince the Tribunal that people would not be caused substantial distress by secret profiling and data sharing after an act of generosity. This is not science, and all I can say is that I am persuaded. But for an appeal to be successful, the charities will need to persuade a Tribunal with strong experience and knowledge of DP and PECR from the numerous (and almost exclusively doomed) marketing appeals.

The third element requires the breach to be deliberate or a situation where the charities ought reasonably to have known about the breach. As I have already said, the ICO’s position on fair processing is well known in my sector and available to anyone who can type the ICO’s web address. I think it’s possible that the charities didn’t know what they were doing was a breach, but in my opinion, this is because the Institute of Fundraising and the Fundraising Standards Board effectively acted as a firewall between charities and reality. The advice (often inaccurate and out of date) came from the IoF, and complaints about charities went to the FRSB and no further. When your code of practice is written by the people who earn their living from fundraising and most in your sector are doing the same thing as you are, it’s not hard to fool yourself into thinking it’s OK. But ‘everybody does it’ will cut no ice with the Tribunal. The RSPCA and the BHF are not tiny charities flailing in the dark – they are massive, multi-million pound operations with vastly greater resources than many of my clients.

Daniel Fluskey, head of Policy for the Institute of Fundraising, whose apparent lack of experience or qualifications in Data Protection does not prevent him from writing inaccurate articles for the charity sector on GDPR, has already weighed in, saying that the ICO should be providing the specific wording that charities require: “Charities need more detail on the ICO’s view of what lawful practice looks like: what form of words would have passed the test?” The Information Commissioner is the regulator for every organisation, of every size and shape, that processes personal data. If they start writing tailored wording for charities, they will have to do it for everyone else as well. It is a ridiculous demand. I think the ICO should move on to the data pools, wealth screeners and list brokers, but if she could find the time to issue an enforcement notice on the Institute of Fundraising, forbidding them ever to speak or write on Data Protection matters again, the third sector would have a fighting chance of complying.

Besides, how hard is it to find compliant wording? Nobody – especially not the trade association for fundraisers – should be allowed to present this as a byzantine and complex task. The individual doesn’t need to know what software you’re using, or whether cookies are involved. They need to understand the purpose – what are you collecting, what are you going to do with it, who are you going to give it to? This should be presented without euphemism or waffle, but it’s when you strip out the legalistic nonsense, you see the problem. It isn’t that the poor charities were labouring under the burden of complex data protection rules. They could not comply with the Data Protection Act because what they were doing (and in RSPCA’s case, are apparently still doing) is so unattractive:

  • We will share your details with unspecified charities via a commercial company. We don’t know who they are.
  • We will buy your phone number, postal or email address from a commercial company if you have not given it to us.
  • We will use commercial companies to compile a profile of your wealth and property to work out whether to ask you for further donations. If you are likely to be worth a lot when you die, we will use this information to ask you for a bequest.

When Reactiv Media appealed their PECR penalty, the Tribunal rejected their appeal and increased the penalty. Like a lot of the spammers, they put themselves into administration to avoid paying up, but this option is not available to household name charities. If either the RSPCA or BHF appeal, they are dragging themselves deeper into the mud, and very possibly spending thousands more of donors’ money to do so. If they say that what they did wasn’t a breach, or that they couldn’t have been expected to know that it was, their officers, advice and business model will be scrutinised to a doubtlessly painful extent. The claims management company Quigley and Carter found themselves described as “feckless” and “most unimpressive” in the course of being filleted during a recent failed appeal. Do charities really want that? Even if they decide to roll the dice solely on distress, does either charity really want to acknowledge a serious breach that they knew or ought to have know about in the hope of getting the fine overturned on a technicality? Do they want ICO to call donors as witnesses?

The business model of pressure selling, TPS-busting, heavy texting, data sharing and donor-swapping adopted by some of the UK’s most celebrated charities resembles nothing so much as the activities of the claims management, PPI spammers (i.e. the scum of the earth). For all the noise and bluster on Twitter and in the charity press this week, there is an uncomfortable truth that has to be faced. The hated Daily Mail unearthed it, and the ICO has rightly acted on it. Some big charities have run an end-justifies-the-means approach to marketing and they have got away with it for a decade. Fundraisers ruled the roost, and compliance has been sidelined or ignored. Given how much money the RSPCA and the BHF have raised from fundamentally unlawful practices, they should pull back and rethink how they get donations in the future. They should ignore the Institute of Fundraising’s every word on Data Protection and PECR, and like every other charity, concentrate on reading and applying the ICO’s Code on Privacy Notices and guidance on Direct Marketing.

And right now, if there is a fundraiser sitting with the two CMP notices working out how to at the same time devise a method to raise loads of cash for their cause while complying with Data Protection and PECR, I hope they wipe the floor with everyone else.

*citation needed

Actually asked questions

One of the annoying things about working on documents or advice for the public is the inevitable moment where someone asks “shouldn’t we have some FAQs?”. And then someone proceeds to write a series of questions that the organisation wants the public to know the answers to, rather than the answers to questions the public have actually asked. Frequently asked by who, is what I frequently want to know.

I am currently working on a product aimed giving data protection advice to charities. It will be free to access, and should hopefully be ready by the end of the year (early in January is equally likely). It will take into account the current DP and PECR law, the Fundraising Preference Service and associated Regulator, as well as anticipating the GDPR in several key aspects. As part of this, I would like to include an ‘actually asked questions’ section, in which people working on DP or IG for charities ask questions, and I provide the answers.

This is where you (hopefully) come in.

I want to get real questions from practitioners and volunteers working in the charity sector. There are a whole bunch of things I want to say about the topic, but questions from the intended audience are vital to make the guidance meaningful. If you have any questions about Data Protection, PECR, marketing, volunteers, security or other related matters, please send them to the following email address:

You can be specific or general. You can ask about the detail, the background, individual scenarios relevant to your work or issues that cover the whole sector. I would be happy with 5 questions, or 500. You can also tell me things you think DP guidance for charities should include. I have the content more or less planned out, but I might have missed something.

There are a few things you need to know before sending a question in.

1. You will not receive an individual answer to your question. Your question, if at all possible, will be answered in the FAQ section of the product. It may be that your question is answered in the main body of the text, in which case, your question will not feature specifically but the answer will still be there. If it is impossible to answer your question – time permitting – I will reply direct to you to explain why and give some advice if I possibly can.

2. You will not be added to any mailing list, or receive any marketing as a result of participating. If you indicate in your email that you want to know when the product is available (it will be free, and getting access to it will not involve any obligations or commitments), then I will send you a single email to let you know. You will receive nothing else and your details will not be retained for any other purpose.

3. All questions will be treated anonymously. You, and the charity you are associated with, will not be identified or alluded to in the product, no matter what the nature of the question is. Even if the question is “can we sell our donors’ data to a claims management company?’ or “can we buy data even if we think it might have been stolen?”, you will not be identified. The sole purpose of this is to make the product more useful and lively by getting direct input from the intended audience. By the way, the answer to both of the above questions is no.

4. Questions sent in after 15 December probably won’t make the cut (although I will do my best to read anything received after that)

The final shape of the product may go one of several ways, so I am being vague about what it actually is – one option is easy but less interesting, the other is better but more time consuming. Nevertheless, to emphasise the point again, it will be free, and you will receive no marketing or further contact if you choose to participate.

I very much hope that if you have any questions or queries, or other issues you would like to raise, you will send them in. Thanks for reading – if you have the opportunity to tweet or circulate this to people in the charity sector who might have questions they want to ask, I would be very grateful if you would. I cannot promise that anyone who necessarily like what I have to say, but I’m very keen to find out what you’d like to know.