Advertising standards

This week, the great and the good and some other people descend on Cambridge for the 30th Annual Privacy Laws and Business’ three day Data Protection Conference in Cambridge. It’s a big event, with Data Protection regulators, practitioners and a large collective noun of DP lawyers all milling around St John’s College listening to each other talk. I’ve only been once – no employer I’ve ever worked for wanted to pay, so I ended up pitching PLB a talk about crap Data Protection stories so I could get in for nothing. The cheapest possible ticket is a one day option for charities and the public sector at £437.50 +VAT; for 3 days, that goes up to £1242.50 + VAT, while someone working for a company with more than 500 employees will pay £1775 + VAT, plus more for accommodation or the optional Sunday night dinner. The college bars have extended opening hours in case you have more money to burn.

As PLB’s amusingly vulgar marketing makes clear, this is no dry academic event. For attendees with the requisite funds, the conference is an opportunity to ‘take your place at the privacy top table‘ and enjoy ‘Privileged Access‘ to the various Data Protection regulators in attendance. Emails from PLB promise that DP Authorities such as Helen Dixon from Ireland, Isabelle Falque-Pierrotin from France and our very own Elizabeth Denham will be available for ‘priceless informal one-to-one discussions’ and will be ‘pleased to engage you in discussion‘. Imagine that.

The UK’s Information Commissioner is being particularly accommodating this year. As well as being listed on the conference website as a ‘Supporter’ of this commercial event, the Commissioner herself is giving a talk on Tuesday and chairing another session while no fewer than five ICO staff members will be in attendance (a fact advertised by PLB in the ‘top table’ email). Perhaps most generously of all, Mrs Denham is the star of an advert for the conference, happily plugging the relaxed atmosphere and expert PLB staff while exhorting viewers to attend. And this is where I have a problem.

There’s nothing wrong with the ICO appearing at commercial events like this – big conferences are a legitimate way to make the organisation more visible and get messages out. It’s very different if the ICO is endorsing the event in question. The PLB conference is not a charity or public sector event – it is a commercial conference run for profit. The ICO’s speaking engagement policy says explicitly that ICO officers should avoid accepting invitations where ‘our attendance can be interpreted as ICO endorsement of a commercial organisation over those of competitors‘, and yet Denham has gone further than that, by actively promoting the conference and the expertise of PLB’s staff. The same policy states that the ICO logo must not be displayed when labelled as a ‘supporter’ – which is exactly what PLB are doing with the logo on their website.

I made an FOI request to the ICO about Denham’s appearance in the advert, asking for emails and other correspondence about why she agreed to do it. In the initial response, there was no evidence of an invitation, only emails arranging the filming itself. When I queried this, I was told that the original request was made and agreed to verbally last October, and while there may have been some follow-ups by email shortly thereafter, they will have been deleted because the ICO deletes all emails from everyone’s inbox after six months. So Denham, who famously burnishes her records management credentials, didn’t think it was worth keeping a record of why she had decided to endorse a commercial event, despite breaching her own speaking engagement policy and code of conduct by doing so.

The correspondence I did get was nevertheless illuminating. When I made my request, I used the word ‘advert’ because PLB were describing it as a ‘conference video’ and I wanted to underline what it really was. However, the word ‘advert’ is used routinely by ICO staff in their emails – there is no question that Denham and her staff perceived it as being something else. The content of Denham’s turn came directly from Stewart Dresner, PLB’s Chief Executive. Even specific phrases that she uses (the sickly ‘summer school‘ for example, at which she at least has the decency to laugh while saying) come direct from one of his emails to her. After it was filmed, Denham was keen to check that Dresner thought the video was OK, and he replied with a sentence that should have pulled everyone up short: “I greatly appreciate you taking this step and so effectively endorsing several important features of our conference” (my emphasis). The ICO is an independent regulator; endorsing commercial products or events should be beyond the pale. The ICO’s code of conduct is obviously based on the Civil Service Code, but they have adapted it in a key passage. The Civil Service Code says that officers should not use information they have obtained in the course of their work to favour others, but the ICO goes further:

You should not misuse your official position, or information acquired during the course of your duties, to further your private interests or those of others

If you are a member of the senior management team, or a member of staff who is either working on a contract or dealing with issues which could raise matters of substance, you should ensure that any possible conflicts of interest are identified at an early stage and that appropriate action is taken to resolve them.

 

Senior officers like Robert Parker, the ICO’s head of communications, and Steve Wood, recently appointed Deputy Commissioner after Rob Luke’s mysterious cameo appearance, were involved throughout this correspondence. Even if Denham didn’t think an endorsement could be problematic, her staff should have intervened. Most of the ICO’s senior management were at least copied into the emails I’ve received, and none of them identified a problem in the Commissioner personally endorsing a commercial event in breach of her own policies. There is a telling moment in the correspondence where Dresner complains that PLB were not aware of Denham giving evidence to Parliament. Dresner’s expectation is that PLB will be tipped off about such appearances: “we do suggest that you distinguish between your mass media list, who would receive some media releases, and your specialist media list, who would receive all of them“. It’s clear that Dresner expects special treatment – and why wouldn’t he? The Commissioner herself is advertising his conference.

Nobody at the ICO would ever recommend anything that I did or was involved in because I write stuff like this, so you might think this is all just sour grapes. Given that I don’t think the ICO is an effective regulator, I couldn’t seek their approval even if they would give it but in any case, I don’t want Wilmslow’s endorsement. If I have anything going for me as a itinerant jobbing consultant, it’s that I am independent and I encourage the people I deal with to think and act independently. What’s distasteful about this episode is that the Commissioner, for whom independence isn’t a bonus but a necessity, doesn’t seem to act in the same way. Using the regulator’s name to flog conference places should be inconceivable, and yet this is what Denham has done. However prestigious or expert they may appear, the Information Commissioner should not personally or corporately recommend or endorse commercial products and organisations. This shouldn’t have happened, and it must not happen again.

Fair Cop

The bedrock of Data Protection is fairness. You cannot gain consent without fairness. Your interests are not legitimate interests if they are secret interests. Unless you have an exemption or you claim that telling the person represents disproportionate effort (i.e. the effort of telling outweighs the actual impact), you have to tell the person whose data you are using the purposes for which their data will be used, and any other information necessary to make the processing fair.

The ICO’s Privacy Notices Code of Practice is not ambiguous, nor was its predecessor. It is impossible to read the ICO’s published guidance on fair processing without taking away the key message, consistently repeated for more than a decade: if something is surprising or objectionable, especially if it involves some kind of impact or sharing outside the organisation, it should be spelt out. New-ish Information Commissioner Elizabeth Denham seems to have chosen to reverse the ICO’s previously timid, unimaginative approach to the first principle with a pair of civil monetary penalties against charities. We have one each for the Royal Society for the Prevention of Cruelty to Animals, and the British Heart Foundation, with the promise of more to come. You might say it was unfortunate that charities are first in line rather than, say, credit reference agencies or list brokers (to be a touch tautological). It was the charity sector’s misfortune to fall under the Daily Mail’s Basilisk gaze, and they have to accept that we are where we are.

To issue a civil monetary penalty, there are three hurdles for the ICO to clear. Firstly, there must be a serious breach. Both charities used commercial companies to profile thousands (and in one case, millions) of donors, buying up data from publicly available sources* to assess their wealth and resources, they shared data with other charities whose identity they did not know via a commercial company, and in the case of the RSPCA, they bought contact details to fill in data that donors had provided. The average donor did not have any idea that this was happening. I can see there’s a problem that when everyone in the charity sector knows that wealth screening goes on, it seems normal. But I’ve been using it as an example on my training courses ever since the Mail revealed it, and bear in mind that these are often seasoned data protection professionals who know about data sharing and disclosure, attendees are invariably shocked and some cases revolted by what I tell them.

There is no doubt in my mind that this processing needed to be spelt out, and there is no doubt from the notices that it was not. Carefully selected third parties or partners has been a stupid lie in marketing for years, but not even knowing where the data goes is much worse than the usual flogging it to all comers. At least the list broker knows who he’s flogging it to, even though the only careful selection is the ability to pay.

The second hurdle is the need to show that the breach is likely to cause damage or distress to the affected data subjects. It’s been known for quite some time that the ICO was planning to take enforcement action over the Mail stories, and the gossip I heard from charities was that fines were likely. I’ll be honest, I wasn’t convinced. The Information Commissioner lost a Data Protection Tribunal appeal from Scottish Borders Council because they bungled the damage / distress element of a £250000 CMP over pension records found in recycling bins. ICO made a flawed claim that the loss of paper pension records was likely to result in identity theft, but Borders had an expert witness who could argue convincingly that this was not true. The link between the breach (the absence of a contract with the company processing the data) and the damage was broken, and the ICO lost.

But this case is different. The ICO does not need to make a link between an incident and a breach, because they are bound up together here. Both notices show that the ICO has given considerable thought to the distress angle. There is no question that the charities breached the first principle, and their only hope for an appeal is to convince the Tribunal that people would not be caused substantial distress by secret profiling and data sharing after an act of generosity. This is not science, and all I can say is that I am persuaded. But for an appeal to be successful, the charities will need to persuade a Tribunal with strong experience and knowledge of DP and PECR from the numerous (and almost exclusively doomed) marketing appeals.

The third element requires the breach to be deliberate or a situation where the charities ought reasonably to have known about the breach. As I have already said, the ICO’s position on fair processing is well known in my sector and available to anyone who can type the ICO’s web address. I think it’s possible that the charities didn’t know what they were doing was a breach, but in my opinion, this is because the Institute of Fundraising and the Fundraising Standards Board effectively acted as a firewall between charities and reality. The advice (often inaccurate and out of date) came from the IoF, and complaints about charities went to the FRSB and no further. When your code of practice is written by the people who earn their living from fundraising and most in your sector are doing the same thing as you are, it’s not hard to fool yourself into thinking it’s OK. But ‘everybody does it’ will cut no ice with the Tribunal. The RSPCA and the BHF are not tiny charities flailing in the dark – they are massive, multi-million pound operations with vastly greater resources than many of my clients.

Daniel Fluskey, head of Policy for the Institute of Fundraising, whose apparent lack of experience or qualifications in Data Protection does not prevent him from writing inaccurate articles for the charity sector on GDPR, has already weighed in, saying that the ICO should be providing the specific wording that charities require: “Charities need more detail on the ICO’s view of what lawful practice looks like: what form of words would have passed the test?” The Information Commissioner is the regulator for every organisation, of every size and shape, that processes personal data. If they start writing tailored wording for charities, they will have to do it for everyone else as well. It is a ridiculous demand. I think the ICO should move on to the data pools, wealth screeners and list brokers, but if she could find the time to issue an enforcement notice on the Institute of Fundraising, forbidding them ever to speak or write on Data Protection matters again, the third sector would have a fighting chance of complying.

Besides, how hard is it to find compliant wording? Nobody – especially not the trade association for fundraisers – should be allowed to present this as a byzantine and complex task. The individual doesn’t need to know what software you’re using, or whether cookies are involved. They need to understand the purpose – what are you collecting, what are you going to do with it, who are you going to give it to? This should be presented without euphemism or waffle, but it’s when you strip out the legalistic nonsense, you see the problem. It isn’t that the poor charities were labouring under the burden of complex data protection rules. They could not comply with the Data Protection Act because what they were doing (and in RSPCA’s case, are apparently still doing) is so unattractive:

  • We will share your details with unspecified charities via a commercial company. We don’t know who they are.
  • We will buy your phone number, postal or email address from a commercial company if you have not given it to us.
  • We will use commercial companies to compile a profile of your wealth and property to work out whether to ask you for further donations. If you are likely to be worth a lot when you die, we will use this information to ask you for a bequest.

When Reactiv Media appealed their PECR penalty, the Tribunal rejected their appeal and increased the penalty. Like a lot of the spammers, they put themselves into administration to avoid paying up, but this option is not available to household name charities. If either the RSPCA or BHF appeal, they are dragging themselves deeper into the mud, and very possibly spending thousands more of donors’ money to do so. If they say that what they did wasn’t a breach, or that they couldn’t have been expected to know that it was, their officers, advice and business model will be scrutinised to a doubtlessly painful extent. The claims management company Quigley and Carter found themselves described as “feckless” and “most unimpressive” in the course of being filleted during a recent failed appeal. Do charities really want that? Even if they decide to roll the dice solely on distress, does either charity really want to acknowledge a serious breach that they knew or ought to have know about in the hope of getting the fine overturned on a technicality? Do they want ICO to call donors as witnesses?

The business model of pressure selling, TPS-busting, heavy texting, data sharing and donor-swapping adopted by some of the UK’s most celebrated charities resembles nothing so much as the activities of the claims management, PPI spammers (i.e. the scum of the earth). For all the noise and bluster on Twitter and in the charity press this week, there is an uncomfortable truth that has to be faced. The hated Daily Mail unearthed it, and the ICO has rightly acted on it. Some big charities have run an end-justifies-the-means approach to marketing and they have got away with it for a decade. Fundraisers ruled the roost, and compliance has been sidelined or ignored. Given how much money the RSPCA and the BHF have raised from fundamentally unlawful practices, they should pull back and rethink how they get donations in the future. They should ignore the Institute of Fundraising’s every word on Data Protection and PECR, and like every other charity, concentrate on reading and applying the ICO’s Code on Privacy Notices and guidance on Direct Marketing.

And right now, if there is a fundraiser sitting with the two CMP notices working out how to at the same time devise a method to raise loads of cash for their cause while complying with Data Protection and PECR, I hope they wipe the floor with everyone else.

*citation needed

Caesar’s Wife

In May 2016, the Labour member for Heatons North, Alex Ganotis, became Leader of Stockport Council, having been a councillor for some years. A month or so later, I read a story mentioning him in the Manchester Evening News, and his name rang a bell. Alex Ganotis is also a Group Manager at the Information Commissioner’s Office – I know this because he has signed hundreds of FOI Decision Notices on behalf of the Commissioner.

I made an FOI request to the ICO to find out more about Mr Ganotis’ role – in particular, I wanted to know how likely it was that a professional politician might be involved in complaints to the ICO involving political parties or local government. If Mr Ganotis worked on financial services or health, for example, he would need to maintain a high degree of professionalism and neutrality, but there would be no immediate conflict of interest. So I asked the ICO what team he manages. The answer:

Mr Ganotis manages a team of staff who deal with complaints and concerns about councils and political parties

I had to read this several times before I could take it in.

The ICO’s Policy on party political activities is helpfully published on its website. It makes reassuring reading:

The ICO is an independent body and it is important for it to be free from party political bias, and to be clearly seen and acknowledged as being free from such bias……. It is of paramount importance that the ICO is acknowledged as being free from party political bias and influence. The work that we do can often be of a politically sensitive nature and any substantiated allegations of bias would have serious repercussions for the future of the ICO.

The policy sets out a process through which an ICO employee can gain approval for party political activities. I asked when Ganotis went through this process, and the ICO revealed that he was approved in October 2008, which means that his dual ICO / councillor role went on for nearly eight years before he became Leader – he did not seek re-approval when he became Leader, so it seems that the ICO has not reassessed his role now he is a council leader, nor has he asked for this to happen.

I asked for recorded information about the approval process for his role. The ICO has nothing. I asked for any recorded information about measures taken to ensure, in the Policy’s words, that ‘potential for conflicts of interest’ have been minimised with regard to Mr Ganotis’ role. Nothing is held. The ICO added “Mr Ganotis’ line manager and his peers are responsible for assigning decision notices and make a judgement on a case-by-case basis as to what he is assigned, taking into account whether individual cases could pose a potential conflict of interest.” There are no formal arrangements, no written criteria or parameters, nothing to measure or audit against. The ICO enthusiastically fines organisations hundreds of thousands of pounds for failing to maintain properly documented processes, but in the case of having a professional politician managing a team that deals with hundreds of complaints about political parties and councils, the ICO itself sees no need for rigour. Trust whoever decided that this is OK, Wilmslow says, because we have nothing else to offer.

Mr Ganotis is a Group Manager, answering to a Head of Department, but the ICO’s response makes clear that the former Information Commissioner himself, Richard Thomas, approved of the arrangement: “the Commissioner at that time was made aware of his standing and subsequent election“. When I wrote this blog originally, I assumed it was Christopher Graham who was Commissioner, but he did not take over until 2009. ICO trivia fans may remember that Graham was himself once a councillor (for the Liberal Party) and a twice-unsuccessful parliamentary candidate – one wonders if he knew about Ganotis’ status, and if he did not, why nobody told him.

Anyone who has political beliefs or leanings and works in local or central government knows the awkward but vital requirement to set those beliefs aside and act neutrally in the public interest. As a Labour voter in every election since 1992, I have done it myself. It is not easy, but you don’t need to be a saint to achieve it. I cast no doubt on Mr Ganotis’ personal integrity, or ability to do the same. But anyone who thinks that’s the point just needs to Google the title of this blog.

Mr Ganotis has signed hundreds of FOI decision notices on behalf of the Information Commissioner, exercising the Commissioner’s statutory powers. Those notices include  councils across the UK, and government departments run by ministers who, in his other role, Mr Ganotis publicly opposes, and he has been doing so for years. The ICO disclosed to me a spreadsheet of the cases that Ganotis’ team has dealt with since January 2014 (records before that are routinely destroyed). A quick glance at the organisations concerned give a flavour of the issues that pass across the team’s desk in just one month. In July 2016, I can see the Labour Party (8 times), Momentum, Saving Labour, and Progress. It is hard to imagine any team would be more steeped in politics and arguments about political activity than this one, and the (former) Information Commissioner decided that a professional politician was the right person to manage it.

Over the past few years, the Labour Party has carried out its obnoxious and unfair purge, struggled with allegations of member data misuse on all sides (Corbyn, Momentum and Owen Smith), and demonstrated the traditional party blindness to PECR. I have myself blogged sorrowfully but repeatedly about Labour’s Data Protection and privacy woes for several years. In all of that time, only David Lammy’s doomed automated calls have faced any enforcement action (and he wasn’t even an official Labour candidate in the election concerned). To be clear, I have no evidence of any influence being brought to bear on this. But, as the ICO’s own policy states explicitly, “the organisation does seek to ensure that the potential for conflicts of interest is minimised as is the possibility of the ICO being accused of being politically biased“. In this, Mr Ganotis, his line manager and the former Commissioner have failed, and failed spectacularly. How can anyone in politics have confidence in the ICO’s decisions?

Any FOI decision notice involving a council or a government department signed by Mr Ganotis could be tainted, and there are hundreds of them. The ICO’s failure to take action against the Labour Party for a consistently terrible approach to Data Protection and privacy issues is no longer just over-caution, but potentially something far more objectionable. Every case Mr Ganotis has been involved in could be perfect, but the ICO cannot guarantee this with a straight face; their own policy recognises the problem of perception, but their practice is blind to it. They could have moved Ganotis at any point since 2008 to another job of equal standing, and the problem would have evaporated. He is still in place.

That Mr Ganotis could not see that continuing to manage a team responsible for complaints about political parties and councils was incompatible with his role first as councillor and then as Council Leader raises a question about his judgement. That the ICO’s management was either unwilling or incapable of identifying and remedying the potential conflict of interest is a matter of serious public concern.

I have spent a decade and a half criticising, satirising and annoying the ICO in the hope that for no other reason than to spite me, they will become a more effective, more enthusiastic regulator of Data Protection. But this is too much. This is a genuine failure of governance. It could pollute a host of formal decisions (and indecisions) stretching back for years. It has to be dealt with.

I don’t understand how Mr Ganotis could ever sensibly manage the team responsible for political parties and enjoy the confidence of the public. Richard Thomas and Chris Graham should have stopped it, and I hope that the new Commissioner will ask questions about how her managers and Human Resources team could allow such a shocking situation to occur. But if all this isn’t put right, if this bizarre conflict of interest continues acknowledged but unaddressed, we should all look very closely at every decision that emerges from Wilmslow with a more sceptical eye than even I thought possible.

Less than ideal

Last week, Stephen Lee, an academic and former fundraiser was reported as having attacked the Information Commissioner’s Office for their interpretation of direct marketing at a fundraising conference. It was, he said “outrageous” that the Commissioner’s direct marketing guidance stated that any advertising or marketing material that promoted the aims and ideals of a not-for-profit organisation was covered by Data Protection. According to Lee, only fundraising activities should be considered to be marketing.

[NB: Third Sector articles are sometimes open to all and sometimes limited to subscribers. If the links don’t work, please accept my apologies!]

He is quoted as saying “Who says that’s right? Just the ICO. Who did it consult? No one.” and  went on to say “Why and how and in what way should we be compelled to comply with that proposition?”

Who says that’s right? Who did the ICO consult? Well, let me see now.

1) The Council of Europe

In 1985, the Council of Europe issued a Recommendation on the protection of personal data used for the purposes of direct marketing. The definition of direct marketing includes both the offer of goods or services and “any other messages” to a segment of the population. The recommendation predates the guidance Mr Lee disparages by more than 30 years.

2) The 1995 Data Protection Directive

The Directive makes clear that direct marketing rules apply equally to charitable organisations and political parties as they do to commercial organisations, and emphasises the need for people to be able to opt-out of direct marketing. By redrawing the definition, Mr Lee would contradict this fundamental right.

3) The Data Protection Act 1998

Given that Mr Lee feels qualified to make bold statements about the interpretation of the Data Protection Act, it’s odd that he doesn’t seem to have taken the time to read it. Section 11 of the Act states that the definition of Direct Marketing “the communication (by whatever means) of any advertising and marketing material which is directed at particular individuals”. The important word there is “any” – organisations do not get to pick and choose which of their promotional messages are covered and which are not.

4) The Privacy and Electronic Communications Regulations 2003

PECR sets up the rules for consent over electronic direct marketing (consent for automated calls, opt-out and TPS for live calls, consent for emails and texts). It does not define direct marketing, but instead says this “Expressions used in these Regulations that are not defined in paragraph (1) and are defined in the Data Protection Act 1998 shall have the same meaning as in that Act”. Therefore, the DPA definition applies to PECR.

5) The Information Tribunal (now the First Tier Tribunal)

In 2005, the Information Commissioner served an Enforcement Notice on the Scottish National Party after they repeatedly and unrepentantly used automated calls featuring Sean Connery to promote the party in the General Election. The SNP appealed, and in 2006, the Information Tribunal considered the issue. One of the main elements of the SNP appeal was against the ICO’s definition of direct marketing. Although the case is about a political party, the ICO’s submissions are based on the proposition that charities as well as political parties are covered by the definition of direct marketing, and that the definition cannot be restricted to fundraising alone. The Tribunal accepted the ICO’s view in full, and dismissed the appeal.

6) The charity sector and anyone else who wanted to be consulted

The ICO may have issued guidance in the 1980s or 1990s on the definition of direct marketing, but the idea that promoting aims and ideals is part of it has been their view since 1999. In guidance issued on the precursor to PECR, the ICO stated clearly that direct marketing includes “not just to the offer for sale of goods or services, but also the promotion of an organisations aims and ideals”. They specifically mentioned charities, as they have ever since. Virtually every iteration of the ICO’s guidance on PECR and direct marketing has been subject to public consultation – indeed, the very guidance Lee is talking about was subject to a public consultation.

Here’s the problem. Lee is an Honorary Fellow of the Institute of Fundraising, and has a long association with it. The IoF has been the most consistently pernicious influence on the charity sector’s compliance with data protection and privacy law in the past ten years. Their guidance and public utterances on data protection are often misleading, and they recently had to change their own Code of Practice because it was legally incorrect. At best, they haven’t noticed the ICO position on charities and direct marketing for more than 15 years. At worst, they deliberately ignored it in favour of an interpretation that largely suits fundraisers. Lee complained at the conference about the “appalling” communication between the ICO and charity umbrella bodies, but Richard Marbrow of the ICO summed the problem up all too well:

One of the things the sector asked for was clarity, and I will try and bring you that. The trouble is, if you then say ‘we don’t like that clarity, could we have some different clarity please?’, we’re not going to get on very well.”

The most important thing about Lee’s outburst is the subtext – if any form of communication is not covered by the definition of direct marketing, then your consent is not required  in the first place and you have no right to stop receiving it. His interpretation is nonsense, but it is also ethically unsound. At its most basic level, privacy means the right to be left alone, the right to have an area of your life which is yours, which others can’t intrude into. Lee seems to want to erode that right. If his view was correct (it’s not), charities could bombard people with phone calls, texts or emails to tell them how marvellous they are, how important their work is, how vital they are for society. As long as they don’t ask for money, the logic of his argument is that people wouldn’t be able to stop them.

Lee’s other question (“Why and how and in what way should we be compelled to comply with that proposition?”) has an easy answer. Ignore it. Carry on breaching the law, ignoring the rules. I went to the cinema last night and saw adverts for two different charities that plainly breached PECR, so that seems to be the plan. Given that the furore over charities began with an innocent person bombarded with unwanted correspondence, it’s remarkable that senior figures in the charity sector are ready for another go, but if Mr Lee wants to drag charities’ reputations deeper into a swamp that they share with PPI scammers and payday loan merchants, he’s welcome.

But the ICO should not listen to their concerns, or open friendly channels of communication with the sector. They should apply the law firmly and regularly until the charities get the message. If this results in more enforcement against charities than other sectors, that will be only because the big charities are among the worst offenders and they haven’t put their houses in order. If charity giving suffers as a result, even amongst the many charities that have not transgressed, they should stop blaming others and look to their fundraisers, their colleagues and themselves.

FPS FFS

Following some fine investigative work, the Daily Mail was today content to declare “VICTORY” in its battle against rogue fundraisers and their equally shameless charity employers. The Mail’s apparent triumph is the publication of a government approved review by the National Council for Voluntary Organisations and chaired by Sir Stuart Etherington, the NCVO’s Chief Executive. There are a variety of recommendations about the regulation of charities, but as I am not an expert, I don’t know whether they improve matters. One eye-catching notion is very much on my territory, and if I wanted to be unkind, I would suggest that it was an outrageously opportunistic stitch-up.

The review suggests the creation of a Fundraising Preference Service, which would allow participants to “reset” their relationship with all charities. Anyone signed up to the ‘FPS’ could not be contacted by charities, thus finally lancing the boil of charity pestering. The report observes “At the moment there is no way to ‘opt-out’ of being approached by fundraisers other than contacting the organisation concerned directly and relying on their good will to unsubscribe an individual.” This statement is so wilfully incorrect, one might almost call it a lie.

The Telephone Preference Service applies to any organisation – including charities – who wants to call any person for marketing purposes. Exactly the same model proposed for the Fundraising Preference Service already applies to the TPS – nobody can call you unless you specifically tell them that they can. Some large charities routinely ignore the TPS, but there is the possibility of a civil monetary penalty under the Privacy and Electronic Communications Regulations (PECR) for breaching the TPS requirements. Moreover, no opt-out is required for email or text, because marketing can only happen by those methods on an opt-in basis.

The water is slightly more murky for postal marketing which is not covered by the stricter rules of PECR, but only if a charity is not a member of the Direct Marketing Association, which requires its members to be members of the Mailing Preference Service. The MPS is imperfect, but it already exists.

A person does not need to rely on the “goodwill” of a fundraiser or charity if they demand an opt-out from marketing. Section 11 of the Data Protection Act gives every person the right to demand that marketing cease or not begin – to ignore such a request is unlawful. Goodwill does not come into it, although Section 11 is not mentioned anywhere in the review.

It gets worse. Rather than the maximum £500,000 civil monetary penalties or enforcement notices backed by the threat of prosecution available under PECR for breaches of the TPS, the Etherington Review press release offers this terrifying alternative “Charities which seriously or persistently breach the rules would be named and shamed and could be forced to halt their fundraising until problems are resolved.” They may even be sent to bed early without any pudding. The review suggests an unnecessary addition to the existing framework, with weaker penalties for transgressors.

No version of the Fundraising Preference Service makes any sense. Assume for a moment that existing laws are left entirely as they are – charities and fundraisers would be obliged to screen against both the TPS and the FPS, as well as the MPS if they are DMA members. I have no problem with this if that’s what they want to do, but in reality, I suspect many of the charities who currently ignore or pay lip-service to the TPS would use the new system as an excuse to forget it altogether.

But what if it was worse? Couldn’t the charities argue that with their brand new preference service, clearly designed to prevent the menace of unwanted charity marketing, these other blunter tools were not required? What would be the point of charities doing double or triple-screening? If the Fundraising Preference Service gets any traction, I guarantee that somewhere along the way, the suggestion will come that charities should be exempted from the TPS and the MPS. Why not cut out the unnecessary bureaucracy? Once charities were exempted, there would be a bonanza, an orgy of calls and contacts to everyone not registered, all perfectly justified, so long as the charities can find a minister daft enough to believe that PECR should be amended to reflect their new system.

*Harry Hill look to camera*

If the FPS is to to exist, I can only think of two ways in which it could work fairly. The first is that everyone who is already registered on the TPS or the MPS should be automatically migrated onto the FPS. If people really don’t want to be contacted by other organisations, but do want to hear from charities, they only need to tell their favourite good cause this good news. Alternatively, the FPS could be an opt-in list of people who actively do want to hear from charities, and everyone else must be left alone. But I don’t think the FPS should exist at all. At best, it is a massively ill-informed gimmick, and at worst, a Trojan Horse for one last delirious orgy of spam. Much simpler alternatives exist within the current law, and I can set out very easily how the problem can be solved.

  1. The rogue charities finally stop pretending that they do not understand the law. They accept that cannot call someone who is on the TPS, even if the person has donated, even if they are regular donors. Charities cannot call them unless they say, explicitly and without any persuasion or prior contact, that they actively want the charity to contact them, and they specify the method by which they want to be contacted by. This opt-in can only be obtained by the charity, and not by any agent or contractor. In the absence of a freely given opt-in, charities never contact anyone on TPS again. They find ways to generate income that do not breach the law.
  2. The Mailing Preference Service – which already exists after all – is made statutory for charities (in fact, it should be made statutory for all organisations).
  3. The Information Commissioner identifies a few high profile charity miscreants. To avoid the outcry that might (only might) result from a monetary penalty that hoovers up charity donations, they use the Enforcement Notice method. Force the chosen few to respect the TPS, or mail opt-outs, or require them to get explicit consent before sending texts. Make it clear that if the notices are breached, as far as possible, Section 61 of the Data Protection Act will be used to prosecute the senior officers of the charities as well as the charities themselves. Alternatively, bite the bullet and issues some CMPs. Let the targets howl, ride the inevitable bleating of the fat cats, then see what happens afterwards. If charities had to explain why their fundraising tactics resulted in large donations to the Treasury, I suspect those tactics would end.

The problem of charity marketing would never have become so out of control if the Information Commissioner had ever taken any action to stop it. But nearly all of the ICO’s DPA enforcement is on procedural or security issues – they almost never challenge something that is core to an organisation’s business model. They have done this under PECR, but only for the shady PPI and Cold Call Blocking merchants. PECR enforcement on the charities will cost them money, and I fear that the ICO lacks the nerve. The wayward charities have operated with impunity and their unlawful activities have generated income. The FPS is a self-serving wheeze that is not the answer – any charity that will not voluntarily comply with the existing system will happily flout this new one. Before the Fundraising Preference Service goes any further, the ICO has to act firmly and decisively, or the problem of rogue charity marketing may get worse.