Historically, we had been able to advise that the Information Commissioner's Office (ICO) was not inclined to use its fining powers against not-for-profits, and its enforcement record supported this view.
However, after the fundraising scandals at the start of the year the ICO made it clear there were no "special cases"; and as of this month, the spectre of serious regulatory fines for data protection breaches has become a reality for charities. Many universities will want to take note.
On 6 December, the ICO published the results of its investigations into the fundraising practices of the British Heart Foundation (BHF) and the Royal Society for the Prevention of Cruelty to Animals (RSPCA). The fines were long rumoured, and in fact lower than had been expected, but the ICO's conclusions have still sent shockwaves across the sector.
The ICO was damning about the ways in which those charities had (1) shared donors' contact details with other charities (and in the RSPCA's case, this was sometimes in spite of donors having ticked a box to 'opt out' of such data sharing); (2) analysed and filtered donors by their means and likeliness to give further donations (sometimes known as 'wealth screening'); and (3) used data-matching techniques to 'fill in the gaps' in donors' records, for example where a donor had not provided a telephone number but it was possible to use 'tele-matching' services to track it down from other sources, using the data that the donor had provided.
The BHF was fined £18,000 and the RSPCA was fined £25,000 for breaching the first data protection principle (fair and lawful processing) and the second data protection principle (that personal data must only be processed for specific, defined purposes) in ways that were likely to cause damage or distress for the individuals affected. Fines for breaches of these principles alone were previously very rare: and for charities, unheard of. The ICO news update was keen to stress that the Information Commissioner, Elizabeth Denham, had "exercised her discretion in significantly reducing the level of [the] fines" – apparently as much as tenfold – but that future fines could be significantly higher.
Ms Denham said, "My exercise of discretion should not take away from how serious these breaches were. The law exists to protect people’s rights and it applies irrespective of how altruistic the organisation’s motives might otherwise be". It should be stressed to schools' fundraisers that a material factor in the level of fines was the sheer scale of the operations, involving the details of millions of individuals year-on-year.
Many in the sector have strong objections to the view the ICO has taken, not simply in the unprecedented use of fining powers but also in its interpretation of the law. The chief executives of both charities have responded to express their disappointment, with the BHF's Simon Gillespie being particularly strident: "key aspects of the ICO's decision and findings are wrong, disproportionate and inconsistent", he insisted, adding that the BHF's trustees will "consider whether it's in the interests of our supporters and beneficiaries to challenge this decision".
So where does this leave HEIs which seek to raise funds for educational needs, capital projects and the like? Any organisations that share personal data (perhaps with alumni organisations), conduct 'wealth screening' type analysis, or perhaps use other datasets to build more complete contact details for individuals, will need to take heed. Some may wish to consider whether a cultural change is needed, although a timely review of published policies and notice wording could certainly lower the risk.
This call to action may come as a surprise to those who might fairly point out that the law has not in fact changed (yet – though that is coming in May 2018). It will be of little comfort to others (notably those already under investigation) to note that many would agree with the BHF that the ICO is in fact wrong on this question: for example, in its insistence on the need to obtain clear individual consent for this kind of activity.
In each case, however, the ICO was clear that neither organisation had sufficiently transparent published wording about its intentions, meaning that potential donors did not know what was happening with their details – and therefore had no chance to object or provide less data in the first place. This much is, at least, consistent with how the Data Protection Act should be applied.
Right or wrong, the ICO is the competent regulator here and its interpretation of the law is the one with most practical impact on organisations. It appears we have entered a new era in which the apparent permissiveness of the Data Protection Act (and the ambiguity of the ICO's own guidance) has been sharpened into a tougher enforcement regime which will not tolerate 'data analytics' for fundraising without consent. Some may not agree that this is the only valid lawful basis for carrying out this kind of activity – but at this moment it seems that to proceed on any other basis would be at heightened regulatory risk.
If you require further information on anything covered in this briefing please contact Alan Baker (firstname.lastname@example.org) or Owen O'Rorke (email@example.com) or your usual contact at the firm on 020 3375 7000. Further information can be found on the HE page of our website.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, December 2016