In October, the Fundraising Regulator launched a consultation proposing some fairly substantial data protection-related changes to the Code. By the time you read this, the consultation will have closed, but it is worth getting a sense of what might be around the corner.
The consultation included:
- a covering note from the Regulator;
- an annotated version of sections 5, 6 and 7 of the Code, showing the proposed changes;
- a "clean" amended version of sections 5, 6 and 7 of the Code; and
- a table of other data-related rules in the Code that, according to the Regulator, need to be amended, and the proposed revised wording.
In drafting the proposed alterations, the Regulator had several aims:
- to address issues identified in the Information Commissioner's (ICO's) penalty notices to charities, such as wealth screening, data matching and the use of publicly available data;
- to bring the Code into line with the General Data Protection Regulation (GDPR); and
- to align the Code with its own and the ICO's guidance on direct marketing and with NCVO's findings on charities' relationships with donors.
The changes focus on sections 5, 6 and 7 of the Code. At the moment, these contain a mixture of data protection / electronic privacy issues and matters related to the content of fundraising communications (such as the need to comply with advertising codes of practice).
Section 5
This currently has the title "Fundraising Communications and Techniques". The Regulator suggests renaming it "Personal Information and Fundraising".
The consultation draft includes the following sub-sections.
Most of this is new. As well as telling fundraising organisations they need to comply with the Data Protection Act 1998 (the DPA), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the PECR) and (after 25 May next year) the GDPR, it says that organisations "MUST" – the term used to denote requirements of the Code, but not of the law – "keep up to date with and have regard to relevant guidance from the [ICO]. This includes the ICO's Direct Marketing Guidance, its Fundraising and Regulatory Compliance Conference paper and its GDPR consent guidance". The current version refers only to "relevant guidance" from the ICO. Whilst charities and fundraisers may not enjoy the reading (or the extra training they may have to deliver when guidance is amended), they should find it helpful to be given a clearer idea of what "relevant guidance" they are expected to consider.
Database Practices and Processing Personal Information
This, too, is mostly new. The section begins by defining "personal information" / "personal data" (the terms are used synonymously) and "processing" (highlighting the ICO's guidance as to the very wide scope of the term, which includes collecting, holding and virtually any use of personal data), before outlining the rules on processing and storing / maintaining data.
Probably the most important proposed addition in this section is paragraph 5.2.2. Cross-referenced in a number of places in the revised sections of the Code, this describes the legal duties of organisations when processing personal data:
"When processing personal data (including publicly available personal data) for any purpose, organisations MUST*:
a) have legitimate grounds for collecting, using and retaining the personal data ... [References to the DPA and the ICO's guidance are inserted here].
b) not use the personal data in ways that have unjustified adverse effects on the individual concerned;
c) give individuals clear and accessible information about how they will process their personal data, including who the organisation is; what they are going to do with the individual's personal information; and (where relevant) who it will be shared with ... [Another reference to ICO guidance is inserted here].
d) only handle personal data in ways that the data subject would reasonably expect; and
e) not do anything unlawful with personal data."
These five principles are a helpful summary of the current law and clearly adopt current ICO guidance / language on DPA compliance. It would perhaps be worth adding the caveat, though, that this is DPA rather than GDPR language. Although the GDPR does not change these fundamental principles in a substantive way, to avoid any confusion one would hope the draft guidance will be updated again to ensure consistency with Article 5 of the GDPR, which lays out the principles relating to the processing of personal data with effect from May 2018.
Buying and sharing personal data
Much of this is lifted from existing section 6.5 ("Selling/renting marketing lists"), but there are some proposed changes.
At present, section 6.5 states that personal data must not be shared for marketing or fundraising purposes without explicit consent, but adds that this does not apply to data sharing "between organisations which are within a federated structure and/or where one controls the other or both are under common control", or where data "are being shared with a data processor ... where the requirements with regard to data processing under the [DPA] (including the written contract setting requirements as to security) are also met".
The draft revised version says that, in these cases, "the organisation structure/arrangement and the processing purpose MUST* be clear enough in the privacy information provided to the individual that the organisation can evidence that processing would fall within the individual's reasonable expectation."
This amendment does not represent a change in the law and is likely to have been prompted by the position ICO has adopted in its investigations.
Once again, the Regulator proposes adding a substantial amount of new material here. It begins by clarifying that fundraising and campaigning activities amount to direct marketing.
There is a new section on consent as a basis for direct marketing, which outlines the rules in the GDPR, such as the need to use opt-in methods, giving options to consent separately to different types of processing, and informing individuals that they can revoke consent at any time. By spelling out these conditions, organisations will hopefully be alerted to the relatively high bar they will have to reach under GDPR if they are to rely on consent as a lawful ground for processing.
Following this is another new section on using legitimate interests as a basis for direct marketing. It is fairly basic and the GDPR is not expressly mentioned, but perhaps this is an interim position: the ICO's guidance on legitimate interests under the GDPR is not expected until next year. It states that this ground applies to direct marketing communications "by phone or post", which is an important point worth emphasising: "legitimate interests" is not available as a ground for unsolicited electronic direct marketing (because of the restrictions in PECR) – specific consent must be obtained.
Draft section 6 consists entirely of wording currently in section 5. It addresses matters such as making sure your fundraising material doesn't breach copyright, complying with advertising standards, and the use of potentially shocking images.
Section 7
Currently, this is entitled "Reciprocal mailing". The Regulator proposes changing this to "Mail" and broadening its scope accordingly. Much of it consists of paragraphs moved from section 6.
Other proposed changes
One of the consultation papers was a table of other data-related rules in the Code that, according to the Regulator, need to be amended. The majority of these amendments are nothing more than additional sentences referring the reader to relevant parts of section 5. The Regulator proposes deleting other wording, whether because the matter will be covered by other amended sections or because, as it stands, it is incompatible with the GDPR.
Although none of the items in the table is substantial, the most significant alterations are proposed for section 8 (Telephone fundraising). Most are to clarify that the rules apply only to direct marketing calls (as opposed to calls made for other purposes), with a proposed link to guidance by the Regulator and the ICO on what constitutes a direct marketing call in paragraph 8.2.3 of the Code. Similar amendments are planned for the paragraphs, in section 9 of the Code, on SMS and MMS messages. Other amendments are aimed at ensuring that preference services are dealt with uniformly. The Code will incorporate the FPS (the Fundraising Preference Service) by stating that calls must not be made to an individual "who has requested for the fundraising organisation to cease or not begin Direct Marketing...".
Although the consultation has closed, you can still access all the documents here.
There has been some criticism of the draft amendments. For instance, given that fundraising organisations will have to comply with the GDPR anyway, would it not be preferable for the Code simply to say so, link to appropriate guidance, and use the Code to explain what fundraising organisations need to do beyond basic legal compliance? The consultation draft already links to various pieces of guidance (from both the Regulator and the ICO) – including succinct summaries of the law in the Code may simply muddy the waters.
At the time of writing, there has been no indication of when we can expect to see the final version of the Code. However, given that the consultation draft refers to the DPA and the GDPR, no doubt we can expect at least one further consultation in 2018. After May 2018, references to the DPA will become obsolete, and the Data Protection Bill (which contains additional data provisions and will need to be read alongside the GDPR) should have completed its passage through Parliament before then. Whatever the outcome of this consultation, we will probably not have long to wait before we see another one.
This publication is a general summary. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, December 2017