Recent decisions by the Information Commissioner's Office (the ICO), fining a series of high-profile charities and seemingly condemning certain longstanding fundraising activities as unlawful, have confirmed for some what they long suspected: that data protection law has taken over the siege on the not-for-profit sector from the tabloid press.
It is true that there is no longer (if there ever was) any special treatment for charities by the data protection regulator – this much was confirmed by the previous Information Commissioner, Christopher Graham, before the Etherington Report. However, the strict line has certainly continued into the reign of new incumbent Elizabeth Denham, whose tenure began the same month (July 2016) that the new Fundraising Regulator was established. And the regulatory landscape is set to change further.
The General Data Protection Regulation (GDPR) will take effect in the UK, and across the EU, on 25 May 2018 – in less than 14 months' time. The Government has confirmed that this will have direct effect on that date regardless of Brexit. If the schedule is kept to, it will be joined on the books by a replacement for the current Privacy and Electronic Communications Regulations (PECR), the law that covers direct marketing (including fundraising) by email and telephone. The latter is not expected to change the landscape materially, but the GDPR will.
In truth, though, data protection law should always have been a significant compliance concern for the sector – and those who are strictly compliant now will not find the transition to GDPR to be the sea change of dire prediction. The basic structure of data protection law will remain the same after May 2018: data subjects will continue to enjoy rights which must be observed, data controllers will continue to have to comply with data protection principles (although so will data processors in many cases). However, there is no doubt the burdens are increasing. Those who have any doubt of their compliance with the existing law today should commit immediate and focused effort to meeting the standard of tomorrow.
Before we look to the future, this article will look first to the basics that already bite, including recent enforcement cases.
Back to basics
One of the challenges for the lay reader when trying to get to grips with data protection law is cutting through the jargon. Unfortunately, the language of the Data Protection Act 1998 (DPA) is full of it – and it is not changing for the better under the GDPR. Hence it is important to remind ourselves of the basics.
The DPA is essentially the legal framework governing the relationship of organisations to private individuals, as it is captured on their systems (and in their filed paper records). Such an organisation is a "data controller", and those whose personal data is kept and used (or "processed") by that organisation are called "data subjects". Where a charity is the data controller, trustees must be aware of the responsibilities this confers: duties to keep data safe and accurate, to be able to justify the purpose for which it is kept, and to use it fairly.
Some of the most pressing duties on charities under the DPA involve the rights of data subjects. The right to object to direct marketing (including fundraising and the promotion of "aims and ideals") is one, but an individual can use the DPA to cause significant trouble in other ways for a charity if so motivated. It is in the nature of charities to attract loyalty and passion from supporters and stakeholders. However, such causes can also attract obsessives and troublemakers, whether their ideals are aligned or opposed.
A sometimes debilitating waste of charity funds, resources and emotional energy can come in dealing with a "subject access request" under the DPA: in essence, an extremely broad right to receive copies of all personal data held on an individual by an organisation within 40 days of asking. The charity that is best prepared to handle such a request is the one with the best records: not simply in quantity, of course, but in accuracy and simplicity. What must be kept as a matter of record should be kept, and kept in the most proper and professional language – but everything that constitutes "noise", electronically speaking, should be kept to a manageable operating minimum.
The following is a list of considerations for assessing whether your charity is operating at a basic DPA level now:
- Are you registered with the ICO as a data controller? Even if the extent of your personal data activities is managing staff and engaging supporters, this is caught by the DPA and these purposes should be recorded on the registry. Failing to register is not the biggest compliance issue per se (and the requirement is being done away with in 2018), but it can count against you in the event of a valid complaint on some other issue.
- Do you have the right staff trained in the right roles? Data privacy and management are specialist skillsets just like any other role in your charity. It is tempting to pile data protection onto the tasks list of an existing administrator, or silo it as an "IT issue", but the DPA expressly cites staff competency as a measure of data security (organisational as well as technical). At the same time, a basic level of knowledge should permeate the workforce. The ICO expects DPA training for staff every two years.
- Do you process "sensitive" personal data? Relevant to some charities, this might involve information about health (mental and physical), criminal records, ethnicity and religious beliefs. Such data carries a higher compliance burden and also reasserts the principle of sharing inside and outside a charity on a "need to know" basis only.
- How do you record personal data? Is it neat, neutral and accurate? Is it no more than you need to hold for an established, understood legal purpose? Are important decisions affecting individuals documented properly and even-handedly, or are staff or trustees gossiping rashly about colleagues and stakeholders by email?
- How do you outsource data management? Cloud computing, IT, HR, volunteers, fundraising consultants: there are numerous ways in which others may (legitimately) process data on your behalf, but it remains your liability. Specifically, the law requires that your contracts with these parties enforce minimum standards of DPA compliance, data security and control on your part.
Fundraising, databases and consent
The changing standard of consent is of course an article in itself, and your charity will not need reminding of its importance – in many cases recent steps will already have been taken. Many in the sector are moving towards a best practice "opt in" standard for all marketing activity, even cold calling (which is less regulated than text or email). This shift was driven first by a "soft" investigation by the ICO at the end of 2015, which saw certain voluntary best practice undertakings adopted, and then by the recent enforcement action one year on.
Recent decisions have moved away from simply involving PECR (which governs the actual sending of communications to leads and supporters) and brought more into play the longstanding, but previously under-enforced, question of "fair processing". This is the development which has seen activities like data matching and wealth screening fall foul.
Historically, we had been able to advise that the ICO was not inclined to use its fining powers against not-for-profits, and its enforcement record supported this view. In any event, the only substantial fines were previously limited to serious data breach or mass marketing irregularities. However, as of December 2016, the spectre of serious regulatory fines for data protection breaches has become a reality for charities (and the ICO has fined a further eleven charities this month).
The fines were long rumoured, and in fact ten times lower than had been predicted in some quarters, but the ICO's conclusions have still sent shockwaves across the sector. What is more, Elizabeth Denham has expressly reserved the right to make the fines bigger next time.
The ICO was damning about the ways in which certain charities had, on a large scale, (1) shared donors' contact details with other charities (in one case, sometimes in spite of donors having ticked a box to 'opt out' of this); (2) analysed and filtered donors by their means or likeliness to give further donations (sometimes known as 'wealth screening'); and (3) used data-matching techniques to 'fill in the gaps' in donors' records, for example where a donor had not provided a telephone number but it was possible to use 'tele-matching' services to track it down from other sources, using the data that the donor had provided (and hence working around their express choices of communication, the ICO argued).
Fines for breaching the first data protection principle (fair and lawful processing) and the second data protection principle (that personal data must only be processed for specific, defined purposes) were previously unheard of, and not considered a high risk area in terms of the distress that may be caused for the individuals affected. However, Ms Denham's statement emphasised a betrayal of trust and added: "The law exists to protect people’s rights and it applies irrespective of how altruistic the organisation’s motives might otherwise be".
Many in the sector have strong objections to the view the ICO has taken, not simply in its unprecedented use of fines but also in its interpretation of the law (notably any suggestion that these activities all require "consent", strictly, as opposed to mere transparency). However, the ICO is applying the existing law and its interpretation of it is probably the practical yardstick by which to measure risk. Many charities are considering whether a cultural change is needed: and while a review of published notices and the wording of forms should in theory lower the risk, it is currently a brave charity that embarks on such activity.
The future: the GDPR
This next section looks at what all organisations should – in our view – be doing now, as a minimum, ahead of GDPR.
- Identify a compliance lead within your organisation, and raise awareness. Certain types of organisation will need to appoint a data protection officer. Most charities will not, or so current thinking suggests; but this does not change the need for a competent and well-supported compliance lead both now and going forward.
- Make the most of the coming year. There is no "transitional relief" after May 2018: as the GDPR puts it: "processing already under way should be brought into conformity with this Regulation within [the period between May 2016 and May 2018]". We have already noticed the ICO taking a harder line in enforcement.
- Do not get distracted by Brexit. The GDPR may be EU law, but the UK government has now been very clear that the GDPR will take effect in May 2018.
- Ensure you are on top of ICO guidance as it comes. The existing ICO guidance on the GDPR is limited but helpful in overview: more is expected as 2017 progresses. The ICO recently published a consultation draft of guidance on consent (the consultation closed on 31 March this year and results are awaited), but you should remain alert to other new guidance on key issues when it is issued.
- Carry out a 'mini-audit' of the personal data you hold and use, and why. In the first instance at least, we would hope this is something which existing staff could work up in initial draft within a few hours. Questions include:
a. What type of information do you hold on individuals, how, and why?
b. Are those individuals aware of what you are doing with their data? If you are relying on consent wording, will it be valid under the GDPR?
c. Do you share personal data with any third parties? If so, what do they use it for, and again do the individuals know?
Under the GDPR, “transparency” and “accountability” are key principles – so you will be expected to know the answers to the above, and more, when an individual data subject or the ICO asks the question. You should know now where you are exposed.
- Watch out for fines and remedies. Underpinning all these changes is a drastically increased set of sanctions – including higher fines – and expanded subject rights to object to, correct and prevent data uses which cannot be justified when challenged.
This is already a lot to take in, but there is no intention here to panic charities: each point raised should, of itself, be relatively straightforward and solvable. The above is a starting point for where we are, where we will be, and where we should be in data protection law. Those wanting to investigate further may be interested in reading the Fundraising Regulator's recently-published guidance on data protection and consent, reviewed elsewhere in this month's briefing.
If you require further information on anything covered in this briefing please contact Owen O'Rorke (email@example.com) or your usual contact at the firm on 020 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, April 2017