In February, the Fundraising Regulator published a suite of papers under the heading "Personal Information and Fundraising: Consent, Purpose and Transparency".
The introduction explains that this paper constitutes the Fundraising Regulator's interpretation of the law and acknowledges that other interpretations may be possible. Over the summer, the Regulator will be considering how best to incorporate key elements of this guidance into the Code of Fundraising Practice.
The substantive part of the document is divided into the following main sections:
- establishing the purpose(s) for which you are collecting and using personal data, and the administration of data processing;
- establishing the lawfulness of data processing – including guidance on the circumstances in which using personal data will be justifiable, obtaining consent, how long consent should be deemed to last etc;
- establishing fairness and transparency – what information you must provide to individuals whose personal information you want to use; and
- ensuring that data protection laws are followed when charities use third party suppliers.
The final part links to other guidance and resources – mostly that of the Information Commissioner's Office (the ICO).
A colour code is used throughout the guidance: green indicates references to the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR); orange refers to the General Data Protection Regulation (GDPR); blue is used to refer to existing codes, guidance and case law.
Since data protection law requires data to be collected and used only insofar as is necessary to achieve a specific purpose (and with the appropriate consents or other justification for processing), compliance will depend on charities identifying the purpose(s) for which they want to obtain personal data.
Among other things, this section emphasises the importance of identifying those purposes that constitute "direct marketing". This term encompasses material that is directed to particular individuals and promotes "an organisation's aims and ideals…the direct marketing rules in the DPA and PECR will apply to the promotional, campaigning and fundraising activities of not-for-profit organisations". Using personal data for the following activities will count as direct marketing:
- events and promotional activities;
- seeking legacies;
It is important for charities to understand this distinction because: (a) the DPA gives individuals the right to object to direct marketing; and (b) the PECR also contain rules about direct marketing communications.
The recommendations in this part lean strongly in favour of opt-in consents. The guidance also encourages charities to seek separate consents for different channels of communication (such as mail and telephone), and different uses of personal information (e.g. to be asked for donations, to be told about volunteering opportunities, for the charity to share that information with another organisation).
Establishing fairness and transparency
In addition to citing the legal requirements, this quotes extensively from the ICO's guidance on privacy notices, suggesting that trustees review their privacy policies and notices "as part of the annual review of their approach to Direct Marketing" and ensure that they are in line with the ICO's guidance, "Privacy Notices, Transparency and Control Code of Practice".
Using third party suppliers
The examples in this chapter explain how to ensure compliance, both when providing third parties with personal data, and when receiving personal data from third parties.
The six real-life examples in this paper focus on the move to using opt-in consents, discussing matters such as why the charities chose to make the switch, the research they undertook, how they implemented change, the challenges they faced and the effects they have noticed.
Consent self-assessment tool
This is "designed to help charities self-assess their communications to better understand whether they hold consent to send Direct Marketing communications to an individual and determine where the risks lie in any existing Direct Marketing approach".
It begins with some initial questions to weed out unlawful approaches, then poses a series of questions, using a table with a "traffic light" system that – depending on the charity's answer – will indicate how certain it is that the consent meets the legal requirements of being freely given, specific and informed.
At the end of each section of the main guidance, there is a short checklist of actions relevant to the subjects just covered. These have been pulled out into this standalone three-page document, which sets out suggested actions on the principal topics, namely purpose, lawfulness, fairness and transparency, and using third party suppliers.
If you require further information on anything covered in this briefing please contact Rachel Holmes (email@example.com) or your usual contact at the firm on 020 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, April 2017
 These give people certain rights in connection with electronic communications, such as marketing calls and emails.
 The new European data protection law that will come into force next May.