ICO fines for data protection breaches: where are we now?
News
In April, the Information Commissioner (ICO) fined eleven charities for breaching data protection law. This is still only the second time the ICO has taken such a step – last December being the first, when two high-profile charities were sanctioned for similar activities. Then, the sector reacted initially with shock and anger. In this article, we consider what the charities did, why their actions were unlawful, and how others can avoid making the same mistakes.
Although it is too soon to say that calm has returned to the sector, some of the initial panic is settling down; and, as the General Data Protection Regulation (GDPR) looms on the horizon, a number of cautious conclusions have emerged. We summarise them as follows:
- The one safe way to ensure compliance, both under present law and when GDPR hits in May next year, will be to move to "opt-in only" consents for many common fundraising activities. However, while some charities are considering this move, many think it impractical or believe that it will involve an unacceptable loss of subscribers.
- Conversely, a "legitimate interests" argument can still be used for many basic fundraising activities, including direct marketing itself, without consent. This involves a balancing of an organisation's interests against those of the individual, noting in particular their reasonable expectations and the steps taken by the organisation to communicate its intentions clearly and transparently to supporters.
- Wealth screening – a form of profiling by information largely from the public arena – is dividing observers between those who believe it can fall within legitimate interests and those who consider it an activity that is now only safe with consent.
An additional complication arose in March 2017 when the ICO issued quite substantial fines to for-profit companies (Flybe and Honda) for doing something many charities had been planning to do as a response to these pressures: namely, send out emails to large sections of their database with "unsure" consents, hoping to capture a "good", opt-in consent.
All of which has led to understandable confusion. It might assist therefore to go back to basics.
Data protection – what does the law say?
At present, the law is contained in the Data Protection Act 1998 (the Act), which requires organisations to process personal data in accordance with eight data protection principles. The charities fined had, in the ICO's view, breached the first two principles.
The first data protection principle (DPP1) stipulates that personal data must be processed "fairly and lawfully" (“processing” is widely defined and includes collection and retention of personal data, and using it for marketing / fundraising purposes). Among other things, this means it can only be processed if one or more of a list of specified conditions is met and, in the case of sensitive personal data (such as information about a person's health, race or religious beliefs), at least one of another list of conditions is also met.
The condition most commonly relied on by charities historically has been consent, which in the case of sensitive personal data must be "explicit". To meet the fairness condition, the data controller (the person/organisation who decides how personal data is to be processed) must, in addition, ensure that individuals whose data it wishes to use are given certain information, including "the purpose or purposes for which the data are intended to be processed".
The second data protection principle (DPP2) requires personal data to be obtained "only for one or more specified and lawful purposes" and prohibits organisations from using the data in any manner incompatible with those purposes. A data controller may specify the purposes by setting them out in a notice. The Act expressly covers sharing personal data with other organisations: in considering whether disclosure is compatible with the purposes for which you obtained data, you need to think about what the party receiving it intends doing with it.
Although the fines were issued on the basis of DPPs 1 & 2, seven of the eleven charities also breached the law on using electronic means (such as email or telephone) for the purposes of direct marketing – a term that includes fundraising or promoting charitable causes. These laws prohibit the making of unsolicited telephone calls for direct marketing purposes to (a) numbers listed on the Telephone Preference Service or (b) numbers whose owners have notified the caller that they should not be phoned. There are exceptions to this: for instance, it is permissible to call a TPS-listed number if the person to whom it belongs has notified the caller that, for the time being, s/he does not mind being called on that number.
E-privacy laws (currently the Privacy and Electronic Communications Regulations 2003, or PECR) also prohibit the sending of unsolicited email for direct marketing purposes without the recipient's prior consent, except in limited, prescribed circumstances. Text messages are subject to the same restrictions.
What the charities did wrong
Sharing personal data with third parties
A number of charities shared data with other organisations, with some taking part in a scheme known as "Reciprocate". This was run by an independent company and enabled charities to share or swap the details of donors and potential donors. At its height this ran to several million donors’ details. It was closed down in June 2016.
Invariably, a major problem here was that the privacy notices of the charities in question (both in their privacy policies and on their collection forms) were too vaguely worded, asking for permission to contact "other reputable organisations" or "other charities". In some cases, an opt-out tick box was used (with supporters being given a separate address to write to if they wanted to stop the charity from sharing their data); in one, an opt-in box was used. But despite these unspecific “consents”, members of the public were in most cases broadly unaware of who had ended up in possession of their data and why. Selling of data, specifically, attracted the most criticism.
The ICO held that the charities breached DPP1 – sharing personal details was unfair because the wording of their privacy notices and/or purported consents did not give data subjects sufficient information about how their details would be used. Therefore there was no valid informed consent. The ICO did not distinguish on this point between opt-out and opt-in procedures: the problem was the ambiguity of the notices, meaning that neither amounted to valid consent.
The ICO did not offer a view on when sharing might be legitimate without consent, but said:
"Charities that wish to share/sell their marketing lists with other organisations must ensure that their donors were made aware of this when the personal data were collected and that specific consent to pass on the details was obtained. Consent must be freely given, specific and informed, and involve a positive indication signifying the data subject's agreement…Informing individuals that their details will be shared with 'other reputable organisations', is neither freely given nor specific and does not amount to a positive indication of consent."
They were also in breach of DPP2, because participating in data-sharing schemes was incompatible with the purposes set out in the privacy notices.
Wealth screening
Some charities used wealth screening companies to analyse supporter data and identify wealthy individuals. Again, their privacy notices did not indicate that personal data would be used for these purposes.
This amounted to unfair processing that was in breach of DPP1, since such use would "not be within the reasonable expectation of individuals, and [the charities] had not informed individuals that they would adopt these techniques".
Further, it constituted a breach of DPP2, since wealth screening was incompatible with the purposes for which data were obtained, namely for administering donations and, if the individual consented, for marketing purposes. The ICO wrote:
"In determining whether data are being processed for an incompatible purpose, consideration should be given to the data subjects' reasonable expectations, the potential effect of the processing on those individuals, and what information has been provided to them in any privacy notice. These are similar considerations to assessing whether processing is fair."
Once more, although the ICO’s public announcements suggested that this activity would require consent, its enforcement notices did not go so far as to suggest that was the law. It was more that the charities’ failures to conduct the activity fairly fell on the wrong side of the Act.
Data-matching and tele-matching
Some charities used external companies to track down the postal or email addresses and/or telephone numbers of current supporters (from publicly-available information), using the rather more limited data those supporters had supplied to the charity. Their privacy notices did not indicate that personal data would be used in this way.
Moreover, the ICO saw this as a means to work around specific choices made by those people about how they wished to be contacted and what they did not want to provide. As such the charities were deemed to have breached DPP1 and DPP2.
Data-matching may still be lawful without consent in limited scenarios, such as when genuinely seeking to correct inaccurate information seemingly given in the expectation of being contacted. But the ICO is very particular about respecting the channels of communication an individual has opted for when agreeing to be contacted.
Collection and use of data
One of the cases raised issues around using a standard form to collect personal details. This form did not give any indication that the personal data collected might be used for various types of marketing. Some time after providing details, individuals were sent a letter, telling them that the charity "would like to keep you informed about our projects and activities by post, telephone and email. If you don't want to receive this information in this way … please email our Supporter Care team on [address] … or call them on the above number".
The danger is that even this follow-up act, by whatever means, can itself be held to be direct marketing. Doing so by non-electronic means can be justified in some cases by legitimate interests, but using data, as here, that was provided on a form giving no indication of the charity's marketing intentions actually put the organisation in a worse position than if it had, say, been cold-calling from the phone book. Not only does this not constitute a valid consent, it can also mislead individuals about how their data might be used. The right to rely on “legitimate interests” depends in part on the reasonable expectations of the individual.
PECR: unauthorised use of electronic means of marketing
Although no charities have yet been fined for breaches of PECR – unlike numerous commercial (and some political) marketers – issues under the electronic marketing law did form a less publicised aspect of some of the eleven more recent fines.
One charity emailed supporters using addresses obtained via data-matching, in breach of PECR. Even if a generic consent had been provided by the data-matching organisation for fundraising, that did not amount to the specific consent to be contacted by email – and hence was not the quality of consent required by PECR.
Another charity relied on generic consents from individuals to call numbers it did not have from them directly, but had obtained through tele-matching. Again, the generic consents did not constitute a notification that the individuals concerned did not mind being called by the charity on that line, as required by PECR for the indication of wishes to override TPS. The ICO held that calling any of those numbers that were TPS-listed was therefore a contravention of PECR, despite the apparent consent to marketing generally.
Under this heading, the ICO also considered several cases in which charities used text messaging. The campaigns followed the same basic pattern: individuals who made initial SMS donations were sent a bounce-back message informing them that the charity would get in touch with them again, and providing details of whom to contact to stop receiving messages or telephone calls.
In the ICO's opinion, the bounce-back messages constituted direct marketing. This, again, had previously constituted quite common campaign practice for charities. However, since they automatically opted individuals in to receiving further marketing texts and telephone calls, the texts were in breach of PECR.
The ICO clarified in each case that it would not fine the charities for these breaches per se – possibly indicating a lack of confidence by the ICO that they constituted the type of “serious contravention” required under PECR for the ICO to issue monetary penalties. However, they were an aggravating factor for the ICO to consider when deciding how much the penalty should be for wider breaches of the Act.
The penalties
In all thirteen penalty notices since December, the Information Commissioner made the point that the fine could have been significantly higher (by a factor of ten in fact), but she was mindful of – among other things – the extra distress that imposing a higher penalty might cause to donors. Some have read this as a tactical climb-down to avoid the embarrassment of an appeal (because most trustees would not sanction the legal costs involved with appealing a fine of between £6,000 and £25,000). However, she warns, "this should not be taken as an indication that the Commissioner will always reduce a penalty in such circumstances".
What can be learned?
Charities, and not simply those fined, found many reasons for grievance in these decisions: first, the sudden regulatory change in focus within the sector; and secondly, that the ICO was unclear in the enforcement notices and unhelpful in its guidance by not setting out a specific menu of good and bad practice, or indicating when consent is strictly necessary as opposed to when legitimate interests might apply.
But putting aside the controversy, there are some clear threads running through these cases. One is that the scale and volume of the activity contributed to the level of intrusion, and the level of fine. The other is how the wording of the charities' privacy notices was simply too vague to justify the kind of activities they were carrying out, or to let individuals know what they could object to. Frequently, too, charities have been relying on purported “consents” that were nothing of the sort – or at least, not a sufficiently specific consent (that is, consent to be contacted in particular ways for particular reasons), as it is now clear that the ICO will expect.
This standard is only being raised by GDPR, after which nearly all types of “opt-out” consent – such as silent acquiescence, or pre-ticked boxes – will fall short of lawful consent. The forthcoming ePrivacy Regulation, slated for the same date of 25 May 2018, is expected to be more of a continuation of existing practice.
The GDPR requirement for specific information and transparency should not necessarily be seen as an enemy of progress in the sector. Indeed, as a rule of thumb, if you suspect that very few people would sign up to an activity if asked outright, you should be hearing alarm bells in any event. For example, a great number of charities are now turning their back on the selling of databases, given that this activity is extremely hard to get consent for and extremely risky to try without consent. The era of mealy-mouthed wording in your consents or privacy notices is over: transparency is the new normal.
The requirement for consent to be specific to the use means that due diligence is important when using lists acquired from others: be wary of relying on the consents in lists you have bought in. Do people want to hear from you specifically? Will this generic “consent” really override the TPS? In addition, the Fundraising Regulator’s FPS scheme will shortly add to the resources available to charities to check if their lists are, in fact, toxic. But the ultimate responsibility to ensure you know what you are holding and what it permits you to do lies with the charity.
It remains the case that public trust in charities is still recovering from the fundraising stories of the last couple of years; some supporters may be put off charities by the idea that they still use certain disapproved methods. In truth, there is no reason in legal principle why a certain amount of research and due diligence into donors – what might be termed a form of wealth screening – is not in the legitimate interests of organisations. But what would continue to be a bad sell and a high risk would be the kind of large-scale, intrusive and undisclosed activities that have acted to industrialise the fundraising industry in an online world.
But as charities adapt to the “new normal”, so may the public. People still wish to support good causes, as much as ever in times of terrible headlines; and that also means supporting “good” charities, namely those who are transparent about what they do and the reasons they do it. Fundamentally, of course, that means raising money to support their aims. If, through transparency, public awareness of how fundraising actually works increases, there may be no reason in the future why charities would not be perfectly happy to ask openly for consent to carry out all their activities. But not all these activities strictly require consent, if undertaken proportionately and properly. At the very least, organisations should be prepared to account for – and willing to stand by – a full explanation of all activities carried out in their name: whether on their privacy notices, as required by the law, or in the pages of the Daily Mail.
If you require further information on anything covered in this briefing please contact Owen O'Rorke (owen.o'[email protected]; 020 3375 7348), Rachel Holmes ([email protected]; 020 3375 7561) or your usual contact at the firm on 020 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, July 2017