The Information Commissioner’s Office clampdown on the charity sector has stirred up a new hornet’s nest by seemingly banning organisations from using home-mover files and telephone appending services to trace their own customers without seeking adequate prior permission.
The ICO has already faced criticism for insisting that current wealth screening practices are unacceptable, with industry veteran Stephen Pidgeon accusing commissioner Elizabeth Denham of pandering to the Daily Mail.
Now, in a paper published ahead of a conference organised by the Fundraising Regulator, the Charity Commission and the ICO, the data regulator says charities must gain adequate permission in their privacy notices – including an explicit, detailed explanation of how a charity plans to use donors’ data – even if that information is in the public domain.
The 12-page document sets out how practices uncovered by ICO investigations into charity fundraising over the past 18 months “seriously violate” the principles of the Data Protection Act 1998.
In December, the ICO fined the RSPCA and the British Heart Foundation over their wealth screening and data matching practices, in a case which dragged down St Ives-owned Response One’s data sharing service Reciprocate. The ICO recently confirmed it is investigating 24 businesses as part of its probe into the sector; earlier this month 11 charities were warned they also face fines for data protection failings.
The paper states: “Your privacy notice must be detailed enough to ensure [donors] have a reasonable understanding of what wealth screening is and how you’ll use their personal information to do it. Simply stating that you may analyse their personal information to predict future levels of donation is likely to be too vague.”
This applies to both in-house and third-party operations.
In a separate section headed “So is data matching and tele-appending never ok?”, the ICO seems to suggest that data matching would rarely be acceptable, except under specific circumstances.
“It could be argued that individuals may have forgotten to give you the information or update you about moving house, for example,” the paper says. “But you cannot assume this is true. Even if they’ve forgotten, they still wouldn’t reasonably expect you to contact them via a phone number or email address they never gave you.”
Information about a person cannot be considered “fair game” just because it is publicly available, and charities cannot assume that the person consents to that data being used for any purpose, the regulator concludes.
It is not known whether these measures will be restricted to the charity sector, although it is hard to see how charities can be made a special case. As Pidgeon was quick to point out, wealth screening and data matching are well-established practices in the commercial world, yet he could not find a single commercial firm censured for these practices during 2016.