The UK’s data protection regulator has fined two charities over how they have ‘wealth screened’ current and future donors. Ian MacQuillin asks whether the Information Commissioner’s Office is treating charities differently to companies.
It came as little surprise that the body in charge of enforcing the UK’s data protection rules – the Information Commissioner’s Office (ICO) – fined two charities last week for ‘wealth screening’ their databases (profiling to identify potential major donors and legators, and compiling information about prospective potential new donors from external sources). That’s because all this summer, a representative of the ICO has been touring fundraising conferences telling everyone who’d listen (and that was a lot of people) they were going to do just that.
Many have suspected that the ICO ‘had it in’ for wealth screening, and that the promised enforcement action would be less about punishing specific cases of noncompliant data processing, and more about ending a practice – wealth screening – that for whatever reasons the ICO had decided was just wrong in point of principle.
Commercial organisations profile their customer databases for similar reasons that charities profile their donors. And commercial organisations search out new information about people who might invest in their business – venture capitalism would be next to impossible if you were not able to research a potential investor’s interests, through, say, sources such as Google and the Sunday Times Rich List. And, as John Middleton at CASE says, a potential investor would throw you out of a pitch meeting if you hadn’t done that research.
So the suspicion has been that ICO either currently does – or has plans to – regulate commercial and nonprofit organisations according to different standards.
The statement from ICO and the comments made by its representatives following the announcement of these fines suggest that might just be the case.
First, as has already been pointed out by the IoF’s Dan Fluskey in his UK Fundraising blog, we have the very pejorative and definitely unregulator-ish tone of the ICO’s statement, talking about how charities have been “exploiting” donors and “abusing” their trust. As Dan points out, compare this with the much more neutral language (as befits a statutory regulator) of a notice issued just a couple of days previously regarding fines totalling £130,000 levied on commercial operations for sending texts offering payday loans. Nothing here about ‘preying on people in financially vulnerable circumstances’, just straight down the line regulatorese.
And then we have the quotes from the Data Commissioner, Elizabeth Denham.
Rather than focus on the breach of data protection rules by the British Heart Foundation (BHF) and RSPCA, the two charities concerned, Denham talks about how she (either personally or representing ICO’s corporate standpoint) thinks charities ought to ask for and spend donors’ money (a point that has been made by Adrian Beney and Chris Carnie):
“Millions of people who give their time and money to benefit good causes will be saddened to learn that their generosity wasn’t enough. And they will be upset to discover that charities abused their trust to target them for even more money.”
Aside from the question of how the ICO knows what millions of people think about how charities use the money they donate, this is absolutely diddly squat to do with the ICO; it’s simply none of their business. How charities ask for money falls within the remit of the Fundraising Regulator. How charities then use donated income falls within the regulatory remit of the Charity Commission. The ICO only regulates how charities process their donors’ data, according to the letter of the law.
Ah, but does it?
The tone and comments of the press statement allow us to infer that just maybe ICO is taking a different approach to charities than it does to companies. But how could it actually do that? After all, the law is the law, and a data breach is a data breach, irrespective of whether a charity or a company commits it. Well, you’d think.
There are eight principles of data protection listed in the Data Protection Act 1998 (listed in Schedule 1 of the act).
The first two of these are:
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
In the penalty notices issued against the RSPCA and the British Heart Foundation, the ICO said these principles had been broken, and I’d urge everyone to read the full adjudication for themselves, as this contains the precise legal arguments and describes the precise data protection breaches.
The second data protection principle exists to ensure that:
“Organisations are open about their reasons for obtaining personal data, and that what they do with the information is in line with the reasonable expectations of the individuals concerned.”
This is the precise wording from the ICO’s website explaining this second principle. The key phrase here is “reasonable expectation” (though I can’t find this term anywhere in the 1998 act itself). This is where the ICO appears to be deriving its mandate – if it has one – to regulate nonprofit and for-profit organisations according to different standards.
Neither the BHF nor RSPCA adjudication mentions ‘reasonable expectation’. However, the day after ICO’s action against the two charities became public (via the Daily Mail – shocker!), ICO’s senior policy officer Victoria Cetinkaya appeared on a panel debate at the CASE Regular Giving conference in London.
Beyond reasonable expectations
Explaining the rationale behind these adjudications to the audience of higher education fundraisers, Cetinkaya said it was partly because both charities had “gone beyond” donors’ reasonable expectations of how they expected those charities to process their data.
The questions this leads to are:
First, how does ICO know what the reasonable expectations of charity donors are in this respect? Perhaps most people who give their details to a charity when they donate do so in the reasonable expectation that the charity will process that data to identify whether they can give more. Perhaps high net worth individuals (HNWIs) expect charities to do their research before approaching them in the first step of a cultivation journey that might ultimately lead to a major gift.
Or perhaps they don’t. The point is, we don’t know, so ICO is making policy based on what it – the ICO – thinks donors’ reasonable expectations are, not what those reasonable expectations actually are.
Second, and here’s the crucial thing: if the ICO is regulating charities and nonprofits differently based on what it thinks people’s reasonable expectations are, is it therefore holding – or planning to hold – charities to a different (higher) standard in their data protection practices than companies, based on the assumption (because there is currently no evidence) that people have a reasonable expectation that charities should have more stringent or constrained DP practices than companies?
The ICO has identified the way that BHF and RSPCA were conducting wealth screening in ways that were not compliant with data protection legislation. Therefore, you could expect that any commercial organisation that is doing similar would also not be compliant with the same data protection legislation.
Yet this paragraph contained in both the BHF and RSPCA notices suggests ICO may think that charities ought to act to a higher set of standards.
“Practices appear to have been driven by financial gain. The fact that it is a charity is not an excuse in this respect. In fact, the public is arguably entitled to expect charities to be especially vigilant in complying with their legal obligations.”
Shouldn’t all data processors be “especially vigilant” in complying with their legal obligations? Why should RSPCA and BHF be more vigilant than, say, Tesco, the Lawn Tennis Association and the UK Independence Party?
And how is financial gain relevant here? As Dignity in Dying’s David Pearce pointed out on Rogare’s regulation discussion forum, charities do not make a profit, so there is no ‘financial gain’ in that respect, as ultimately all income generated by a charity is converted into goods and services for beneficiaries. Whereas company stakeholders really do receive financial gain from any data processing their companies undertake.
So we could take the ICO’s statement – contained, incidentally, in a section in the enforcement notices about ‘aggravating factors’ – and obvert it to read from the perspective of a company that had been found to be conducting customer profiling illegally:
“Practices have been driven by financial gain. This is no excuse. However, the public arguably expects companies to be less vigilant in complying with their legal obligations than charities.”
Would that be true? Is there any reason why we should expect Tesco to be less vigilant around data protection than the RSPCA?
It always sounds so intuitively plausible when people trumpet the clarion call that ‘charities are held to a higher standard than companies’. But the logical obverse of this is that companies may be permitted to have lower ethical standards than charities, which is far less ‘obvious’.
Different standards for companies and charities?
I have now directly asked two ICO officials – Victoria Cetinkaya at CASE and Richard Marbrow at IoF convention in July – if the ICO operates, or has aspirations to operate, different standards for nonprofit and for-profit organisations based on the reasonable expectations provision. I’ve not had an unequivocal answer, but the answers I’ve received led me to think: Yes, they do.
If the ‘reasonable expectations’ provision were to be interpreted differently according to sector, we would arrive at the rather odd situation whereby two organisations could be profiling their databases in exactly the same way, yet ICO would find that one was compliant with the 1998 Data Protection Act, and one was not. This would be because ICO would make this adjudication not on what the law says an organisation can or can’t do, but on what (the ICO thinks) the public would expect that organisation ought to do.
I am not a lawyer, but it strikes me as rather odd that the legality of an act is not dependent on what the law says, but on how the public would expect the law to be interpreted: Schrödinger’s Regulator – an act is both simultaneously compliant and noncompliant with the legislation, and we won’t know which it is until we open the box of public opinion to find out what their reasonable expectations of it are.
At the point that the law is the law, where the data protection rules prohibit certain actions – such as emailing individuals without their consent – then there is nothing more to be said: you cannot do what the law proscribes, even if so doing would help your beneficiaries.
The ICO adjudications against BHF and RSPCA show several cases where this is the case.
In this respect, all regulators’ hands are tied, because they enforce what the law prescribes and proscribes.
However, at the point where regulators need to interpret the law, they need to use their own discretion and make a choice in how they do this.
ICO now has this choice. It can choose to use the reasonable expectations provision to hold nonprofit organisations to higher standards than for-profits, and in so doing, permit commercial organisations to continue with particular practices that are forbidden for charities.
But that is a choice that ICO will make. It doesn’t have to make this choice. Nothing is forcing it to make this choice. It could, if it so wishes, choose to hold charities and companies to the same standards. It could even choose to hold companies to higher standards. Or it could decide that ‘reasonable expectation’ is not relevant in this case, or has less relevance than it currently assumes it to have.
But what if it does continue down the route it appears to be taking, what are the implications of that?
Rogare’s theory of Rights Balancing Fundraising Ethics puts into context the ethical issues the ICO has got itself embroiled in. Fundraisers owe different ethical duties to their donors and their beneficiaries. The duty they owe to beneficiaries is to raise the money needed to provide the services those beneficiaries depend on. Their duty to donors (and non-donors) is not to subject them to undue pressure to donate, which includes respecting whatever rights they have to privacy.
In the case of wealth screening, it is not just that the ICO appears to be giving greater weight to donors’ interests in how their data is used, according to what the law requires, than it is giving to the needs of beneficiaries. As I’ve said, if this were the case, ICO’s hands would be tied, as the law is the law and is inalienable.
But what ICO appears that it might be doing is giving greater weight to donors’ expectations of how their data will be used, and prioritizing those (unevidenced) expectations over the needs and interests of beneficiaries.
However, far from being a ‘reasonable’ expectation of how charities use data, if the public thinks charities should do that in a way that will make it harder to raise money for beneficiary services than it would were they selling yachts to oligarchs, then perhaps what the public actually has is a very unreasonable expectation – an unreasonable expectation that the ICO ought to discount or even disregard totally in order to balance against a duty to help beneficiaries.
The path the ICO seems intent on pursuing could lead to the decimation of major gift fundraising and millions being lost to charities because they would face the double whammy of no longer being able to assess which of their current prospects are future high value givers, while being prevented from searching for new potential HNWIs outside their current donor pool.
ICO’s position on this could be caricatured as one of ‘not my problem mate’. They see themselves as interpreting the law, and the law says that charities cannot wealth screen. The consequences of that are therefore nothing to do with the ICO, sitting as it does inside its own regulatory bubble.
But they are.
ICO’s moral responsibility
For sure, ICO has the legal authority to ensure charities’ data processing is done in compliance with law. That in no way confers on ICO the moral authority to interpret the law in a way that is looking increasingly like an ideological attack on wealth screening, based on some vague point of principle that people think it’s OK for companies to process their data in a particular way, but charities should not be entitled to do the same.
ICO no doubt thinks it is fighting a good fight in defence of the individual rights of charity donors. In doing so, it is totally ignoring the rights and interests of a different class of individuals – charity beneficiaries – and, were it to do this by interpreting the law in such a way as to allow it to prioritise donors’ interests, then, according to Rights Balancing Fundraising Ethics, it would be acting unethically.
The very real likely impact of ICO’s crusade against wealth screening is that art galleries and hospital wings will not get built, and charities will need to cut services for beneficiaries because they can no longer fund them.
If this comes to pass, then Elizabeth Denham and her team must accept moral responsibility for those consequences, because they chose the course of action that led to them, even though they could have made a different choice.
- Ian MacQuillin is director of Rogare – The Fundraising Think Tank.
- NB – the third to last paragraph has been edited to make it clearer that the claim that ICO would be acting unethically is a conditional argument based on whether it chooses to operate a higher standard for charities than companies.
5 thoughts on “OPINION: Does the ICO have ‘unreasonable’ expectations about wealth screening?”
Having taken a stand against the RSPCA and the BHF for the manner in which they “secretly” screened their databases, I wonder if we can now expect the ICO to take similar action against the hundreds (thousands?) of other charities who have screened their databases, without explicitly telling their donors, over the last 18 years?
To single out just two charities when there are so many hundreds of guilty parties seems rather unfair. Come on, ICO, show how ethical you truly are, and fine all of them!
After all, there is a moral principle at stake!
Ignore those who say that your silence and inactivity over the last 18 years regarding data screening may have led charities to believe that they were acting in accordance with the DPA – these charities deserve to be held to account.
And if that means wasting their supporters’ valuable donations by fining them, well so be it. You can rest easy knowing you are taking the moral high ground.
The ICO has not prevented charities from doing anything. By choosing to fine them for past breaches (and in the process, massively reducing the fine from what it could and should have been), they have not used the alternative Enforcement Notice power. The Enforcement Notice is a tool which allows the ICO explicitly to ban activities which are in breach of the DPA. They didn’t do this.
If charities can find a way of conducting wealth screening (or whichever euphemism for profiling you choose) without breaching the clear requirement in Data Protection to process data transparently, they can. The ICO’s actions do not affect future strategy in any way, unless charities are saying that they cannot profile donors in a way that is compatible with the Data Protection Act.
‘Reasonable expectations’ is a concept invented by the ICO to make processing easier. The idea is that if a person would obviously expect something to happen, you don’t need to tell them. This allows organisations to cut down what they include in privacy policies or terms and conditions by focussing only on the unexpected and possibly objectionable uses of data. It’s actually a pragmatic reading of the law. The ICO’s point here is that no donor would have expected their generosity to be rewarded with secret profiling or data sharing. You might not agree with it, but it’s not an ideological attack on fundraising.
A question for Tim Turner (no relation!): Can you be sure that “no donor” would have expected that they might be profiled? I remember as a child noticing the “special offers just for you” that came through the letterbox, and my dad explaining that companies worked out which postcodes might contain the most “special” customers. This has never struck me as offensive. Wealth screening is a bit different if it goes down to the household level, but still it is hardly a new invention, or exclusive to the charity sector.
And what do we mean by “expect” – do we mean an explicit expectation (“I’ve just given £10 to this charity, so naturally I expect that they shall be sending my data off for profiling at some point”), or do we mean that the donor wouldn’t necessarily be thinking about it, but wouldn’t be especially surprised to learn about it? I’m sure very few donors (or customers of a retailer, for that matter) meet the former definition, but many more would fit the latter.
Thank you for your perspective, though – it is interesting (as I’ve read elsewhere) to look at the relationship between the ICO and the IoF, and how they have (variously) communicated and interpreted the law over the years. Let’s hope we will have more consistent guidelines in future from all parties.
Clear, helpful guidance on fair processing and privacy notices has been on the ICO’s website for the past 18 years. Nobody who read it could believe that secret profiling was in any way tacitly or explicitly allowed. Expecting to have everything served up to you on a plate is a ridiculous demand to make on a regulator who regulates every organisation that processes personal data. Some charities have put their donors’ money at risk by operating an essentially unlawful business model. The current state of denial only increases that risk.
Excellent article Ian, thanks. It is true that the expectation of charities is different – people give us their money ‘on trust’ rather than in return for goods or services on the whole, and companies compete on price in a way that charities don’t. But as Chris Carnie has said, it still goes back to a Victorian view of what a charity should be – I give you my £2 a week and you pay your CEO more than £100k? There is still no coherent response from the sector to this fundamental issue and so we should expect to be kicked by the likes of the Mail for the foreseeable. A recent study said that charities invest far less in leadership development and training than commercial organisations – is anyone surprised? Two sides of the same coin.