The UK’s data protection regulator has fined two charities over how they have ‘wealth screened’ current and future donors. Ian MacQuillin ask whether the Information Commissioner’s Office is treating charities differently to companies.
It came as little surprise that the body in charge of enforcing the UK’s data protection rules – the Information Commissioner’s Office (ICO) – fined two charities last week for ‘wealth screening’ their databases (profiling to identify potential major donors and legators, and compiling information about prospective potential new donors from external sources). That’s because all this summer, a representative of the ICO has been touring fundraising conferences telling everyone who’d listen (and that was a lot of people) they were going to do just that.
Many have suspected that the ICO ‘had it in’ for wealth screening, and that the promised enforcement action would be less about punishing specific cases of noncompliant data process, and more about ending a practice – wealth screening – that for whatever reasons the ICO had decided was just wrong in point of principle.
Commercial organisations profile their customer databases for similar reasons that charities profile their donors. And commercial organisations search out new information about people who might invest in their business – venture capitalism would be next to impossible if you were not able to research a potential investor’s interests, through, say, sources such as Google and the Sunday Times Rich List. And, as John Middleton at CASE says, a potential investor would throw you out of a pitch meeting if you hadn’t done that research.
So the suspicion has been that ICO either currently does – or has plans to – regulate commercial and nonprofit organisations according to different standards.
The statement from ICO and the comments made by its representatives following the announcement of these fines suggest that might just be the case.
First, as has already been pointed out by the IoF’s Dan Fluskey in his UK Fundraising blog, we have the very pejorative and definitely unregulator-ish tone of the ICO’s statement, talking about how charities have been “exploiting” donors and “abusing” their trust. As Dan points out, compare this with the much more neutral language (as befits a statutory regulator) of a notice issued just a couple of days previously regasrding fines totalling £130,000 levied on commercial operations for sending texts offering payday loands. Nothing here about ‘preying on people in financially vulnerable circumstances’, just straight down the line regulatorese.
And then we have the quotes from the Data Commissioner, Elizabeth Denham.
Rather than focus on the breach of data protection rules by the British Heart Foundation (BHF) and RSPCA, the two charities concerned, Denham talks about how she (either personally or representing ICO’s corporate standpoint) thinks charities ought to ask for and spend donors money (a point that has been made by Adrian Beney and Chris Carnie):
“Millions of people who give their time and money to
benefit good causes will be saddened to learn that
their generosity wasn’t enough. And they will be upset to discover that charities abused their trust to target them for
even more money.”
Aside form the question of how the ICO knows what millions of people think about how charities use the money they donate, this is absolutely diddly squat to do with the ICO; it’s simply none of their business. How charities ask for money falls within the remit of the Fundraising Regulator. How charities then use donated income falls within the regulatory remit of the Charity Commission. The ICO only regulates how charities process their donors’ data, according to the letter of the law.
Ah, but does it?
The tone and comments of the press statement allow us to infer that just maybe ICO is taking a different approach to charities than it does to companies. But how could it actually do that. After all, the law is a law, and a data breach is a data breach, irrespective of whether a charity or company commits it? Well, you’d think.
The first two of these are:
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
In the penalty notices issued against the RSPCA and the British Heart Foundation, the ICO said these principles had been broken, and I’d urge everyone to read the full adjudication for themselves, as this contains the precise legal arguments and describes the precise data protection breaches.
The second data protection principle exists to ensure that:
“Organisations are open about their reasons for obtaining personal data, and that what they do with the information is in line with the reasonable expectations of the individuals concerned.”
This is the precise wording from the ICO’s website explaining this second principle. The key phrase here is “reasonable expectation” (though I can’t find this term anywhere in the 1998 act itself). This is where the ICO appears to be deriving it’s mandate – if it has one – to regulate nonprofit and for-profit organisations according to different standards.
Neither the BHF nor RSPCA adjudication mentions ‘reasonable expectation’. However, the day after ICO’s action against the two charities became public (via the Daily Mail – shocker!), ICO’s senior policy officer Victoria Cetinkaya appeared on a panel debate at the CASE Regular Giving conference in London.
Beyond reasonable expectations
Explaining the rationale behind these adjudications to the audience of higher education fundraisers, Cetinkaya said it was partly because both charities had “gone beyond” donors’ reasonable expectations of how they expected those charities to process their data.
The questions this leads to are:
First, how does ICO know what the reasonable expectations of charity donors are in this respect? Perhaps most people who give their details to a charity when they donate do so in the reasonable expectation that the charity will process that data to identify if they can give more. Perhaps high net worth individuals (HNWIs) expect charities to do their research before approaching them in the first step in a cultivation journey that might ultimate lead to a major gift.
Or perhaps they don’t. The point is, we don’t know, so ICO is making policy based on what it – the ICO – thinks donors’ reasonable expectations are, not what those reasonable expectations actually are.
Second, and here’s the crucial thing, if the ICO is regulating charities and nonprofits differently based on what they think people’s reasonable expectation are, are they therefore – or they planning to – hold charities to a different (higher) standard in their data protection practices than companies, based on the assumption (because there is currently no evidence) that people have a reasonable expectation that charities should have more stringent or constrained DP practices then companies.
The ICO has identified the way that BHF and RSPCA were conducting wealth screening in ways that were not compliant with data protection legislation. Therefore, you could expect that any commercial organisation that is doing similar would also not be compliant with the same data protection legislation.
Yet this paragraph contained in both the BHF and RSPCA notices suggests ICO may think that charities ought to act to a higher set of standards.
“Practices appear to have been driven by financial gain. The fact that it is a charity is not an excuse in this respect. In fact, the public is arguably entitled to expect charities to be especially vigilant in complying with their legal obligations.”
Shouldn’t all data processors be “especially vigilant” in complying with their legal obligations? Why should RSPCA and BHF be more vigilant than, say, Tesco, the Lawn Tennis Association and the UK Independence Party.
And how is financial gain relevant here? As Dignity in Dying’s David Pearce pointed out on Rogare’s regulation discussion forum, charities do not make a profit, so there is no ‘financial gain’ in that respect as ultimately all income generated by a charity is converted into goods and services for beneficiaries. Whereas company stakeholders really do receive financial gain form any data processing their companies undertake.
So we could take the ICO’s statement – contained, incidentally, in a section in the enforcement notices about ‘aggravating factors’ – and obvert it to read from the perspective of a company that had been found to be conducting customer profiling illegally:
“Practices have been driven by financial gain. This is no excuse. However, the public arguably expects companies to be less vigilant in complying with their legal obligations than charities.”
Would that be true? Is there any reason why we should expect Tesco to be less vigilant around data protection than the RSPCA?
It always sounds so intuitively plausible when people trumpet the clarion call that ‘charities are held to a higher standard than companies’. But the logical obverse of this is that companies may be permitted to have lower ethical standards than charities, which is far less ‘obvious’.
Different standards for companies and charities?
I have now directly asked two ICO officials – Victoria Cetinkaya at CASE and Richard Marbrow at IoF convention in July – if the ICO operates, or has aspirations to operate, different standards for nonprofit and for-profit organisations based on the reasonable expectations provision. I’ve not had an unequivocal answer, but the answers I’ve received led me to think: Yes, they do.
If the ‘reasonable expectations’ provision were to be interpreted differently according to sector, we would arrive at the rather odd situation whereby two organisations could be profiling their databases in exactly the same way, yet ICO would find that one was compliant with the 1998 Data Protection Act, and one was not. This would be because ICO would make this adjudication not on what the law says an organisation can or can’t do, but on what (the ICO thinks) the public would expect that organisation ought to do.
I am not a lawyer, but it strikes me as rather odd that the legality of an act is not dependent on what the law says, but on how the public would expect the law to be interpreted: Schrödinger’s Regulator – an act is both simultaneously compliant and noncompliant with the legislation, and we won’t know which it is until we open the box of public opinion to find out what their reasonable expectations of it are.
At the point that the law is the law, where the data protection rules prohibit certain actions – such as emailing individuals without their consent – then there is nothing more to be said: you cannot do what the law proscribes, even if so doing would help your beneficiaries.
The ICO adjudications against BHF and RSPCA show several cases where this is the case.
In this respect, all regulators’ hands are tied, because they enforce what the law prescribes and proscribes.
However, at the point where regulators need to interpret the law, they need to use their own discretion and make a choice in how they do this.
ICO now has this choice. It can choose to use the reasonable expectations provision to hold nonprofit organisations to higher standards than for-profits, and in so doing, permit commercial organisations to continue with particular practices that are forbidden for charities.
But that is a choice that ICO will make. It doesn’t have to make this choice. Nothing is forcing it to make this choice. It could, if it so wishes, choose to hold charities and companies to the same standards. It could even choose to hold companies to higher standards. Or it could decide that ‘reasonable expectation’ is not relevant in this case, or has less relevance than it currently assumes it to have.
But what if it does continue down the route it appears to be taking, what are the implications of that?
Rogare’s theory of Rights Balancing Fundraising Ethics puts into context the ethical issues the ICO has got itself embroiled in. Fundraisers owe different ethical duties to their donors and their beneficiaries. The duty they owe to the beneficiaries is to raise the money needed to provide the services they beneficiaries on. Their duty to donors (and non-donors) is not to subject them to undue pressure to donate, which includes respecting whatever rights they have to privacy.
In the case of wealth screening, it is not just that the ICO appears to be giving greater weight to donor’s interests in how their data is used, according to what the law requires, than it is giving to the needs of beneficiaries. As I’ve said, if this were the case, ICO’s hands would be tied as the law is the law and is inalienable.
But what ICO appears that it might be doing is giving greater weight to donors’ expectations of how their data will be used, and prioritizing those (unevidenced) expectations over the needs and interests of beneficiaries.
However, far from being a ‘reasonable’ expectation of how charities use data, if the public thinks charities should do that in a way that will make it harder to raise money for beneficiary services than it would were they selling yachts to oligarchs, then perhaps what the public actually has is a very unreasonable expectation – an unreasonable expectation that the ICO ought to discount or even disregard totally in order to balance against a duty to help beneficiaries.
The path the ICO seems intent on pursuing could lead to the decimation of major gift fundraising and millions being lost to charities because they would face the double whammy of no longer being able to assess which of their current prospects are future high value givers, while being prevented from searching for new potential HNWIs outside their current donor pool.
ICO’s position on this could be caricatured as one of ‘not my problem mate’. They see themselves as interpreting the law, and the law says that charities cannot wealth screen. The consequences of that are therefore nothing to do with the ICO, sitting as it does inside its own regulatory bubble.
But they are.
ICO’s moral responsbility
For sure, ICO has the legal authority to ensure charities’ data processing is done in compliance with law. That in no way confers on ICO the moral authority to interpret the law in a way that is looking increasingly like an ideological attack on wealth screening, based on some vague point of principle that people think it’s OK for companies to process their data in a particular way, but charities should not be entitled to do the same.
ICO no doubt thinks it is fighting a good fight in defence of the individual rights of charity donors. In doing so, it is totally ignoring the rights and interests of a different class of individuals – charity beneficiaries – and, were it to do this by interpreting the law in such a way as to allow it to prioritise donors’ interests, then, according to Rights Balancing Fundraising Ethics, it would be acting unethically.
The very real likely impact of ICO’s crusade against wealth screening is that art galleries and hospital wings will not get built, and charities will need to cut services for beneficiaries because they can no longer fund them.
If this comes to pass, then Elizabeth Denham and her team must accept moral responsibility for those consequences, because they chose the course of action that led to them, even though they had could have made a different choice.
- Ian MacQuillin is director of Rogare – The Fundraising Think Tank.
- NB – the third to last paragraph has been edited to make it clearer that the claim that ICO would be acting unethically is a conditional argument based on whether it chooses to operate a higher standard for charities than companies.