In December 2016, the Information Commissioner’s Office took enforcement action against the British Heart Foundation and RSPCA for breaching data protection legislation. This page collects the ICO statements and blogs responding to ICO’s action, both critical and in support of ICO, as well as any best practice advice. We’ll add to this as and when blogs are published.
ICO outputs
- ICO statement on enforcement action
- ICO statement on charity fundraising practices
- RSPCA adjudication
- BHF adjudication
- ICO ‘notice of intent‘ to fine 11 further charities for data protection breaches
Analysis and best practice advice:
ICO fines – what are the legal implications for charities?
Lawrence Simanowitz, Hannah Lyons, and Melanie Carter (Bates, Wells and Braithwaite) on Institute of Fundraising website.
Choice quote:”There are alternatives to consent to ensure that processing is fair. In particular, if processing is in an organisation’s ‘legitimate interests’, and such processing does not disproportionately prejudice the rights and freedoms or legitimate interests of the data subject, then it will be lawful to process the data without consent. In other words, a balance between the interests of the organisation and the rights of the individual must therefore be achieved.”
UK fundraising and European data protection ruling: what it means and what your organisation should do right now
Adrian Salmon (Grenzbach Glier and Associates) on GG+A blog.
Choice quote:
“In our understanding, adding wealth and updated contact information to individuals’ records is not in itself illegal. What was deemed to be a breach of the law was that the charities in question did not have wording anywhere in their Privacy Notices to alert individuals that such external data might be gathered and appended to their records, and for what purpose.”
In defence of ICO/critical of charities:
Fair cop
Tim Turner (data protection trainer) on 2040 Information Law blog.
Choice quote:
“Some big charities have run an end-justifies-the-means approach to marketing and they have got away with it for a decade. Fundraisers ruled the roost, and compliance has been sidelined or ignored. Given how much money the RSPCA and the BHF have raised from fundamentally unlawful practices, they should pull back and rethink how they get donations in the future.”
Small Change
Tim Turner (data protection trainer) on 2040 Information Law blog.
Choice quote:
“Despite years of ignoring the Data Protection and PECR requirements in favour of a flawed, fundraiser-driven approach, the ICO has not taken disproportionate action against the charities. The action taken is a small percentage of the overall total. Special pleading and blame-shifting will not help the sector. Compliance with the law will.”
Critical of ICO/in defence of charities:
Why ICO’s rulings are a job half done
Dan Fluskey (Institute of Fundraising) on UK Fundraising
Choice quote:
“Yesterday the ICO confirmed that it is fining two charities for breaches of data protection law. Well, that wasn’t quite the headline or tone of the language used. Instead it was ‘exploiting supporters’, ‘secretly screening’ and ‘disregard for people’s privacy.’…It is disappointing that an independent and serious regulator seemed to be trying to write the tabloid headlines for them.”
Does the ICO have ‘unreasonable’ expectations about wealth screening?
Ian MacQuillin (Rogare) on Critical Fundraising
Choice quote:
“ICO now has a choice. It can choose to use the reasonable expectations provision to hold nonprofit organisations to higher standards than for-profits, and in so doing, permit commercial organisations to continue with particular practices that are forbidden for charities.”
The philosophical dispute between fundraising and data protection
Ian MacQuillin (Rogare) on Critical Fundraising
Choice quote:
“A possible Social Contract Theory argument in respect of wealth screening could be that citizens ought to/could consider modifying certain of their data protection rights in return for the aggregate added protection and benefits this brings overall for members of society (not just services for those in desperate need, but new art galleries, theatres, sports facilities and museums).”
Disentangling facts and values in the UK’s wealth screening controversy
Ian MacQuillin (Rogare) on Intelligent Edge blog
Choice quote:
“Whether it is right or wrong that charities ‘exploit’ their donors (however you choose to interpret ‘exploit’ in this context) is a very interesting ethical question. But providing they ‘exploit’ their donors in a way that is compliant with the data protection legislation, it is of absolutely no concern to the data protection regulator, acting as a data protection regulator.”
Isn’t it all a bit illegal?
Susie Hills (Graham Pelton Consulting) on LinkedIn
Choice quote:
“If we want to build long-term, meaningful (and consensual!) relationships with our supporters and explain to them why we’re doing so, then knowledge of their philanthropic interests and ability to give is vital. It is not distasteful; it is professional, thoughtful, and responsive.”
A response to the ICO’s findings that RSPCA and British Heart Foundation broke data protection laws
Christian Propper (Graham Pelton Consutlting) on LinkedIn
Choice quote:
“A good privacy policy will make it clear that you may engage in this activity – an even better privacy policy would expand this to include the fact that the charity may review publicly available information about an individual to help them gain a better understanding about their supporters.”
Annus horribilis
Chris Carnie (The Factary) on The Factary blog.
Choice quote:
“This lack of research will drive a wrecking-ball through relationships between high-value philanthropists and non-profits. It is not coincidental that so many people of wealth are now establishing their own foundations; it is already hard enough to persuade them that they should build a relationship with an existing non-profit.”
We need to talk about money. A response to the ICO fines on RSCPA and BHF
Adrian Beney (More Partnerships) on LinkedIn.
Choice quote:
“I am dismayed when we see a state regulator joining in what appears to be a visceral and emotionally unexplored reaction against the “outrage” that a charity might plan to ask people for money and then to do it again.”
In defence of the public domain
Chris Carnie (The Factary) on The Factary blog.
Choice quote:
“People in the public domain – in Who’s Who, or LinkedIn, the Times or Companies House – are there for a variety of ‘purposes.’ They expect that the information will be used in a variety of ways – including, yes, by people who will lead them into great philanthropic acts.”
Why the ICO and its investigation into charity data practices is completely self-defeating
Matt Ide (Giving Insight) on LinkedIn
Choice quote:
“Who’d have thought a government institution whose remit is to ‘uphold information rights in the public interest’; an institution so important to our everyday lives….a protector of the people as it were, would write a press release with the delicacy of a pile of tabloid dross.”
Neutral:
Hard lessons in fundraising as the ICO shifts the goalposts
Alan Barker and Owen O’Rorke on Farrer and Co blog.
Choice quote:
“It will be of little comfort to others (notably those already under investigation) to note that many would agree with the BHF that the ICO is in fact wrong on this question: for example, in its insistence on the need to obtain clear individual consent for this kind of activity.”
Let’s push our own re-set button
Charlie Hulme (DonorVoice) on UK Fundraising.
Choice quote:
“If our immediate defence is to say, ‘but commercials can do it, why can’t we?’ we miss the point. It goes without saying that it’s just as intrusive and irritating when done by a commercial. But do people feel the same sense of guilt ignoring what they send as they do when it’s sent on behalf of someone in desperate need?”
Critical Fundraising 
One thought on “KNOWLEDGE/OPINION: ICO and enforcement action against charities”