ICO rulings and Database Screenings

The ICO fines for BHF and RSPCA that were announced this week have caused understandable concern for prospect researchers and wider fundraising teams across the sector. This blog post is Factary’s initial response to this news.

The ICO has so far issued two statements about the fines levied (these can be seen here and here). The statements outline that the fines are being issued for various infringements of the Data Protection Act through wealth screening, data appending and data sharing. To be clear, this blog post refers only to the situation with wealth screening, or, as we call it, Database Screening. Data appending and data sharing of bulk data are not services we provide at Factary so we won’t comment on the situation with these fines.

The first thing to mention is that we are expecting more comprehensive information about these fines to be issued on Friday 9th December by the ICO. The full penalty notices will be published on the ICO website and Twitter feed along with details of the enforcement action. Until we have reviewed the full documents it will be difficult to respond properly to this situation. That said, since the Daily Mail broke the story (ahead of the ICO announcement) of the fines on Tuesday 6th, we have received many emails from concerned clients, colleagues and friends worrying about the implication of these fines for non-profits and prospect research, so we wanted to issue a response as soon as possible to answer some of the most pressing questions, some of which are…

Can we still carry out Database Screenings?

It seems that one of the main reasons for the fines levied for ‘wealth screenings’, as explained in the information we have seen from the ICO so far, was because “Donors were not informed of these [Screening] practices, and so were unable to consent or object” to them. The lesson here is not that Screening is unlawful from the ICO’s viewpoint, but that non-profits and Screening service providers need to be open and transparent about what they will use personal data for. This is something that we mentioned in our previous blog on data protection.

The problem still remains, of course, that we feel neither the ICO nor the Fundraising Regulator have been too clear on how this information should be presented to supporters or indeed what information is necessary / sufficient. Hopefully they will do more to educate the sector and provide greater clarity. In the meantime we would expect that the vast majority of non-profits have completed and published, or are working on, improved privacy notices that include information about prospect research so that their supporters are fully aware of what their data is used for. The RiF ‘data protection working group’ will be drawing together samples of these, and this is something Factary will be helping with. We’ll post news on this here on the blog, on our Twitter feed and the RiF committee will also post on their Twitter feed, so keep an eye out.

If you’d like to discuss privacy notices or statements please do email me.

What about previous Screenings?

One of the questions many are asking now is, “When I last undertook a Screening, the non-profit I work for did not have a robust privacy policy in place. Is there a chance that we will be fined, too?” The short answer to this is, of course, that it is entirely possible more fines will be issued. The long answer may have to wait until we have received more information from the ICO on the nature of the fines against BHF and RSPCA in relation to Screening; until we know the full extent of the infringement, it will be difficult to understand the full impact.

Either way, there is very little you can do about previous Screenings; you can really only make sure you are fully prepared and compliant for the next.

What can the sector do?

From our point of view, some of the ICO’s latest statements set a tone which portrays Screening (and prospect research more generally) negatively. The ICO statements said, “The millions of people who give their time and money to benefit good causes…will be upset to discover that charities abused their trust to target them for even more money”. This kind of reporting will no doubt result in harmful press articles (aside from the inevitable articles from the Daily Mail which I won’t reference here) such as the BBC and even Third Sector where they have reported negatively that charities are “secretly screening donors” with a “disregard for people’s privacy”.

We feel the general tone used to report on these fines suggests a lack of understanding of what Screening is and why it is used – and, by extension, what prospect research is and what it is for. We should, as a sector, take some responsibility for this as we have not historically been very open in explaining how Screening and prospect research benefits donors and helps to improve their relationships with the causes they support. That said, we can’t shoulder all the blame, as many people I have spoken to have found the ICO’s approach to communication on these issues (and when directly speaking at conferences during 2016) to also be quite negative. For example, many of the emails I have received since Tuesday start with, “One of my trustees has read the Daily Mail article…” or, “Our compliance team has seen the ICO report…”, followed by concerned questions about the legality of Screening / research. This highlights that the negative and sometimes misleading reports that are in the public domain are already having a troubling impact on our abilities to carry out the normal functions of prospect research. We understand the genuine reasons for the ICO’s actions, but it serves no purpose to paint a negative image of the sector, who largely do incredible work for people and society.

This means it is up to us push back on the negativity and educate our supporters, the wider public and even (in some instances) our own colleagues about prospect research. This echoes what was said at the RiF Conference; we need to take ownership of communicating the need, impact and benefits of prospect research through privacy statements, protocol and policies. We need to be positive in our communication and underline the benefits to donors and non-profits of prospect research – and, to highlight the negative consequences of fundraising without prospect research.

What should we do now?

  • Be clear on why prospect research is vital for fundraising in your organisation
  • Educate trustees (and wider colleagues) if necessary on the need and impact of research
  • Ensure privacy notices are robust and include information on Screening and research
  • Share best practice with colleagues from other non-profits on privacy notices
  • Also, note that when including information on Screening in a privacy notice you’ll need to link to the privacy statements of your chosen Screening company to ensure that the company is also compliant with data protection (as examples, Factary’s is here and Prospecting for Gold’s can be found here)

What happens next?

  • Friday 9 December: The penalty notices will be published on the ICO website along with details of the enforcement action. Hopefully this will give us more of an idea of what the scale of the Screening problem is (in comparison to the data appending and sharing), and exactly what the RSPCA and BHF have been fined for
  • The Institute of Fundraising is likely to respond properly to these fines when the full report has been released, keep an eye on their Twitter feed or the feed of Dan Fluskey, IoF Head of Policy and Research, who has been working with RiF on this issue. He wrote a great piece in fundraising.co.uk about this issue yesterday
  • The ICO is organising “an educational event in partnership with the Charity Commission and the Fundraising Regulator” (no date for this has been announced, presumably early 2017), keep an eye on their announcements for more information on this
  • The ICO will also present an in-depth report in regards to charity fundraising practices to Parliament in 2017; based on the negative stance the ICO has taken on fundraising practices, this has the potential to be damaging and as a sector we need to be ready to respond to this

As ever, if anyone has any questions on this please do not hesitate to contact me at nicolaw@factary.com.

We would also like to take this opportunity to thank many of our colleagues and friends from the sector who have contacted us with messages of support in the past 48 hours – we really appreciate it!

3 thoughts on “ICO rulings and Database Screenings

  1. Excellent article, thank you Nicola! Has to be said, I’m not looking forward to that ICO report to Parliament in 2017…

  2. Really helpful summary. We really need to make sure the “joint educational event” that the Charity Commission, ICO and Fundraising Regulator is promising really does tell us what a compliant privacy notice would look like.

    Let’s hope there’s a willingness to engage, rather than the judgmental approach that the ICO expressed in its press release

Comments are closed.