Factary’s Privacy Notice Project

For the past few months we have been engaged in a project to understand the reaction of donors, supporters and alumni when they receive a privacy notice from a non-profit organisation or university which is relying on its legitimate interest to process data for prospect research purposes.

We undertook the project because, under GDPR, in order to be able to rely on legitimate interest as a basis to process personal data for prospect research purposes (and therefore not obtain consent), non-profits must ensure they have fulfilled certain criteria – including undertaking a balancing exercise to ensure that the legitimate interests of the organisation do not override individuals’ interests, rights & freedoms and to ensure that the data processing does not have a disproportionate impact on data subjects.

Whilst many non-profits and universities feel they have successfully carried out balancing exercises and provided fair and transparent privacy notices detailing prospect research activities, the decision they have taken to rely on their legitimate interests is not without its risks. The opinion of the Information Commissioner’s Office (ICO) in early 2017 was that “millions of people” would “be upset to discover that charities [would] target them for even more money” by undertaking activities such as prospect research. If it is indeed the case that millions of people would feel this way then it could be argued that prospect research activities do have a disproportionate impact on data subjects.

However, so far the ICO have provided no evidence that “millions of people” would be upset to discover that non-profit organisations undertake prospect research. In fact, in a recent ongoing correspondence in relation to a Freedom of Information request, the ICO state they have “no specific evidence” to support their assertion that donors, supporters or alumni would not reasonably expect non-profits to undertake prospect research, much less that people would be upset about it.

That said, the non-profit sector itself cannot currently provide any empirical evidence that millions of people would not feel this way. The lack of evidence to support some aspects of the decision many non-profits have taken to rely on the legitimate interest condition is something that concerns us at Factary and for this reason we decided to try and understand the reaction of donors, supporters and alumni when they are told about prospect research via a privacy notice.

The project

This project aimed to capture data on the reactions of data subjects when they received a privacy notice containing information about prospect research activities. To do this, a questionnaire was sent only to non-profits which:

  • undertake prospect research activities (such as profiling and screening)
  • have decided to rely on legitimate interests for prospect research purposes
  • have included specific information about prospect research activities in their privacy notice
  • have provided the privacy notice to their constituents (not just made it available on their website)
  • told recipients how they could opt out of their data being used for prospect research and how they could complain about data being used in this way

Results

To date, 17 non-profit organisations (a mixture of charities and universities) have completed the questionnaire.

In total 2,433,901 privacy notices have been provided by the 17 organisations.

Privacy notices (or links to privacy notices) have been provided using the following methods:

  • 1,174,930 sent by email
  • 947,791 sent by post
  • 307,180 sent by SMS
  • 4,000 provided face to face (by one higher education institution at an alumni event)

Graph comparing the methods by which organisations have provided privacy notices to data subjects.

From the 2.4m privacy notices that were provided by the 17 different organisations, we asked:

  • How many recipients contacted the non-profit to opt-out of their data being used for prospect research purposes?
  • How many recipients contacted the non-profit to complain about the use of personal data for prospect research purposes?

The results show:

  • Overall 0.0000411% of recipients complained about prospect research
  • Overall 0.00825% of recipients opted out of prospect research

What do these results mean?

As is shown, the number of individuals complaining about prospect research, or requesting to ‘opt out’ of their data being used in prospect research, is infinitesimal.

This data therefore provides an evidence base that can be used to argue that the balancing exercise carried out by non-profit organisations to review individuals’ interests, rights and freedoms was fairly judged because, if it hadn’t been, then presumably the number of individuals complaining about or opting out of prospect research would be significantly higher.

Whilst we do not necessarily feel the results of the project can be used to argue that people ‘reasonably expect’ to be researched, the data can be used to argue that prospect research activities do not appear to have a disproportionate impact on data subjects. The ICO state that:

“You should avoid using legitimate interests if you are using personal data in ways … you think some people would object [to] if you explained it to them.”

This data shows that the rate of objection is negligible, which makes the legitimate interests condition an entirely viable option for non-profits.

Of course, one of the limitations of this data is that it is difficult to know how many individuals have actually read the privacy notices that they were sent in various formats (our research shows that, on average, around 30% of individuals who received privacy notices via email clicked to open the email but we have no way of knowing how many people read the copies that were posted to them or that were given to them face to face). However, we do not believe that this invalidates the results. In fact, given the widespread negative publicity afforded to the use of personal data in fundraising by charities and universities over the past few years in the national press, it would be difficult to state that there is a total lack of awareness amongst donors, supporters and alumni of how personal data is used in fundraising. It could be argued that the open rate indicates that, despite negative press reports about wealth screening and research, people trust their chosen charities and universities to use their data responsibly.

Of course, more can be done to ensure donors, supporters and alumni are engaged in matters of data privacy over and above just sending a privacy notice – for example, many organisations are speaking directly with donors about data privacy matters to make sure individuals have a thorough understanding of what happens with their data and to gauge reasonable expectations. That said, each organisation that completed our questionnaire provided a clear privacy notice to data subjects to enable them to exercise their rights (to be informed, to object to the processing, to minimise processing, to access their data etc.) and so they have met the standards of transparency required under the legitimate interests condition, regardless of how many recipients found it necessary to read the privacy notice.

What next?

We would like to continue to add to this evidence base if possible so if your organisation is relying on legitimate interests to process data for prospect research and you would like to share your data on privacy notices, please do contact us at the details below. If we do receive more data on this, we’ll update this blog with fresh results.

We also believe there is more work that can be done to gather wider evidence to support the justification to rely on legitimate interests for prospect research. This includes gathering and disseminating data on the reasonable expectations of supporters (particularly major donors), the purposes of prospect research, how necessary research is to fundraising and the benefits of doing it. There is more to come from us on some of these issues, so keep an eye on the blog – but if you are engaging in any evidence gathering on these matters we’d love to hear from you!

And, last but not least, we’d like to thank the organisations and higher ed institutions that submitted data to us for this project.

If you have any questions about any of the above (or GDPR or research in general) please do get in touch with Nicola Williams, Research Director, at nicolaw@factary.com.

It ends with Google

On Tuesday I spent the morning at the Ship2B Foundation in Barcelona. Ship2B brings together social change organisations – charities and social enterprises – with grant-making foundations, companies, family offices and venture philanthropists. The social change organisations work on themes in ‘Laboratories’ where the foundations, companies and philanthropists provide advice, contacts and money to accelerate their growth, to ‘scale.’

I sat in on a presentation by the Water4Life lab group. Here were a range of projects on water use and water management. One project was using data from Aigües de Barcelona, the Barcelona water utility, to pinpoint areas of poverty in the city based on how much water each household was using. The project was analysing mass data gathered for one purpose (water supply bills) and using it for another (mapping and understanding poverty).

Which led me to think about the Information Commissioner’s current focus on public domain information collected for one purpose, being used for another.

The ICO have told charities that “publicly available data…is not fair game.” It is not enough to claim that you have a “legitimate interest” in using data from public registers such as Companies House, and news and press reports; you “must balance this against the prejudice to the rights and freedoms of individuals.”

The team at Factary is working hard to ensure we are fully compliant with this new emphasis from the ICO. So this week we contacted one of our suppliers to check that their data was fully compliant. They told us that “…in light of the new GDPR legislation we are currently in discussions…” with suppliers. This is a leading data house that provides data drawn from Companies House. Their end supplier is Companies House.

The Supply Chain

Factary – and any prospect researcher who uses UK companies information from one of the large data houses – is in a supply chain that starts at Companies House. At some point, someone is going to knock on the door of Companies House and ask “are you compliant?”

Before they made their data freely available to anyone, Companies House earned £8.7m in a year, selling it to data users. I have been registered at Companies House as a director since 1990. I have never, ever, had a letter from them asking me if it’s OK to publish my name and address in their register, and then to sell that data on to the big data houses.

I was never asked, because Companies House had a duty in law to gather my personal information and publish it. They turned my private information into public information. They promoted my private information “to power a great range of products” and to encourage “even more people to explore and use [the] data.”

Companies House represents the contradictions at the heart of the legislation that ICO is forced to apply. Data from Companies House that we all believed to be publicly available, and in which we all had a legitimate interest, is no longer “fair game.”

So who is the biggest supplier of publicly available data?

Google, of course.

A Little Light Googling

Every day, millions of people in Britain type the name of a person – a celebrity, a footballer, a friend, a company owner – into Google. Google returns thousands or millions of results; “Theresa May” returns 24 million publicly available results this morning, ranging from press reports to biographic reference sites.

I did not ask the Prime Minister if I might check her name in Google. I am certainly prejudicing her right to privacy by putting her name into Google, because thanks to Google I can see all sorts of scurrilous, unrepeatable stuff about our glorious leader.

Google is a massive re-purposer of publicly available data. Data gathered for one purpose (selling newspapers, or adverts in scurrilous blogs) is re-purposed every single day by Google on behalf of its millions of users.

This is where the contradictions in UK privacy legislation are crystallised. This is where the ICO is heading in its search for the right balance between legitimate interest and the rights and freedoms of individuals.

I want to be a fly on the wall when the ICO knock on the door of number 6, Pancras Square, London N1, the UK headquarters of Google. That battle – between the ICO and Google – will be one to watch.

5 Questions to Ask the ICO

The Information Commissioner, the Fundraising Regulator and the Charity Commission are due to meet fundraisers in Manchester tomorrow, on Tuesday 21st February, for the Fundraising and Regulatory Compliance Conference. The ICO have produced a conference paper for delegates to read prior to 21st, which can be accessed here.

The paper, amongst other things, sets out the ICO’s view of data protection in relation to Database Screening and, it seems, prospect research – although, whilst it mentions ‘Screening’ specifically, the paper rather ambiguously only refers to other [research] “…activities such as profiling individuals”. We do need to get some clarification on what they mean by this but, from the context, it does appear to refer to researching donors and supporters using public domain sources and/or using information not supplied directly by the data subject (so, prospect research).

The paper initially outlines why an organisation should use a privacy policy to explain how they make use of data. It then explains the ‘legitimate interests’ condition in relation to the DPA. In this sense, the paper is useful in outlining that charities need to be honest and fair in their processing of data. This is something that cannot and should not be argued with. As we have said before (e.g. here and here), all charities must make sure they have robust, fair and easily accessible privacy policies which openly explain how they collect, store, use and process data.

The conference paper outlines situations in which such a policy must be communicated to a supporter, some ways this can be done, and even when it is not necessary / practical to do so. This is all useful and welcome information. We now hope that perhaps the Fundraising Regulator will issue some sample privacy policies at the conference on Tuesday that provide examples of the language that charities can use to comply with fair processing of data for fundraising.

However, the paper then states that it is ‘highly unlikely’ that charities will be able to rely on legitimate interests as a condition to process data for Database Screening – specifically using third party providers or involving any personal data not supplied by the data subject – or for ‘profiling individuals’. Instead these activities will require explicit consent from data subjects. This is because, the ICO states, these activities are a) not ‘compatible’ with processing data collected from a donor at the point of donation and b) not within the ‘reasonable expectations’ of a donor.

Please read the conference paper. Think about how it will affect you and your work and highlight any areas you feel are not clear. The conference on 21st February is a very important event and the questions we ask (and the answers we receive) about this paper are likely to have a long-term effect on fundraising and research. If you are not going to be at the conference on Tuesday, you can pass any questions that you may have about it directly to the ICO (send them to events@ico.org.uk and ask for them to be forwarded to the relevant dept).

Below are 5 of the questions we would like to ask, now that we have read the paper:

  1. The ICO say in its paper for this conference that individuals are “highly unlikely to expect” certain types of data processing. In the ICO’s press release announcing the British Heart Foundation and RSPCA monetary penalties they are quoted as saying “millions of people who give their time and money to benefit good causes will be saddened…” to know that charities would ask them for more money.
    1. Does the ICO have evidence that shows what donors expect?
    2. There is, in fact, strong evidence to support the fact that processing of personal data for research is within the reasonable expectations of many donors; a recent study concluded that 78% of donors said that better research before they are approached by a non-profit is the most significant area of improvement in fundraising in the past 10 years. Therefore, if fair processing is adhered to and prospect research is within the reasonable expectations of donors, then can the ICO confirm that charities can rely on legitimate interests to undertake this type of activity?
    3. Sources
      1. ICO, Fundraising and regulatory compliance, 21st February 2017
      2. ICO investigation reveals how charities have been exploiting supporters, 16th December 2016
      3. Breeze & Lloyd, (2013); Why Rich People Give. London, DSC.
  2. Tesco’s Privacy Policy, which customers using its loyalty card must accept, says: “We may also use personal data from other sources, such as specialist companies that supply information, online media channels (online media channels include websites, social media sites, pay TV providers and any other channels that become available to us), our Retail Partners and public registers (for example, the electoral roll)”. They state that they do this in order to provide a better service and experience to their customers.
    1. If a charity used this same statement in its privacy policy, could charities use the public and private domain sources listed by Tesco in research so as to provide a better service and experience to donors?
    2. If not, why not?
    3. Source: Tesco Privacy and Cookie Policy
  3. The paper for the conference says: “It’s legitimate for you to process personal data in order to properly administer donations received from individuals”. The paper suggests throughout, as highlighted above, that “administering donations” is the only purpose for which a charity would use data collected at the point of donation or at the point a supporter joins a charity database. It suggests, therefore, that fundraising (including the market research necessary for raising funds) is not a compatible purpose for processing donation information.
    1. Is it?
    2. If not, why can, for example, Tesco use transaction information for more than simply administering a transaction (see their privacy policy linked above)?
    3. As charities rely on fundraising to carry out their work, is it not within their legitimate interests to use data collected from supporters for fundraising purposes, providing that fair processing and the rules of PECR, the MPS/TPS/FPS etc. are all adhered to?
  4. Here is a common story: a charity Board member meets an individual at, say, a cocktail party. The Board member comes back to the charity fundraiser with the individual’s name and says “X is interested in what we do. And he is wealthy.” The ICO says in its paper for this conference: “Far more intrusive are activities such as profiling individuals, particularly where this involves getting more information that the individual has not given you, either directly or via third-party companies. In these cases the legitimate interest condition is highly unlikely to apply. So you’d need to seek the consent of individuals before doing such processing.”
    1. The X named by our Board member is not a donor. We have no permissions or opt-ins or opt-outs. Can we look him up on Google or LinkedIn or Companies House without his permission?
  5. The Charity Commission imposes a duty to check on donors and potential donors. The Charity Commission recommends that trustees understand their donors and asks: “Have any public concerns been raised about the donors or their activities?” The Commission suggests that “full use should be made of internet websites” to check on donors. This is directly contrary to the ICO guidance which would not permit the use of public domain information until the donor has signed up to our privacy policy.
    1. Given that we want to research a potential donor before she does this, whose guidance should we follow – that of the ICO or that of the Charity Commission?
    2. Source: Charity Commission for England and Wales, Tool 6: Know Your Donor – Key Questions

These are just some of the questions we feel require clarification from the ICO and we’ll be submitting these prior to the event. We will also be attending the event on Tuesday and we’ll report back on what happened as soon as possible afterwards through this blog.

Please also keep an eye on Factary’s Twitter feed during the day as we will attempt, where possible, to Tweet any significant points or answers to any questions raised during the conference.

Mind the Gap

Thank you for your comments in the Factary blog over the last few weeks. Even the ones we disagree with.

Really.

Because your comments – Adrian, Charlotte, Elizabeth, Finbar, Gareth, Jay, Jeremy, Jon, Julie, Luke, Nicola, Oliver, Peter, Philip, Sarah, Tim – show the size of the gap between two camps.

In one camp are the people who work with philanthropists in charities, universities, theatres and museums. These people know that in order to manage a relationship with a customer – in this case, a philanthropist – we need to do what the banks, the supermarkets, the accountants, lawyers, architects and many others do. We need to be able to access public domain information in order to understand our customer, and we know that we have a legitimate interest in doing so. Sometimes we are required to do this research – for example by our supervisors at the Charity Commission.

Sometimes, we need to do this research before we have met the person. Which is why we have a range of controls, including legal controls and codes of conduct that set limits on this type of research.

In the other camp are the people who believe that precisely this type of research is an intrusion into an individual’s privacy. That searching for a named individual in Companies House fundamentally affects the rights of that person.

This is out of our hands now. The Fundraising Regulator and the Information Commissioner are putting together guidance that – we hope – will resolve this difference.

So we are closing, for now, this thread of conversation. We are not going to take any more comments in this area, for now. The debate needs much more hallowed halls than Factary can offer – it should be taking place in Parliament, or at the NCVO, not in our blog.

We have a job to do – to provide ethically sourced public domain information for our many non-profit clients, and we’d better get back to that.

The Future of Philanthropy, in 1 Question

You are at a board meeting of your charity. Board member Jane mentions her friend Peter, and says he might be interested in making a donation. Peter, she says, is the owner of a large software company.

Peter, to be clear, is NOT A CURRENT DONOR. He has not opted in or opted out or opted for anything at your charity.

Back at the office you put Peter’s name into Google. It’s in your legitimate interests to do so, and Peter would expect you to do this.

Turns out that Peter’s business is based in Newcastle.

You are in London, so there is time and travel cost to consider if you are to visit him. You use Companies House to find out about Peter’s shareholding and the company’s profits. These figures help you estimate Peter’s gift capacity. Again, it’s legitimate for a charity to estimate the size of a potential donation before it decides to spend money on a visit to Newcastle.

At an invitation-only event on the 21st of February, the Information Commissioner’s staff will tell charities and the Fundraising Regulator whether or not they can do this search.

The future of philanthropy in the UK hangs on the ICO’s reply to this one question.

Can a prospect researcher do the search outlined above?

If the answer to the question is “No”, then high-value philanthropy in the UK will change dramatically.

It will no longer be possible to use public-domain information to identify or understand potential donors. Charities, universities, museums, hospitals and theatres will have to stop, immediately, all proactive forms of reaching out to new high-value supporters.

How will high-value philanthropists react? They will give less. When charities stop asking, people of wealth will stop giving, or give less and less often. This is not just an assertion – it is demonstrated by research. In “Richer Lives: why rich people give”, Theresa Lloyd and Beth Breeze report that 69% of rich donors give ‘If I am asked by someone I know and respect.’ Charities, from cancer research to the lifeboats, will have to adapt to a dramatic cut in their income.

Some philanthropists will respond by setting up their own foundations. We know from Factary’s New Trust Update that they are already doing this in some numbers. They will manage their own projects via these foundations, meaning less money for mainstream charities.

If the answer to the question is “No”, then the ICO is taking on not just the charity sector, but pretty much every business in the UK. Because every day hundreds of thousands of secretaries, assistants and marketing people do this exact search to check up on potential customers. Can that really be the ICO’s intent?

If the answer is “Yes”, then the ICO is affirming prospect research. We CAN continue to research, understand, and evaluate potential donors and, with permission, actual donors.

We will know the future of philanthropy in the UK on the 21st of February.


Chris Carnie is the author of “How Philanthropy is Changing in Europe”, published by Policy Press. He writes in a personal capacity.

Divided Rules

Prospect researchers are at the nexus of a storm between five government agencies. Thanks to the monetary penalties imposed by the Information Commissioner in December 2016 on two leading charities we can now see the extent of the battlefield.

In one corner is the Information Commissioner’s Office, ICO. In its press release announcing fines for the RSPCA and the British Heart Foundation, ICO condemned the use of “information from publically[sic]-available sources to investigate income, property values, lifestyle and even friendship circles.”

This appears to put the ICO in direct opposition to the Charity Commission. In a series of papers entitled ‘The Compliance Toolkit’ the Commission reminds charities that they have a duty to check on donors and potential donors. Tool 6 in the suite is called ‘Know Your Donor’, and here the Charity Commission asks:

“Have any public concerns been raised about the donors or their activities? If so, what was the nature of the concerns and how long ago were they raised? Did the police or a regulator investigate the concerns? What was the outcome?”

How would you find out whether “public concerns” have been raised, if you did not use “publically-available sources”?

You simply have to use newspapers, government sources, and a search engine if you are to find out whether public concerns have been raised. There is no other way. And of course the Charity Commission says so, recommending that “full use should be made of internet websites” to check donors.

Your duty

The Commission goes further, and reminds trustees that “…if the trustees have reasonable cause to suspect that a donation is related to terrorist financing, they are under specific legal duties under the Counter-Terrorism Act to report the matter to the police. In the case of money laundering, reports can be made to the police, a customs officer (HMRC), or an officer of the National Crime Agency.” The Commission suggests a threshold for reporting – donations of £25,000 or more.

But we are not done yet. Because if you have the slightest suspicion that the donor may be a bit iffy, the Charity Commission requires you to “…check the donor against the consolidated lists of financial sanctions targets and proscribed organisations.”

Gosh.

That means this list.

The list contains 8,885 names of individuals who are under sanctions. It includes their date and place of birth, their passport or ID number, and a biographic note such as “Manager of the branch of Syrian Scientific Studies and research Centre.”

That is personal information held in the public domain, that the Charity Commission requires us to review.

The Libya Connection

Why are four government agencies – the Police, HMRC, the National Crime Agency and the Charity Commission – interested in these checks?

In part, the story is linked to the London School of Economics, and the controversy over a gift from Libya. The result of the controversy was the Woolf Inquiry, which published its report in October 2011.

After a detailed study of the history of this gift, Lord Woolf made a series of recommendations on accepting funds from “less well known” high-value philanthropists including an inquiry into the sources of their funds (p. 69) and a thorough due diligence assessment (p. 22).

These searches are only possible with public domain information.

Catch-22

Under questioning at last year’s CASE conference, ICO spokesperson Richard Marbrow did allow that we could use public domain information for due diligence purposes. But he went on to say that this same information could not be used for assessing gift capacity because that would be an “incompatible purpose” for the use of data.

But that leaves us prospect researchers in Catch-22.

I cannot carry out full due diligence on all my prospects. To do so would be a scandalous waste of charity resources. The Charity Commission suggests that the threshold should be £25,000. So if I am to decide that Mrs A or Mr B must be checked via due diligence…I have to assess their gift capacity.

To do that, I need the help of a fifth government agency, Companies House.

Open for Business

Mr Marbrow cited Companies House various times during 2016, telling fundraisers and prospect researchers that because the information in Companies House was collected for one purpose – regulation – it could not be used for another – prospect research.

What does Companies House say? Here is their July 2014 press release:*

“Companies House is to make all of its digital data available free of charge. This will make the UK the first country to establish a truly open register of business information.
As a result, it will be easier for businesses and members of the public to research and scrutinise the activities and ownership of companies and connected individuals. … This is a considerable step forward in improving corporate transparency…

It will also open up opportunities for entrepreneurs to come up with innovative ways of using the information.”

So, Companies House wants us to “research and scrutinise the activities and ownership of companies and connected individuals,” and to find “innovative ways of using the information.”

The Battle for Philanthropy

Prospect researchers are caught in the centre of a battlefield between government agencies, between “innovative ways” of using information, terrorism legislation, due diligence and privacy.

We must defend our corner of this bloody battlefield.

We need our friends in fundraising and philanthropy, in Parliament and in civil society, to support the sensible, ethical, managed use of public domain information in the search for philanthropists.

*I am grateful to a colleague at a leading University for pointing this out.

Chris Carnie is the author of “How Philanthropy is Changing in Europe”, published by Policy Press. He writes in a personal capacity.

In Defence of the Public Domain

A university, a museum, or a charity does not raise £10m or £50m or more by accident. An alumna did not wake up one morning thinking “I must give £1m to my alma mater.”

This happened because a dedicated group of professionals managed a process that led to the alumna being asked for a very large philanthropic gift.

At the heart of that process was, and is, the prospect research team. The team used – like we all do – public domain information to identify and understand potential supporters.

But now one government agency, the Information Commissioner’s Office, wants to stop us using public domain information. In the emotionally-worded press release that accompanied the penalties for the British Heart Foundation and RSPCA, the ICO says that “companies used other information from publically [sic]-available sources to investigate income, property values, lifestyle and even friendship circles.” ICO staff members at fundraising and research conferences throughout 2016 told us that the information on directors held by Companies House is compiled for one purpose (regulation of business) and therefore cannot be used for another (prospect research.)

So perhaps we cannot use public domain information to identify and understand potential supporters.

Purposes

But think for a moment.

Why do I have my profile in LinkedIn? What is my ‘purpose’? Is it just a marketing tool, showing potential clients what a clever chap I am? No! I had all sorts of purposes in mind when I created my profile in LinkedIn. I wanted to reassure clients that I was, and am, a decent person. I am proud of what I have done and wanted – sorry folks, this gets personal – to boast a wee bit about setting up Factary, about the books I have written and the languages I speak. I wanted access to the profiles of other people with whom I might work or even play. I wanted to explain who I am and how I got here – it’s cathartic. And I wanted a useful depository for my lifeline – to remind me of exactly when I went to school or which year I started in fundraising.

I had a whole variety of ‘purposes.’

Expectations

As a result, I have a very wide variety of ‘expectations.’ This word is important, because the ICO believes that “millions of people who give their time and money to benefit good causes will be saddened” by the news that charities targeted them for more money; in other words, this is about what people expect. With my profile in LinkedIn I expected that people would look at my personal story. I expected that Southampton Uni, my alma mater, would contact me about a donation (they did.) I expected that I would be networked to, and with (and indeed welcomed that opportunity.)

The person who has her biography in Who’s Who, or who gives a personal interview in the Times, or who is listed as the director of a company, or as the trustee of a charitable foundation has the same wide range of expectations.

The ‘purpose’ of a personal interview in the Times is to sell advertising space on the facing page of the newspaper; “All the papers that matter live off their advertisements,” said George Orwell, in Why I Write*.

But that is not the ‘purpose’ that the interviewee had in mind when she was approached by the journalist. Nor is it the ‘expectation’ of the interviewee. She knows, when she agrees to give the interview, that her warts-and-all will be exposed to public view. She expects that she will receive praise, opprobrium, investor pitches, car sales teams and an approach from a headhunter as the result of her interview.

The Public Domain

Information on company directors in Companies House – the Registrar of Companies for England and Wales – is made public for various purposes. The Registrar was created by The Joint Stock Companies Act of 1844. In the debate of the Bill that would create the Act (3rd July 1844), Mr Gladstone said “The principal object of the Bill was, that there should be established a public office, to which all parties soliciting to take part in Joint Stock Companies might repair, in order to know the real history of these companies.” Mr Gladstone was talking very clearly about corruption; “…it was most important that the Legislature should put a stop to the system that had been so long carried on of attaching the names of hon. Members, and men of importance and property, to schemes in order to entrap the unwary.”

So here again, at Companies House, we have a variety of purposes for information in the public domain. It is right and proper that prospect researchers use Companies House information to establish the “real history” of “men of importance and property”, and, 172 years after Mr Gladstone’s speech, of women of importance and property too.

All the universities that are engaged in raising funds, along with our theatres, museums and charities, manage a process that results in high-value philanthropy. At the heart of that managed process is prospect research. And alongside every prospect researcher is public domain information.

People in the public domain – in Who’s Who, or LinkedIn, the Times or Companies House – are there for a variety of ‘purposes.’ They expect that the information will be used in a variety of ways – including, yes, by people who will lead them into great philanthropic acts.

We prospect researchers do great works with public domain information. It is wholly legitimate that we use public domain information for this purpose. We must defend our right to do so.

Chris Carnie is the author of “How Philanthropy is Changing in Europe”, published by Policy Press in January 2017. He writes in a personal capacity.

*The fuller quote, given here, is:

“Is the English press honest or dishonest? At normal times it is deeply dishonest. All the papers that matter live off their advertisements, and the advertisers exercise an indirect censorship over news.”

ICO rulings and Database Screenings

The ICO fines for BHF and RSPCA that were announced this week have caused understandable concern for prospect researchers and wider fundraising teams across the sector. This blog post is Factary’s initial response to this news.

The ICO has so far issued two statements about the fines levied (these can be seen here and here). The statements outline that the fines are being issued for various infringements of the Data Protection Act through wealth screening, data appending and data sharing. To be clear, this blog post refers only to the situation with wealth screening, or, as we call it, Database Screening. Data appending and data sharing of bulk data are not services we provide at Factary so we won’t comment on the situation with these fines.

The first thing to mention is that we are expecting more comprehensive information about these fines to be issued on Friday 9th December by the ICO. The full penalty notices will be published on the ICO website and Twitter feed along with details of the enforcement action. Until we have reviewed the full documents it will be difficult to respond properly to this situation. That said, since the Daily Mail broke the story (ahead of the ICO announcement) of the fines on Tuesday 6th, we have received many emails from concerned clients, colleagues and friends worrying about the implication of these fines for non-profits and prospect research, so we wanted to issue a response as soon as possible to answer some of the most pressing questions, some of which are…

Can we still carry out Database Screenings?

It seems that one of the main reasons for the fines levied for ‘wealth screenings’, as explained in the information we have seen from the ICO so far, was because “Donors were not informed of these [Screening] practices, and so were unable to consent or object” to them. The lesson here is not that Screening is unlawful from the ICO’s viewpoint, but that non-profits and Screening service providers need to be open and transparent about what they will use personal data for. This is something that we mentioned in our previous blog on data protection.

The problem still remains, of course, that we feel neither the ICO nor the Fundraising Regulator have been too clear on how this information should be presented to supporters or indeed what information is necessary / sufficient. Hopefully they will do more to educate the sector and provide greater clarity. In the meantime we would expect that the vast majority of non-profits have completed and published, or are working on, improved privacy notices that include information about prospect research so that their supporters are fully aware of what their data is used for. The RiF ‘data protection working group’ will be drawing together samples of these, and this is something Factary will be helping with. We’ll post news on this here on the blog, on our Twitter feed and the RiF committee will also post on their Twitter feed, so keep an eye out.

If you’d like to discuss privacy notices or statements please do email me.

What about previous Screenings?

One of the questions many are asking now is, “When I last undertook a Screening, the non-profit I work for did not have a robust privacy policy in place. Is there a chance that we will be fined, too?” The short answer to this is, of course, that it is entirely possible more fines will be issued. The long answer may have to wait until we have received more information from the ICO on the nature of the fines against BHF and RSPCA in relation to Screening; until we know the full extent of the infringement, it will be difficult to understand the full impact.

Either way, there is very little you can do about previous Screenings; you can really only make sure you are fully prepared and compliant for the next.

What can the sector do?

From our point of view, some of the ICO’s latest statements set a tone which portrays Screening (and prospect research more generally) negatively. The ICO statements said, “The millions of people who give their time and money to benefit good causes…will be upset to discover that charities abused their trust to target them for even more money”. This kind of reporting will no doubt result in harmful press articles (aside from the inevitable articles from the Daily Mail, which I won’t reference here), such as those from the BBC and even Third Sector, which have reported negatively that charities are “secretly screening donors” with a “disregard for people’s privacy”.

We feel the general tone used to report on these fines suggests a lack of understanding of what Screening is and why it is used – and, by extension, what prospect research is and what it is for. We should, as a sector, take some responsibility for this as we have not historically been very open in explaining how Screening and prospect research benefits donors and helps to improve their relationships with the causes they support. That said, we can’t shoulder all the blame, as many people I have spoken to have found the ICO’s approach to communication on these issues (and when directly speaking at conferences during 2016) to also be quite negative. For example, many of the emails I have received since Tuesday start with, “One of my trustees has read the Daily Mail article…” or, “Our compliance team has seen the ICO report…”, followed by concerned questions about the legality of Screening / research. This highlights that the negative and sometimes misleading reports that are in the public domain are already having a troubling impact on our abilities to carry out the normal functions of prospect research. We understand the genuine reasons for the ICO’s actions, but it serves no purpose to paint a negative image of the sector, who largely do incredible work for people and society.

This means it is up to us to push back on the negativity and educate our supporters, the wider public and even (in some instances) our own colleagues about prospect research. This echoes what was said at the RiF Conference; we need to take ownership of communicating the need, impact and benefits of prospect research through privacy statements, protocol and policies. We need to be positive in our communication and underline the benefits to donors and non-profits of prospect research – and to highlight the negative consequences of fundraising without prospect research.

What should we do now?

  • Be clear on why prospect research is vital for fundraising in your organisation
  • Educate trustees (and wider colleagues) if necessary on the need and impact of research
  • Ensure privacy notices are robust and include information on Screening and research
  • Share best practice with colleagues from other non-profits on privacy notices
  • Also, note that when including information on Screening in a privacy notice you’ll need to link to the privacy statements of your chosen Screening company to ensure that the company is also compliant with data protection (as examples, Factary’s is here and Prospecting for Gold’s can be found here)

What happens next?

  • Friday 9 December: The penalty notices will be published on the ICO website along with details of the enforcement action. Hopefully this will give us more of an idea of what the scale of the Screening problem is (in comparison to the data appending and sharing), and exactly what the RSPCA and BHF have been fined for
  • The Institute of Fundraising is likely to respond properly to these fines when the full report has been released; keep an eye on their Twitter feed or the feed of Dan Fluskey, IoF Head of Policy and Research, who has been working with RiF on this issue. He wrote a great piece in fundraising.co.uk about this issue yesterday
  • The ICO is organising “an educational event in partnership with the Charity Commission and the Fundraising Regulator” (no date for this has been announced, presumably early 2017); keep an eye on their announcements for more information on this
  • The ICO will also present an in-depth report in regards to charity fundraising practices to Parliament in 2017; based on the negative stance the ICO has taken on fundraising practices, this has the potential to be damaging and as a sector we need to be ready to respond to this

As ever, if anyone has any questions on this please do not hesitate to contact me at nicolaw@factary.com.

We would also like to take this opportunity to thank many of our colleagues and friends from the sector who have contacted us with messages of support in the past 48 hours – we really appreciate it!

Data Protection, Consent and Prospect Research

Many of Factary’s clients and colleagues have been in touch with us recently voicing their concerns, frustrations and confusion over recent news regarding the use of personal data in fundraising and prospect research. It’s not surprising that there is confusion; this year has seen a whirlwind of news and opinion from various regulatory bodies, some of it conflicting.

Our clients have asked if we can provide some clarity – this is a tall order right now as the situation is not completely clear and evolving more-or-less by the day, but below we have outlined recent events, the current situation and news on what is happening over the next few months.

The current situation – how did we get here?

As we know, 2015 was a challenging year for fundraising and charities in the UK. Negative press reports regarding certain fundraising practices ultimately resulted in a review of all fundraising and the publication of the Etherington Review in September 2015, which outlined recommendations for the future of fundraising.

Recommendations in the Etherington Review included that a new Fundraising Regulator be established (to set and promote standards for fundraising practice) and a ‘Fundraising Preference Service’ (FPS) be launched. The Fundraising Regulator launched in July 2016 and is in the process of setting up the FPS so that “individuals only get the fundraising communications they want and need”.

Whether or not people feel the FPS is necessary (alongside the MPS, the TPS and PECR), the decision has been made and the Regulator is aiming to launch it sometime in 2017. The official consultation period on the FPS has passed but the proposal papers can be viewed here.

The Etherington Review also worked closely with the ICO in developing the recommendations. It was outlined in the Review that the ICO had not been communicated with sufficiently in the past by either the Institute of Fundraising or the (now defunct) Fundraising Standards Board and that a stronger relationship between the new Regulator and the ICO should be established.

The upshot of this is that the ICO turned its attention to the non-profit sector and began reviewing if and/or how charities were adhering to the Data Protection Act (DPA) and PECR through fundraising practices such as direct marketing, telephone fundraising and electronic communications.

The general issue of consent

The ICO have been in attendance at many fundraising conferences, seminars and events this year, usually alongside representatives from the Regulator. The ICO have outlined their concerns over how well (or otherwise) non-profits have been adhering to the DPA, with a particular focus on the apparent lack of evidence around ‘consent’ for non-profits to use the personal data of their supporters. This is not just about obtaining consent from supporters for non-profits to hold personal data on a database but also about obtaining consent for how the data is then used for marketing, fundraising and, importantly for us, in prospect research.

The issue of gaining consent is simultaneously very clear and also incredibly complex. On the one hand, it is straightforward because there is universal agreement in the sector that supporters and donors should have proper control over their data, be able to communicate preferences to their chosen charities and have those preferences acted upon. The complexity comes with how and to what extent non-profits are expected to communicate with current and future supporters to gain consent for the use of personal data.

With the looming presence of the GDPR, scheduled to come into force in May 2018, the issue of consent becomes even more important (that said, to what extent the current format of the GDPR will be implemented is Brexit-dependent, so even this is unclear).

Current guidance on consent – where can you go for help?

There are several documents detailing regulations and guidance from the ICO in relation to consent and data protection:

Unfortunately, whilst useful, these aren’t hugely specific to the non-profit sector and only go some way towards clarifying the situation.

Helpfully, there are some other places where we can gain more clarity:

  • The Fundraising Regulator will be translating the ICO regulations and issuing some guidance on the consents that charities should obtain, sometime in the autumn/winter of 2016 (so, very soon).
  • In February 2017, the Regulator will also be starting a 3-month consultation period on updates/changes to the Code of Fundraising Practice, which will include reviewing guidance on data protection and consent (this is according to Head of Policy, Gerald Oppenheimer, speaking at the CASE Development Services conference in October 2016). Keep an eye on the Regulator’s website and Twitter feed and try to make sure you are a part of the consultation next year. The Code will potentially have a huge impact on fundraising practice – including prospect research – so try to make sure you and the organisations you work for have a say on the development and changes.
  • The NCVO have produced a report ‘Charities relationships with donors; a vision for a better future’. This report contains sample statements showing how non-profits can obtain consent to use personal data and it will inform the Regulator’s development of guidelines for the Code of Fundraising Practice. It is worth noting that these guidelines conflict with the ICO’s recent statements around how consent for prospect research should be obtained (see below).
  • CASE are also in the process of writing guidelines on consent for education institutions. These will be available on 25th January 2017. These guidelines will contain example privacy policies and sample donor communications, hopefully also including information on prospect research. Whilst the guidelines will inevitably be steered towards alumni databases and communications, they will no doubt be helpful to all non-profits, so they’ll be worth looking out for. Keep an eye on the CASE Twitter feed for more information.

But what does this all mean for prospect research?

All the guidance and regulation noted above is (or probably will be) quite broad, relating to consent for all forms of fundraising/marketing – but the ICO review process has also had some interesting consequences for those of us working in prospect research and, by extension, major donor fundraising.

Throughout the course of 2016, a representative of the ICO has stated at various events that non-profits will not only need to obtain consent to use personal data for fundraising/marketing but also for all forms of prospect research. This could mean that consent will need to be obtained for each part of the research process (e.g. data screening, segmentation, data modelling, appending wealth, profiling etc.). Additionally, the ICO have outlined that this isn’t just about gaining consent to use the personal data given when a supporter, for example, makes a donation, but also for any data pertaining to the person in the public domain; so, in practice, this might mean obtaining consent from individual supporters to access their details on Companies House or other common research sources.

There are clearly numerous concerns with this.

The main problem is that, as this has been a relatively fast-moving situation, there is currently very little guidance on how non-profits should go about incorporating prospect research consent into their privacy policies, consent forms or fundraising communications. Nor has there been any clarity on how explicit the consent will need to be. Our view is that it is unworkable to expect supporters to give separate consent to each and every fundraising, marketing and research option that they may be presented with.

Also, on a practical note, in this post on the GDPR, Christian Propper at Graham Pelton Consultants asks two pertinent questions:

  • How can we ask for consent for database screening, profiling and other research techniques in a way that doesn’t unduly worry supporters?
  • How can non-profits future-proof their current consent/privacy statements to encompass research practices they may adopt in the future (but might not yet even know about)?

In short, how can prospect research ensure it is on the right side of regulation whilst also being able to continue contributing to fundraising in all its myriad, wonderful ways? The short answer right now is that, unfortunately, there is no clear guidance on this. All we know is that (as outlined above) the Regulator is working on best practice guidelines on consent which we assume will include consent for prospect research.

There are a few papers/articles that might be helpful to review around this issue:

  • The NCVO report, mentioned above, which can be downloaded here, is useful to read if only from the point of view that the ‘best practice’ sample statements on consent only mention research in passing and certainly not to the extent that the ICO has suggested is necessary, e.g. ‘We may from time to time use your data for profiling, targeting and research purposes so that our communications to you are as appropriate and cost effective as possible’. It will be interesting to see if this approach is adopted by the Regulator when they bring out their official guidance.
  • The team at the Commission on the Donor Experience are working on a project around ‘giving choices and managing preferences’. Ken Burnett from the Commission wrote this article in which he outlines a practical way to ensure ‘continuous donor choice’. This step-by-step guide could easily be modified to include information on prospect research and is one sensible option for communicating with supporters. The Commission is working with the Regulator so something akin to this approach may be adopted in the guidelines for the Code of Practice.
  • Adrian Beney at More Partnership produced an excellent briefing paper on ‘More Partnership briefing for NCVO on Wealth Screening and Profiling’ earlier this year in response to the initial draft report from the NCVO. The paper puts prospect research into context and questions some of the ICO’s opinions on how data is used in fundraising and the types of consents non-profits should reasonably be expected to ask for. If your role encompasses prospect research this paper would be an excellent reference guide to understanding ICO regulations and prospect research.

So, what should I do now?

Our advice would be, first of all, not to panic about the conflicting news and opinion you may have heard. If you feel there are possibly areas where your organisation needs to improve communications around consent to use personal data then, alongside your day job, you could perhaps:

  • look into the consent options, donor communications, privacy policies and data processes that are in place in your organisation, alongside reviewing the ICO documents for direct marketing and PECR (links above)
  • consider undertaking a ‘privacy impact assessment’ to highlight areas where your organisation may be falling short on data protection
  • ensure you are a part of the Fundraising Regulator’s consultation process in 2017; the more involved we all are, the more likely that the guidelines will be workable for us
  • attend the Researchers in Fundraising conference in November 2016 – a representative from the ICO is speaking on the topic of data protection and consent
  • support the Researchers in Fundraising ‘data protection working group’, who are working with the ICO and the Fundraising Regulator to ensure prospect research is part of the conversation – keep an eye on the RiF news webpage and Twitter feed for developments on this

Also, keep an eye on Factary’s Twitter feed or let me know if you’d like to join our mailing list to be kept informed of any further news or announcements relating to this topic. We’re keeping a close eye on developments and would be happy to disseminate information.

And finally, remember that prospect research has an enormously positive role to play in fundraising. We need to keep in mind that our work is of tremendous consequence. So, when it comes to drafting future communications / privacy policies with supporters, please keep in mind this excellent Tweet from Adrian Beney at More Partnership wherein he encourages us to, “Tell people what you’re doing. Be honest. And open. And unashamed of what we do to help create a better world.”

If you’d like to discuss any of this in more detail or if you are concerned about consent or data protection, please contact me at nicolaw@factary.com.