Tag Archives: data protection

Prospect Research and Legitimate Interests

Something quite remarkable happened a few weeks ago. I went to a conference on GDPR (the CASE Regulation and Compliance Conference) and, by the end of the day, I was actually feeling upbeat, hopeful and – even – vaguely excited about the future of prospect research. This was not at all how I was expecting to feel after a GDPR conference, based on the countless other GDPR conferences and events that I have attended over the past 18 months which have mostly left me feeling a mixture of despondency and frustration.

So, why the sudden shift? Well, a few things. Firstly, the brilliant presentations were, for the first time, practical, focusing on what people are working on and achieving as they build towards compliance with GDPR. To be at a GDPR event which was about positive action with regard to things like privacy notices or data analysis, and not just about all the things we can’t or mustn’t do, felt like progress.

Secondly, there was a real focus on analysing the ‘legitimate interest’ condition for processing data for prospect research. This is a huge step forwards. For too long now ‘legitimate interest’ has been viewed as a second-best option, a condition for processing that non-profits can maybe use, which is kind of OK, but probably just not quite as good or as ‘safe’ as consent. Obviously, this is due in no small part to the Regulator and ICO’s view that non-profits should probably get consent for wealth screening (by which they seem to imply most forms of prospect research). Alongside this, as Adrian Salmon’s recent blogpost highlights, one of the problems of principles-based regulation is that, whilst it should encourage flexibility, it tends to lead to a “very conservative compliance mind-set”. So, it was great to see all the relevant conditions for processing being analysed in an informed and practical way at the conference.

And lastly, many Higher Education Institutions (HEIs) are actively choosing legitimate interests (after careful analysis) as their condition for processing data for prospect research. This is another good, positive step.

All that said…

There is still confusion and misinformation. In the past two weeks alone I have received a number of emails from researchers who are still asking if wealth screening is illegal or if they need to get consent from all their donors before doing research. I also speak to many organisations that have suspended some or all forms of prospect research whilst they try to work out their next steps. Occasionally, I speak to smaller charities who have no idea that any of this is even happening.

So, despite great advances in the HE sector and with some charities, it is clear that there is still a long way to go for prospect research before we reach May 2018, when GDPR becomes law.

The main aspect which seems to be paralysing many organisations is the question of whether to rely on consent or legitimate interests as the condition for processing for prospect research. Many researchers have been tasked with coming up with a plan for assessing this and making recommendations, which is a tall order. Much has already been written about consent (see, for example, The Fundraising Regulator’s Guidance on Consent) and we thought, therefore, that it might be useful to add some thoughts around legitimate interests, specifically in relation to prospect research.

Please click here to download our paper on this, which is a meander around the topic (you’ll be asked to subscribe to Factary Updates, so you’ll receive other reports and updates like this in the future). We hope the report is useful. Please do come back to us with any questions or comments. Also, remember that we are not data protection lawyers, so don’t make any decisions based solely on the information we provide!


It ends with Google

On Tuesday I spent the morning at the Ship2B Foundation in Barcelona. Ship2B brings together social change organisations – charities and social enterprises – with grant-making foundations, companies, family offices and venture philanthropists. The social change organisations work on themes in ‘Laboratories’ where the foundations, companies and philanthropists provide advice, contacts and money to accelerate their growth, to ‘scale.’

I sat in on a presentation by the Water4Life lab group. Here were a range of projects on water use and water management. One project was using data from Aigües de Barcelona, the Barcelona water utility, to pinpoint areas of poverty in the city based on how much water each household was using. The project was analysing mass data gathered for one purpose (water supply bills) and using it for another (mapping and understanding poverty).

Which led me to think about the Information Commissioner’s current focus on public domain information collected for one purpose, being used for another.

The ICO have told charities that “publicly available data…is not fair game.” It is not enough to claim that you have a “legitimate interest” in using data from public registers such as Companies House, and news and press reports; you “must balance this against the prejudice to the rights and freedoms of individuals.”

The team at Factary is working hard to ensure we are fully compliant with this new emphasis from the ICO. So this week we contacted one of our suppliers to check that their data was fully compliant. They told us that “…in light of the new GDPR legislation we are currently in discussions…” with suppliers. This is a leading data house that provides data drawn from Companies House. Their end supplier is Companies House.

The Supply Chain

Factary – and any prospect researcher who uses UK companies information from one of the large data houses – is in a supply chain that starts at Companies House. At some point, someone is going to knock on the door of Companies House and ask “are you compliant?”

Before they made their data freely available to anyone, Companies House earned £8.7m in a year, selling it to data users. I have been registered at Companies House as a director since 1990. I have never, ever, had a letter from them asking me if it’s OK to publish my name and address in their register, and then to sell that data on to the big data houses.

I was never asked, because Companies House had a duty in law to gather my personal information and publish it. They turned my private information into public information. They promoted my private information “to power a great range of products” and to encourage “even more people to explore and use [the] data.”

Companies House represents the contradictions at the heart of the legislation that ICO is forced to apply. Data from Companies House that we all believed to be publicly available, and in which we all had a legitimate interest, is no longer “fair game.”

So who is the biggest supplier of publicly available data?

Google, of course.

A Little Light Googling

Every day, millions of people in Britain type the name of a person – a celebrity, a footballer, a friend, a company owner – into Google. Google returns thousands or millions of results; “Theresa May” returns 24 million publicly available results this morning, ranging from press reports to biographic reference sites.

I did not ask the Prime Minister if I might check her name in Google. I am certainly prejudicing her right to privacy by putting her name into Google, because thanks to Google I can see all sorts of scurrilous, unrepeatable stuff about our glorious leader.

Google is a massive re-purposer of publicly available data. Data gathered for one purpose (selling newspapers, or adverts in scurrilous blogs) is re-purposed every single day by Google on behalf of its millions of users.

This is where the contradictions in UK privacy legislation are crystallised. This is where the ICO is heading in its search for the right balance between legitimate interest and the rights and freedoms of individuals.

I want to be a fly on the wall when the ICO knock on the door of number 6, Pancras Square, London N1, the UK headquarters of Google. That battle – between the ICO and Google – will be one to watch.


5 Questions to Ask the ICO

The Information Commissioner, the Fundraising Regulator and the Charity Commission are due to meet fundraisers in Manchester tomorrow, on Tuesday 21st February, for the Fundraising and Regulatory Compliance Conference. The ICO have produced a conference paper for delegates to read prior to 21st, which can be accessed here.

The paper, amongst other things, sets out the ICO’s view of data protection in relation to Database Screening and, it seems, prospect research – although, whilst it mentions ‘Screening’ specifically, the paper rather ambiguously only refers to other [research] “…activities such as profiling individuals”. We do need to get some clarification on what they mean by this but, from the context, it does appear to refer to researching donors and supporters using public domain sources and/or using information not supplied directly by the data subject (so, prospect research).

The paper initially outlines why an organisation should use a privacy policy to explain how they make use of data. It then explains the ‘legitimate interests’ condition in relation to the DPA. In this sense, the paper is useful in outlining that charities need to be honest and fair in their processing of data. This is something that cannot and should not be argued with. As we have said before (e.g. here and here), all charities must make sure they have robust, fair and easily accessible privacy policies which openly explain how they collect, store, use and process data.

The conference paper outlines situations in which such a policy must be communicated to a supporter, some ways this can be done, and even when it is not necessary / practical to do so. This is all useful and welcome information. We now hope that perhaps the Fundraising Regulator will issue some sample privacy policies at the conference on Tuesday that provide examples of the language that charities can use to comply with fair processing of data for fundraising.

However, the paper then states that it is ‘highly unlikely’ that charities will be able to rely on legitimate interests as a condition to process data for Database Screening – specifically using third party providers or involving any personal data not supplied by the data subject – or for ‘profiling individuals’. Instead these activities will require explicit consent from data subjects. This is because, the ICO states, these activities are a) not ‘compatible’ with processing data collected from a donor at the point of donation and b) not within the ‘reasonable expectations’ of a donor.

Please read the conference paper. Think about how it will affect you and your work and highlight any areas you feel are not clear. The conference on 21st February is a very important event and the questions we ask (and the answers we receive) about this paper are likely to have a long-term effect on fundraising and research. If you are not going to be at the conference on Tuesday, you can pass any questions that you may have about it directly to the ICO (send them to events@ico.org.uk and ask for them to be forwarded to the relevant dept).

Below are 5 of the questions we would like to ask, now that we have read the paper:

  1. The ICO says in its paper for this conference that individuals are “highly unlikely to expect” certain types of data processing. In the ICO’s press release announcing the British Heart Foundation and RSPCA monetary penalties they are quoted as saying “millions of people who give their time and money to benefit good causes will be saddened…” to know that charities would ask them for more money.
    1. Does the ICO have evidence that shows what donors expect?
    2. There is, in fact, strong evidence to support the fact that processing of personal data for research is within the reasonable expectations of many donors; a recent study concluded that 78% of donors said that better research before they are approached by a non-profit is the most significant area of improvement in fundraising in the past 10 years. Therefore, if fair processing is adhered to and prospect research is within the reasonable expectations of donors, then can the ICO confirm that charities can rely on legitimate interests to undertake this type of activity?
    3. Sources
      1. ICO, Fundraising and regulatory compliance, 21st February 2017
      2. ICO investigation reveals how charities have been exploiting supporters, 16th December 2016
      3. Breeze & Lloyd, (2013); Why Rich People Give. London, DSC.
  2. Tesco’s Privacy Policy, which customers using its loyalty card must accept, says: “We may also use personal data from other sources, such as specialist companies that supply information, online media channels (online media channels include websites, social media sites, pay TV providers and any other channels that become available to us), our Retail Partners and public registers (for example, the electoral roll)”. They state that they do this in order to provide a better service and experience to their customers.
    1. If a charity used this same statement in its privacy policy, could charities use the public and private domain sources listed by Tesco in research so as to provide a better service and experience to donors?
    2. If not, why not?
    3. Source: Tesco Privacy and Cookie Policy
  3. The paper for the conference says: “It’s legitimate for you to process personal data in order to properly administer donations received from individuals”. The paper suggests throughout, as highlighted above, that “administering donations” is the only purpose for which a charity would use data collected at the point of donation or at the point a supporter joins a charity database. It suggests, therefore, that fundraising (including the market research necessary for raising funds) is not a compatible purpose for processing donation information.
    1. Is it?
    2. If not, why can, for example, Tesco use transaction information for more than simply administering a transaction (see their privacy policy linked above)?
    3. As charities rely on fundraising to carry out their work, is it not within their legitimate interests to use data collected from supporters for fundraising purposes, providing that fair processing and the rules of PECR, the MPS/TPS/FPS etc. are all adhered to?
  4. Here is a common story: a charity Board member meets an individual at, say, a cocktail party. The Board member comes back to the charity fundraiser with the individual’s name and says “X is interested in what we do. And he is wealthy.” The ICO says in its paper for this conference: “Far more intrusive are activities such as profiling individuals, particularly where this involves getting more information that the individual has not given you, either directly or via third-party companies. In these cases the legitimate interest condition is highly unlikely to apply. So you’d need to seek the consent of individuals before doing such processing.”
    1. The X named by our Board member is not a donor. We have no permissions or opt-ins or opt-outs. Can we look him up on Google or LinkedIn or Companies House without his permission?
  5. The Charity Commission imposes a duty to check on donors and potential donors. The Charity Commission recommends that trustees understand their donors and asks: “Have any public concerns been raised about the donors or their activities?” The Commission suggests that “full use should be made of internet websites” to check on donors. This is directly contrary to the ICO guidance which would not permit the use of public domain information until the donor has signed up to our privacy policy.
    1. Given that we want to research a potential donor before she does this, whose guidance should we follow – that of the ICO or that of the Charity Commission?
    2. Source: Charity Commission for England and Wales, Tool 6: Know Your Donor – Key Questions

These are just some of the questions we feel require clarification from the ICO and we’ll be submitting these prior to the event. We will also be attending the event on Tuesday and we’ll report back on what happened as soon as possible afterwards through this blog.

Please also keep an eye on Factary’s Twitter feed during the day as we will attempt, where possible, to Tweet any significant points or answers to any questions raised during the conference.


Mind the Gap

Thank you for your comments in the Factary blog over the last few weeks. Even the ones we disagree with.

Really.

Because your comments – Adrian, Charlotte, Elizabeth, Finbar, Gareth, Jay, Jeremy, Jon, Julie, Luke, Nicola, Oliver, Peter, Philip, Sarah, Tim – show the size of the gap between two camps.

In one camp are the people who work with philanthropists in charities, universities, theatres and museums. These people know that in order to manage a relationship with a customer – in this case, a philanthropist – we need to do what the banks, the supermarkets, the accountants, lawyers, architects and many others do. We need to be able to access public domain information in order to understand our customer, and we know that we have a legitimate interest in doing so. Sometimes we are required to do this research – for example by our supervisors at the Charity Commission.

Sometimes, we need to do this research before we have met the person. Which is why we have a range of controls, including legal controls and codes of conduct that set limits on this type of research.

In the other camp are the people who believe that precisely this type of research is an intrusion into an individual’s privacy. That searching for a named individual in Companies House fundamentally affects the rights of that person.

This is out of our hands now. The Fundraising Regulator and the Information Commissioner are putting together guidance that – we hope – will resolve this difference.

So we are closing, for now, this thread of conversation. We are not going to take any more comments in this area, for now. The debate needs much more hallowed halls than Factary can offer – it should be taking place in Parliament, or at the NCVO, not in our blog.

We have a job to do – to provide ethically sourced public domain information for our many non-profit clients, and we’d better get back to that.


The Future of Philanthropy, in 1 Question

You are at a board meeting of your charity. Board member Jane mentions her friend Peter, and says he might be interested in making a donation. Peter, she says, is the owner of a large software company.

Peter, to be clear, is NOT A CURRENT DONOR. He has not opted in or opted out or opted for anything at your charity.

Back at the office you put Peter’s name into Google. It’s in your legitimate interests to do so, and Peter would expect you to do this.

Turns out that Peter’s business is based in Newcastle.

You are in London, so there is time and travel cost to consider if you are to visit him. You use Companies House to find out about Peter’s shareholding and the company’s profits. These figures help you estimate Peter’s gift capacity. Again, it’s legitimate for a charity to estimate the size of a potential donation before it decides to spend money on a visit to Newcastle.

At an invitation-only event on the 21st of February, the Information Commissioner’s staff will tell charities and the Fundraising Regulator whether or not they can do this search.

The future of philanthropy in the UK hangs on the ICO’s reply to this one question.

Can a prospect researcher do the search outlined above?

If the answer to the question is “No”, then high-value philanthropy in the UK will change dramatically.

It will no longer be possible to use public-domain information to identify or understand potential donors. Charities, universities, museums, hospitals and theatres will have to stop, immediately, all proactive forms of reaching out to new high-value supporters.

How will high-value philanthropists react? They will give less. When charities stop asking, people of wealth will stop giving, or give less and less often. This is not just an assertion – it is demonstrated by research. In “Richer Lives: why rich people give”, Theresa Lloyd and Beth Breeze report that 69% of rich donors give ‘If I am asked by someone I know and respect.’ Charities, from cancer research to the lifeboats, will have to adapt to a dramatic cut in their income.

Some philanthropists will respond by setting up their own foundations. We know from Factary’s New Trust Update that they are already doing this in some numbers. They will manage their own projects via these foundations, meaning less money for mainstream charities.

If the answer to the question is “No”, then the ICO is taking on not just the charity sector, but pretty much every business in the UK. Because every day hundreds of thousands of secretaries, assistants and marketing people do this exact search to check up on potential customers. Can that really be the ICO’s intent?

If the answer is “Yes”, then the ICO is affirming prospect research. We CAN continue to research, understand, and evaluate potential donors and, with permission, actual donors.

We will know the future of philanthropy in the UK on the 21st of February.


Chris Carnie is the author of “How Philanthropy is Changing in Europe”, published by Policy Press. He writes in a personal capacity.


Divided Rules

Prospect researchers are at the nexus of a storm between five government agencies. Thanks to the monetary penalties imposed by the Information Commissioner in December 2016 on two leading charities we can now see the extent of the battlefield.

In one corner is the Information Commissioner’s Office, ICO. In its press release announcing fines for the RSPCA and the British Heart Foundation, ICO condemned the use of “information from publically[sic]-available sources to investigate income, property values, lifestyle and even friendship circles.”

This appears to put the ICO in direct opposition to the Charity Commission. In a series of papers entitled ‘The Compliance Toolkit’ the Commission reminds charities that they have a duty to check on donors and potential donors. Tool 6 in the suite is called ‘Know Your Donor’, and here the Charity Commission asks:

“Have any public concerns been raised about the donors or their activities? If so, what was the nature of the concerns and how long ago were they raised? Did the police or a regulator investigate the concerns? What was the outcome?”

How would you find out whether “public concerns” have been raised, if you did not use “publically-available sources”?

You simply have to use newspapers, government sources, and a search engine if you are to find out whether public concerns have been raised. There is no other way. And of course the Charity Commission says so, recommending that “full use should be made of internet websites” to check donors.

Your duty

The Commission goes further, and reminds trustees that “…if the trustees have reasonable cause to suspect that a donation is related to terrorist financing, they are under specific legal duties under the Counter-Terrorism Act to report the matter to the police. In the case of money laundering, reports can be made to the police, a customs officer (HMRC), or an officer of the National Crime Agency.” The Commission suggests a threshold for reporting – donations of £25,000 or more.

But we are not done yet. Because if you have the slightest suspicion that the donor may be a bit iffy, the Charity Commission requires you to “…check the donor against the consolidated lists of financial sanctions targets and proscribed organisations.”

Gosh.

That means this list.

The list contains 8,885 names of individuals who are under sanctions. It includes their date and place of birth, their passport or ID number, and a biographic note such as “Manager of the branch of Syrian Scientific Studies and research Centre.”

That is personal information held in the public domain, that the Charity Commission requires us to review.

The Libya Connection

Why are four government agencies – the Police, HMRC, the National Crime Agency and the Charity Commission – interested in these checks?

In part, the story is linked to the London School of Economics, and the controversy over a gift from Libya. The result of the controversy was the Woolf Inquiry, which published its report in October 2011.

After a detailed study of the history of this gift, Lord Woolf made a series of recommendations on accepting funds from “less well known” high-value philanthropists including an inquiry into the sources of their funds (p. 69) and a thorough due diligence assessment (p. 22).

These searches are only possible with public domain information.

Catch-22

Under questioning at last year’s CASE conference, ICO spokesperson Richard Marbrow did allow that we could use public domain information for due diligence purposes. But he went on to say that this same information could not be used for assessing gift capacity because that would be an “incompatible purpose” for the use of data.

But that leaves us prospect researchers in Catch-22.

I cannot carry out full due diligence on all my prospects. To do so would be a scandalous waste of charity resources. The Charity Commission suggests that the threshold should be £25,000. So if I am to decide that Mrs A or Mr B must be checked via due diligence…I have to assess their gift capacity.

To do that, I need the help of a fifth government agency, Companies House.

Open for Business

Mr Marbrow cited Companies House various times during 2016, telling fundraisers and prospect researchers that because the information in Companies House was collected for one purpose – regulation – it could not be used for another – prospect research.

What does Companies House say? Here is their July 2014 press release*

“Companies House is to make all of its digital data available free of charge. This will make the UK the first country to establish a truly open register of business information.
As a result, it will be easier for businesses and members of the public to research and scrutinise the activities and ownership of companies and connected individuals. … This is a considerable step forward in improving corporate transparency…

It will also open up opportunities for entrepreneurs to come up with innovative ways of using the information.”

So, Companies House wants us to “research and scrutinise the activities and ownership of companies and connected individuals,” and to find “innovative ways of using the information.”

The Battle for Philanthropy

Prospect researchers are caught in the centre of a battlefield between government agencies, between “innovative ways” of using information, terrorism legislation, due diligence and privacy.

We must defend our corner of this bloody battlefield.

We need our friends in fundraising and philanthropy, in Parliament and in civil society, to support the sensible, ethical, managed use of public domain information in the search for philanthropists.

*I am grateful to a colleague at a leading University for pointing this out.

Chris Carnie is the author of “How Philanthropy is Changing in Europe”, published by Policy Press. He writes in a personal capacity.


In Defence of the Public Domain

A university, a museum, or a charity does not raise £10m or £50m or more by accident. An alumna did not wake up one morning thinking “I must give £1m to my alma mater.”

This happened because a dedicated group of professionals managed a process that led to the alumna being asked for a very large philanthropic gift.

At the heart of that process was, and is, the prospect research team. The team used – like we all do – public domain information to identify and understand potential supporters.

But now one government agency, the Information Commissioner’s Office, wants to stop us using public domain information. In the emotionally-worded press release that accompanied the penalties for the British Heart Foundation and RSPCA, the ICO says that “companies used other information from publically [sic]-available sources to investigate income, property values, lifestyle and even friendship circles.” ICO staff members at fundraising and research conferences throughout 2016 told us that the information on directors held by Companies House is compiled for one purpose (regulation of business) and therefore cannot be used for another (prospect research.)

So perhaps we cannot use public domain information to identify and understand potential supporters.

Purposes

But think for a moment.

Why do I have my profile in LinkedIn? What is my ‘purpose’? Is it just a marketing tool, showing potential clients what a clever chap I am? No! I had all sorts of purposes in mind when I created my profile in LinkedIn. I wanted to reassure clients that I was, and am, a decent person. I am proud of what I have done and wanted – sorry folks, this gets personal – to boast a wee bit about setting up Factary, about the books I have written and the languages I speak. I wanted access to the profiles of other people with whom I might work or even play. I wanted to explain who I am and how I got here – it’s cathartic. And I wanted a useful depository for my lifeline – to remind me of exactly when I went to school or which year I started in fundraising.

I had a whole variety of ‘purposes.’

Expectations

As a result, I have a very wide variety of ‘expectations.’ This word is important, because the ICO believes that “millions of people who give their time and money to benefit good causes will be saddened” by the news that charities targeted them for more money; in other words, this is about what people expect. With my profile in LinkedIn I expected that people would look at my personal story. I expected that Southampton Uni, my alma mater, would contact me about a donation (they did.) I expected that I would be networked to, and with (and indeed welcomed that opportunity.)

The person who has her biography in Who’s Who, or who gives a personal interview in the Times, or who is listed as the director of a company, or as the trustee of a charitable foundation has the same wide range of expectations.

The ‘purpose’ of a personal interview in the Times is to sell advertising space on the facing page of the newspaper; “All the papers that matter live off their advertisements,” said George Orwell, in Why I Write*.

But that is not the ‘purpose’ that the interviewee had in mind when she was approached by the journalist. Nor is it the ‘expectation’ of the interviewee. She knows, when she agrees to give the interview, that her warts-and-all will be exposed to public view. She expects that she will receive praise, opprobrium, investor pitches, car sales teams and an approach from a headhunter as the result of her interview.

The Public Domain

Information on company directors in Companies House – the Registrar of Companies for England and Wales – is made public for various purposes. The Registrar was created by The Joint Stock Companies Act of 1844. In the debate of the Bill that would create the Act (3rd July 1844), Mr Gladstone said “The principal object of the Bill was, that there should be established a public office, to which all parties soliciting to take part in Joint Stock Companies might repair, in order to know the real history of these companies.” Mr Gladstone was talking very clearly about corruption; “…it was most important that the Legislature should put a stop to the system that had been so long carried on of attaching the names of hon. Members, and men of importance and property, to schemes in order to entrap the unwary.”

So here again, at Companies House, we have a variety of purposes for information in the public domain. It is right and proper that prospect researchers use Companies House information to establish the “real history” of “men of importance and property”, and, 172 years after Mr Gladstone’s speech, of women of importance and property too.

All the universities that are engaged in raising funds, along with our theatres, museums and charities, manage a process that results in high-value philanthropy. At the heart of that managed process is prospect research. And alongside every prospect researcher is public domain information.

People in the public domain – in Who’s Who, or LinkedIn, the Times or Companies House – are there for a variety of ‘purposes.’ They expect that the information will be used in a variety of ways – including, yes, by people who will lead them into great philanthropic acts.

We prospect researchers do great works with public domain information. It is wholly legitimate that we use public domain information for this purpose. We must defend our right to do so.

Chris Carnie is the author of “How Philanthropy is Changing in Europe”, published by Policy Press in January 2017. He writes in a personal capacity.

*The fuller quote, given here, is:

“Is the English press honest or dishonest? At normal times it is deeply dishonest. All the papers that matter live off their advertisements, and the advertisers exercise an indirect censorship over news.”


Annus Horribilis

2016 has been my personal annus horribilis, at least in the public domain. (Privately, I’m fine thanks.)

It has been the year when two of my working-life projects have fallen apart.

First, my life as a European was cut off at a stroke by England’s vote for Brexit.

And then as an early Christmas present, the Information Commissioner decided that more or less everything that I had dedicated my working life to doing – understanding philanthropists so that charities could work better with them – was illegal, immoral and subject to multi-thousand pound fines.

The Brexit decision is too political a story for this blog. Suffice it to say that when one chooses as a UK citizen to live in another EU country, learn its languages, learn and enjoy its rich cultural traditions, and feel thoroughly welcome as an immigrant, it is physically painful to know that a cabal of alt-right Ministers in Westminster are determined to throw you out.

So let’s focus on the Information Commissioner’s announcement yesterday. We would expect the Commissioner to use cautious language. She does not. She piles right into the topic by claiming that ‘millions of people who give their time and money to benefit good causes will be saddened to learn that their generosity wasn’t enough.’

This is a clear example of evidence-based policy making. The Commissioner has evidence, we assume, that there are ‘millions of people’ who will be saddened that their generosity did not suffice. Given the paucity of information on donors in the UK, it would be so helpful if the Commissioner would share this data with the rest of us.

If the subjects gave their permission, of course.

Given that we are living in an age of austerity in which the ICO’s paymasters in government (of whichever colour) are cutting back on benefits, rights and payments, I would be utterly astonished if there were even ten donors, let alone millions, who would feel that their generosity was enough. It is never enough. Ask any of the homeless people in London if it is enough. Or the 960,000 people living in poverty in Scotland.

The Commissioner then applies the same broad brush approach to what she describes as ‘wealth screening.’ The language is purposefully vague and catches within its apparent scope almost all customer-focused, relationship-building, fundraising. It appears, on one reading of the statement, that it is somehow wrong to use information including ‘supporters’ names and addresses, dates of birth and the value and date of the last donation.’ It appears that to investigate ‘income, property values, lifestyle and even friendship circles,’ may be illegal, along with the ability to model ‘donors most likely to leave money in their wills.’

Adrian Beney has pointed out in an excellent blog that this is to do not with information or privacy, but our attitudes to money.

For me, it’s an Edwardian view of ‘charity.’ It’s a penny in an old man’s hat. Thanks guv’nor. Lord bless your little ones. It is about a one-way relationship, donor to ‘charity.’

There is a load of evidence (yes, actual evidence Commissioner) that this is not how donors want to relate to ‘charities’ (or, as we now call them, non-profits, or Social Purpose Organisations.)

Here is just one of dozens of research reports I could cite; ‘Donors respond to personalised communications from charities that they have a relationship with, and prompts from family, friends or colleagues.’ (Source: Bagwell, Sally, Lucy de las Casas, Matt van Poortvliet, and Robb Abercrombie. ‘Money for Good UK: Understanding Donor Motivation and Behaviour’. London: New Philanthropy Capital, March 2013. http://www.thinknpc.org/publications/money-for-good-uk/, page 3).

And yet the Commissioner rails against non-profits that identify ‘friendship circles.’

The Commissioner has, either purposely or unwittingly, threatened the development of high-value philanthropy in the UK. By using this broad language, by focusing on an evidently outdated view of ‘charity’, and above all by fining organisations that are trying to build relationships with their supporters based on mutual understanding and knowledge, she has ensured that UK charities will step back, return to the door-knock and the ‘appeal’, never knowing (because the ICO bans such research) who is behind the door or receiving the letter.

This lack of research will drive a wrecking-ball through relationships between high-value philanthropists and non-profits. It is not coincidental that so many people of wealth are now establishing their own foundations; it is already hard enough to persuade them that they should build a relationship with an existing non-profit.

Thanks to the ICO, that job just became harder.

Chris Carnie is the author of ‘How Philanthropy is Changing in Europe’, to be published by Policy Press in January 2017.


The Edge of Privacy

We live in interesting times, privately.

Confusing, contradictory times, when lawmakers require us to lock-down data whilst revealing their intimate thoughts on Twitter. Times when it is OK for a dominant search engine to track our billions of tiny searches, for our wrist watch to measure and transmit our sleeping and walking in the name of fitness. Times when we choose to tell our life stories in Facebook.

And times when our private underbelly is revealed to the world. Two stories have exposed privacy in all its moral complexity; the Panama Papers, and the Ashley Madison data breach. Both have been stories about activities that are legal (being a director of an offshore company and having an affair, or both simultaneously, are not illegal activities.) Both are about normal immorality.

Both stories are to some degree about power. The Panama Papers show us that the powerful are willing to mix their businesses with drug dealers, dictators and money launderers in order to avoid taxes. If you need to be reminded about just how powerful these people are, bear in mind that just one person was prosecuted out of the 1,000 UK names released in the last big tax-related data breach; the Falciani/HSBC affair [Source: ‘Tax Havens don’t need reform, but abolition’, Richard Brooks, Guardian Weekly, 8/4/16].

Both the Panama Papers and Ashley Madison are about relationships, a subject at the heart of prospect research. John knows Jane because both of them invest in the same company in the British Virgin Islands. And John knows Mary because he signed up for Ashley Madison and she’s his new friend.

John is a donor to your charity. He’s in your database, and he has turned up in a screening (carried out, naturally, by Factary). We’ve spotted him in Companies House, a public domain data set, as a director of an investment firm in Holborn, so we have flagged him as interesting.

When you transferred the data to Factary you took the utmost care over the process, using our sFTP (secure FTP) site and thus ensuring that John’s details were encrypted and safe. You checked that the computer link was over a HTTPS network. You made sure that the data would be stored in servers in the UK, in a physically safe and secured building. You did that because you are a conscientious prospect researcher, using the best practice required by the law.

John did not take the same care. When he invested in the British Virgin Islands via Mossack Fonseca he did so through the open web, by email. He joined Ashley Madison the same way, signing up on their website; no encryption, no security. Worse, he was voluntarily exporting his data outside of the protection offered by the European Union through its Data Directive.

And now John has a photograph of him and Mary together at a work conference and he’s posted it on his Facebook page.

Where is the edge of privacy?

Is it the frontier between long standing public domain records and the new stuff, between Companies House and Facebook, for example?

Is it between voluntarily released information and stuff that is Wikileaked?

Is it between Victorian morality and modern – between a marriage notice in the Telegraph, and Ashley Madison?

Above all, is it where people of power dictate it should be? So that we are allowed to see the company directorships of the little people, but cannot see into the murky world of British Virgin Islands connections? Or into the equally dark corners of political connection and patronage?

This is where we are, like it or not, in prospect research. Prospect researchers live on the edge of privacy, using personal information that is in the public domain, for public good. We research John Doe in order to help our fundraising colleagues reach out to him for a donation that will benefit a poor person, or a scholarship kid, or an eye-opening cultural event.

But the power of research comes with a responsibility; it is our profession that must lead the debates on power and privacy, on public domain and private.

Thank goodness it is us, because prospect researchers have a special moral compass. We have chosen to work for causes we believe in, to make sacrifices (anyone want to talk about pay rates for researchers?) for something we believe to be right and good. We have chosen not to sit in the glory seat in fundraising; we are clearly not in this for vanity or fame. We know the value of information, and we have seen the intimacies and the inanities that people are willing to share on the web. We choose every day between information that is right and relevant, and rubbish.

Prospect researchers are the best placed people in the non-profit sector to describe where a private life becomes public.

But we had better get out there and get talking; our donors, our colleagues and our organisations need our guidance as we walk, together, along the edge of privacy.


Safe Harbour in a Storm

On Wednesday it was headline news in Luxembourg where I was working with clients: the European Court of Justice had struck down the Safe Harbor agreement. Max Schrems had won a battle with Facebook and the Irish data protection authorities.

The court ruling that European Commission Decision 2000/520 is invalid means that we can no longer share data easily with US colleagues: Texting your New York colleague with your UK donor’s date of birth just became illegal.

There have always been two routes to data transfer from the EU to the USA: Safe Harbor, and the use of a model contract. The latter route is still open, according to the lawyers; there are useful posts on the ruling and its implications from Norton Rose here and from Clifford Chance here.

So how will this affect prospect research, fundraising and philanthropy?

First, it underlines the relevance of employing prospect researchers. Increasingly, prospect researchers are the custodians of personal data relating to potential and actual supporters. We act as the interface between fundraisers who want to know everything about everybody and the law which restricts what we can record and what we can share. Especially, what we can share with colleagues outside the EU.

Second, it reminds us that personal data is personal. There is an increasingly uncertain frontier between what is public and what is private as social media carries more and more of our donors’ lives. At Factary we have long had concerns about the material that people post in their Facebook pages, and have excluded it from profiles as a general policy. All of us in prospect research should continue to review and re-review our protocols to ensure that we are up-to-the-minute in data protection.

Third, it will mean some hard work over the coming weeks for organisations (universities, arts and culture, NGOs…) with sisters outside the EU (for example, your “Friends of” organisation in Washington DC) to revise or renew agreements that allow data transfer.

Fourth, it means UK suppliers such as Factary should review their data processes to ensure that all of their data is held inside the EU. At Factary we did this some time ago, and yes, all our data and servers are inside the EU.

Finally, this will be an especially difficult time for fundraising and philanthropy. Increasingly philanthropists are international – a home here, a business there, and a foundation somewhere else. To work with a donor who lives in Paris but works out of New York we need to be able to share data quickly and effectively with our team. Our philanthropists (major donors, strategic donors) want us to react quickly and to provide coordinated, joined-up service. That is going to be a delicate, difficult job following this ruling.

The closure of Safe Harbor means choppy seas for all of us.