Tag Archives: fundraising research

Prospect Research and Legitimate Interests

Something quite remarkable happened a few weeks ago. I went to a conference on GDPR (the CASE Regulation and Compliance Conference) and, by the end of the day, I was actually feeling upbeat, hopeful and – even – vaguely excited about the future of prospect research. This was not at all how I was expecting to feel after a GDPR conference, based on the countless other GDPR conferences and events that I have attended over the past 18 months which have mostly left me feeling a mixture of despondency and frustration.

So, why the sudden shift? Well, a few things. Firstly, the brilliant presentations were, for the first time, practical, focusing on what people are working on and achieving as they build towards compliance with GDPR. To be at a GDPR event which was about positive action with regard to things like privacy notices or data analysis, and not just about all the things we can’t or mustn’t do, felt like progress.

Secondly, there was a real focus on analysing the ‘legitimate interest’ condition for processing data for prospect research. This is a huge step forwards. For too long now ‘legitimate interest’ has been viewed as a second-best option, a condition for processing that non-profits can maybe use, which is kind of OK, but probably just not quite as good or as ‘safe’ as consent. Obviously, this is due in no small part to the Regulator and ICO’s view that non-profits should probably get consent for wealth screening (by which they seem to imply most forms of prospect research). Alongside this, as Adrian Salmon’s recent blogpost highlights, one of the problems of principles-based regulation is that, whilst it should encourage flexibility, it tends to lead to a “very conservative compliance mind-set”. So, it was great to see all the relevant conditions for processing being analysed in an informed and practical way at the conference.

And lastly, many Higher Education Institutions (HEIs) are actively choosing legitimate interests (after careful analysis) as their condition for processing data for prospect research. This is another good, positive step.

All that said…

There is still confusion and misinformation. In the past two weeks alone I have received a number of emails from researchers who are still asking if wealth screening is illegal or if they need to get consent from all their donors before doing research. I also speak to many organisations that have suspended some or all forms of prospect research whilst they try to work out their next steps. Occasionally, I speak to smaller charities who have no idea that any of this is even happening.

So, despite great advances in the HE sector and with some charities, it is clear that there is still a long way to go for prospect research before we reach May 2018, when GDPR becomes law.

The main aspect which seems to be paralysing many organisations is the question of whether to rely on consent or legitimate interests as the condition for processing for prospect research. Many researchers have been tasked with coming up with a plan for assessing this and making recommendations, which is a tall order. Much has already been written about consent (see, for example, The Fundraising Regulator’s Guidance on Consent) and we thought, therefore, that it might be useful to add some thoughts around legitimate interests, specifically in relation to prospect research.

Please click here to download our paper on this, which is a meander around the topic (you’ll be asked to subscribe to Factary Updates, so you’ll receive other reports and updates like this in the future). We hope the report is useful. Please do come back to us with any questions or comments. Also, remember that we are not data protection lawyers, so don’t make any decisions based solely on the information we provide!


It ends with Google

On Tuesday I spent the morning at the Ship2B Foundation in Barcelona. Ship2B brings together social change organisations – charities and social enterprises – with grant-making foundations, companies, family offices and venture philanthropists. The social change organisations work on themes in ‘Laboratories’ where the foundations, companies and philanthropists provide advice, contacts and money to accelerate their growth, to ‘scale.’

I sat in on a presentation by the Water4Life lab group. Here were a range of projects on water use and water management. One project was using data from Aigües de Barcelona, the Barcelona water utility, to pinpoint areas of poverty in the city based on how much water each household was using. The project was analysing mass data gathered for one purpose (water supply bills) and using it for another (mapping and understanding poverty).

Which led me to think about the Information Commissioner’s current focus on public domain information collected for one purpose, being used for another.

The ICO have told charities that “publicly available data…is not fair game.” It is not enough to claim that you have a “legitimate interest” in using data from public registers such as Companies House, and news and press reports; you “must balance this against the prejudice to the rights and freedoms of individuals.”

The team at Factary is working hard to ensure we are fully compliant with this new emphasis from the ICO. So this week we contacted one of our suppliers to check that their data was fully compliant. They told us that “…in light of the new GDPR legislation we are currently in discussions…” with suppliers. This is a leading data house that provides data drawn from Companies House. Their end supplier is Companies House.

The Supply Chain

Factary – and any prospect researcher who uses UK companies information from one of the large data houses – is in a supply chain that starts at Companies House. At some point, someone is going to knock on the door of Companies House and ask “are you compliant?”

Before they made their data freely available to anyone, Companies House earned £8.7m in a year, selling it to data users. I have been registered at Companies House as a director since 1990. I have never, ever, had a letter from them asking me if it’s OK to publish my name and address in their register, and then to sell that data on to the big data houses.

I was never asked, because Companies House had a duty in law to gather my personal information and publish it. They turned my private information into public information. They promoted my private information “to power a great range of products” and to encourage “even more people to explore and use [the] data.”

Companies House represents the contradictions at the heart of the legislation that ICO is forced to apply. Data from Companies House that we all believed to be publicly available, and in which we all had a legitimate interest, is no longer “fair game.”

So who is the biggest supplier of publicly available data?

Google, of course.

A Little Light Googling

Every day, millions of people in Britain type the name of a person – a celebrity, a footballer, a friend, a company owner – into Google. Google returns thousands or millions of results; “Theresa May” returns 24 million publicly available results this morning, ranging from press reports to biographic reference sites.

I did not ask the Prime Minister if I might check her name in Google. I am certainly prejudicing her right to privacy by putting her name into Google, because thanks to Google I can see all sorts of scurrilous, unrepeatable stuff about our glorious leader.

Google is a massive re-purposer of publicly available data. Data gathered for one purpose (selling newspapers, or adverts in scurrilous blogs) is re-purposed every single day by Google on behalf of its millions of users.

This is where the contradictions in UK privacy legislation are crystallised. This is where the ICO is heading in its search for the right balance between legitimate interest and the rights and freedoms of individuals.

I want to be a fly on the wall when the ICO knock on the door of number 6, Pancras Square, London N1, the UK headquarters of Google. That battle – between the ICO and Google – will be one to watch.


5 Questions to Ask the ICO

The Information Commissioner, the Fundraising Regulator and the Charity Commission are due to meet fundraisers in Manchester tomorrow, on Tuesday 21st February, for the Fundraising and Regulatory Compliance Conference. The ICO have produced a conference paper for delegates to read prior to the 21st, which can be accessed here.

The paper, amongst other things, sets out the ICO’s view of data protection in relation to Database Screening and, it seems, prospect research – although, whilst it mentions ‘Screening’ specifically, the paper rather ambiguously only refers to other [research] “…activities such as profiling individuals”. We do need to get some clarification on what they mean by this but, from the context, it does appear to refer to researching donors and supporters using public domain sources and/or using information not supplied directly by the data subject (so, prospect research).

The paper initially outlines why an organisation should use a privacy policy to explain how they make use of data. It then explains the ‘legitimate interests’ condition in relation to the DPA. In this sense, the paper is useful in outlining that charities need to be honest and fair in their processing of data. This is something that cannot and should not be argued with. As we have said before (e.g. here and here), all charities must make sure they have robust, fair and easily accessible privacy policies which openly explain how they collect, store, use and process data.

The conference paper outlines situations in which such a policy must be communicated to a supporter, some ways this can be done, and even when it is not necessary / practical to do so. This is all useful and welcome information. We now hope that perhaps the Fundraising Regulator will issue some sample privacy policies at the conference on Tuesday that provide examples of the language that charities can use to comply with fair processing of data for fundraising.

However, the paper then states that it is ‘highly unlikely’ that charities will be able to rely on legitimate interests as a condition to process data for Database Screening – specifically using third party providers or involving any personal data not supplied by the data subject – or for ‘profiling individuals’. Instead these activities will require explicit consent from data subjects. This is because, the ICO states, these activities are a) not ‘compatible’ with processing data collected from a donor at the point of donation and b) not within the ‘reasonable expectations’ of a donor.

Please read the conference paper. Think about how it will affect you and your work and highlight any areas you feel are not clear. The conference on 21st February is a very important event and the questions we ask (and the answers we receive) about this paper are likely to have a long-term effect on fundraising and research. If you are not going to be at the conference on Tuesday, you can pass any questions that you may have about it directly to the ICO (send them to events@ico.org.uk and ask for them to be forwarded to the relevant dept).

Below are 5 of the questions we would like to ask, now that we have read the paper:

  1. The ICO says in its paper for this conference that individuals are “highly unlikely to expect” certain types of data processing. In the ICO’s press release announcing the British Heart Foundation and RSPCA monetary penalties they are quoted as saying “millions of people who give their time and money to benefit good causes will be saddened…” to know that charities would ask them for more money.
    1. Does the ICO have evidence that shows what donors expect?
    2. There is, in fact, strong evidence to support the fact that processing of personal data for research is within the reasonable expectations of many donors; a recent study concluded that 78% of donors said that better research before they are approached by a non-profit is the most significant area of improvement in fundraising in the past 10 years. Therefore, if fair processing is adhered to and prospect research is within the reasonable expectations of donors, then can the ICO confirm that charities can rely on legitimate interests to undertake this type of activity?
    3. Sources
      1. ICO, Fundraising and regulatory compliance, 21st February 2017
      2. ICO investigation reveals how charities have been exploiting supporters, 16th December 2016
      3. Breeze & Lloyd, (2013); Why Rich People Give. London, DSC.
  2. Tesco’s Privacy Policy, which customers using its loyalty card must accept, says: “We may also use personal data from other sources, such as specialist companies that supply information, online media channels (online media channels include websites, social media sites, pay TV providers and any other channels that become available to us), our Retail Partners and public registers (for example, the electoral roll)”. They state that they do this in order to provide a better service and experience to their customers.
    1. If a charity used this same statement in its privacy policy, could charities use the public and private domain sources listed by Tesco in research so as to provide a better service and experience to donors?
    2. If not, why not?
    3. Source: Tesco Privacy and Cookie Policy
  3. The paper for the conference says: “It’s legitimate for you to process personal data in order to properly administer donations received from individuals”. The paper suggests throughout, as highlighted above, that “administering donations” is the only purpose for which a charity would use data collected at the point of donation or at the point a supporter joins a charity database. It suggests, therefore, that fundraising (including the market research necessary for raising funds) is not a compatible purpose for processing donation information.
    1. Is it?
    2. If not, why can, for example, Tesco use transaction information for more than simply administering a transaction (see their privacy policy linked above)?
    3. As charities rely on fundraising to carry out their work, is it not within their legitimate interests to use data collected from supporters for fundraising purposes, providing that fair processing and the rules of PECR, the MPS/TPS/FPS etc. are all adhered to?
  4. Here is a common story: a charity Board member meets an individual at, say, a cocktail party. The Board member comes back to the charity fundraiser with the individual’s name and says “X is interested in what we do. And he is wealthy.” The ICO says in its paper for this conference: “Far more intrusive are activities such as profiling individuals, particularly where this involves getting more information that the individual has not given you, either directly or via third-party companies. In these cases the legitimate interest condition is highly unlikely to apply. So you’d need to seek the consent of individuals before doing such processing.”
    1. The X named by our Board member is not a donor. We have no permissions or opt-ins or opt-outs. Can we look him up on Google or LinkedIn or Companies House without his permission?
  5. The Charity Commission imposes a duty to check on donors and potential donors. The Charity Commission recommends that trustees understand their donors and asks: “Have any public concerns been raised about the donors or their activities?” The Commission suggests that “full use should be made of internet websites” to check on donors. This is directly contrary to the ICO guidance which would not permit the use of public domain information until the donor has signed up to our privacy policy.
    1. Given that we want to research a potential donor before she does this, whose guidance should we follow – that of the ICO or that of the Charity Commission?
    2. Source: Charity Commission for England and Wales, Tool 6: Know Your Donor – Key Questions

These are just some of the questions we feel require clarification from the ICO and we’ll be submitting these prior to the event. We will also be attending the event on Tuesday and we’ll report back on what happened as soon as possible afterwards through this blog.

Please also keep an eye on Factary’s Twitter feed during the day as we will attempt, where possible, to Tweet any significant points or answers to any questions raised during the conference.


Thanks, Alastair

I have just had this lovely email from Alastair James, Senior Consultant at Global Philanthropic. He read my book, ‘How Philanthropy is Changing in Europe’ and wrote:

Dear Chris

I just wanted to say what a wonderful book you have written.

It is a fascinating volume, full of interesting and well-researched material, and I have learned a lot by reading it. You have approached the subject with the rigour of a true academic, but you have written it in a very engaging and accessible style.

I have come away with an overwhelmingly positive impression of philanthropy in Europe from reading your book, although you have also been very clear about the lack of information available in the sector. The fact that foundations are starting to be more open is a very good sign.

I also think that, in the current difficult climate, the book provides a lot of encouraging messages for fundraisers – not least the fact that fundraising has been going on for a long time in Europe, and will, for sure, continue to do so.

My warmest congratulations to you on this superb book.

Best wishes.

Alastair

Alastair James
Senior Consultant
Global Philanthropic
a.j@globalphilanthropic.com

 

Chris Carnie is the author of “How Philanthropy is Changing in Europe”, published by Policy Press. He writes in a personal capacity.