Factary’s Privacy Notice Project

For the past few months we have been engaged in a project to understand the reaction of donors, supporters and alumni when they receive a privacy notice from a non-profit organisation or university which is relying on its legitimate interest to process data for prospect research purposes.

We undertook the project because, under GDPR, in order to be able to rely on legitimate interest as a basis to process personal data for prospect research purposes (and therefore not obtain consent), non-profits must ensure they have fulfilled certain criteria – including undertaking a balancing exercise to ensure that the legitimate interests of the organisation do not override individuals’ interests, rights & freedoms and to ensure that the data processing does not have a disproportionate impact on data subjects.

Whilst many non-profits and universities feel they have successfully carried out balancing exercises and provided fair and transparent privacy notices detailing prospect research activities, the decision they have taken to rely on their legitimate interests is not without its risks. The opinion of the Information Commissioner’s Office (ICO) in early 2017 was that “millions of people” would “be upset to discover that charities [would] target them for even more money” by undertaking activities such as prospect research. If it is indeed the case that millions of people would feel this way then it could be argued that prospect research activities do have a disproportionate impact on data subjects.

However, so far the ICO have provided no evidence that “millions of people” would be upset to discover that non-profit organisations undertake prospect research. In fact, in a recent ongoing correspondence in relation to a Freedom of Information request, the ICO state they have “no specific evidence” to support their assertion that donors, supporters or alumni would not reasonably expect non-profits to undertake prospect research, much less that people would be upset about it.

That said, the non-profit sector itself cannot currently provide any empirical evidence that millions of people would not feel this way. The lack of evidence to support some aspects of the decision many non-profits have taken to rely on the legitimate interest condition is something that concerns us at Factary and for this reason we decided to try and understand the reaction of donors, supporters and alumni when they are told about prospect research via a privacy notice.

The project

This project aimed to capture data on the reactions of data subjects when they received a privacy notice containing information about prospect research activities. To do this, a questionnaire was sent only to non-profits which:

  • undertake prospect research activities (such as profiling and screening)
  • have decided to rely on legitimate interests for prospect research purposes
  • have included specific information about prospect research activities in their privacy notice
  • have provided the privacy notice to their constituents (not just made it available on their website)
  • told recipients how they could opt out of their data being used for prospect research and how they could complain about data being used in this way

Results

To date, 17 non-profit organisations (a mixture of charities and universities) have completed the questionnaire.

In total 2,433,901 privacy notices have been provided by the 17 organisations.

Privacy notices (or links to privacy notices) have been provided using the following methods:

  • 1,174,930 sent by email
  • 947,791 sent by post
  • 307,180 sent by SMS
  • 4,000 provided face to face (by one higher education institution at an alumni event)

Figure: Graph comparing the methods by which organisations have provided privacy notices to data subjects.

From the 2.4m privacy notices that were provided by the 17 different organisations, we asked:

  • How many recipients contacted the non-profit to opt-out of their data being used for prospect research purposes?
  • How many recipients contacted the non-profit to complain about the use of personal data for prospect research purposes?

The results show:

  • Overall 0.0000411% of recipients complained about prospect research
  • Overall 0.00825% of recipients opted out of prospect research

What do these results mean?

As is shown, the number of individuals complaining about prospect research, or requesting to ‘opt out’ of their data being used in prospect research, is infinitesimal.

This data therefore provides an evidence base that can be used to argue that the balancing exercise carried out by non-profit organisations to review individuals’ interests, rights and freedoms was fairly judged because, if it hadn’t been, then presumably the number of individuals complaining about or opting out of prospect research would be significantly higher.

Whilst we do not necessarily feel the results of the project can be used to argue that people ‘reasonably expect’ to be researched, the data can be used to argue that prospect research activities do not appear to have a disproportionate impact on data subjects. The ICO state that

You should avoid using legitimate interests if you are using personal data in ways … you think some people would object [to] if you explained it to them.

This data shows that the rate of objection is negligible which makes the legitimate interests condition an entirely viable option for non-profits.

Of course, one of the limitations of this data is that it is difficult to know how many individuals have actually read the privacy notices that they were sent in various formats (our research shows that, on average, around 30% of individuals who received privacy notices via email clicked to open the email but we have no way of knowing how many people read the copies that were posted to them or that were given to them face to face). However, we do not believe that this invalidates the results. In fact, given the widespread negative publicity afforded to the use of personal data in fundraising by charities and universities over the past few years in the national press, it would be difficult to state that there is a total lack of awareness amongst donors, supporters and alumni of how personal data is used in fundraising. It could be argued that the open rate indicates that, despite negative press reports about wealth screening and research, people trust their chosen charities and universities to use their data responsibly.

Of course, more can be done to ensure donors, supporters and alumni are engaged in matters of data privacy over and above just sending a privacy notice – for example, many organisations are speaking directly with donors about data privacy matters to make sure individuals have a thorough understanding of what happens with their data and to gauge reasonable expectations. That said, each organisation that completed our questionnaire provided a clear privacy notice to data subjects to enable them to exercise their rights (to be informed, to object to the processing, to minimise processing, to access their data etc.) and so they have met the standards of transparency required under the legitimate interests condition, regardless of how many recipients found it necessary to read the privacy notice.

What next?

We would like to continue to add to this evidence base if possible so if your organisation is relying on legitimate interests to process data for prospect research and you would like to share your data on privacy notices, please do contact us at the details below. If we do receive more data on this, we’ll update this blog with fresh results.

We also believe there is more work that can be done to gather wider evidence to support the justification to rely on legitimate interests for prospect research. This includes gathering and disseminating data on the reasonable expectations of supporters (particularly major donors), the purposes of prospect research, how necessary research is to fundraising and the benefits of doing it. There is more to come from us on some of these issues, so keep an eye on the blog – but if you are engaging in any evidence gathering on these matters we’d love to hear from you!

And, last but not least, we’d like to thank the organisations and higher ed institutions that submitted data to us for this project.

If you have any questions about any of the above (or GDPR or research in general) please do get in touch with Nicola Williams, Research Director, at nicolaw@factary.com.

ICO rulings and Database Screenings

The ICO fines for BHF and RSPCA that were announced this week have caused understandable concern for prospect researchers and wider fundraising teams across the sector. This blog post is Factary’s initial response to this news.

The ICO has so far issued two statements about the fines levied (these can be seen here and here). The statements outline that the fines are being issued for various infringements of the Data Protection Act through wealth screening, data appending and data sharing. To be clear, this blog post refers only to the situation with wealth screening, or, as we call it, Database Screening. Data appending and data sharing of bulk data are not services we provide at Factary so we won’t comment on the situation with these fines.

The first thing to mention is that we are expecting more comprehensive information about these fines to be issued on Friday 9th December by the ICO. The full penalty notices will be published on the ICO website and Twitter feed along with details of the enforcement action. Until we have reviewed the full documents it will be difficult to respond properly to this situation. That said, since the Daily Mail broke the story (ahead of the ICO announcement) of the fines on Tuesday 6th, we have received many emails from concerned clients, colleagues and friends worrying about the implication of these fines for non-profits and prospect research, so we wanted to issue a response as soon as possible to answer some of the most pressing questions, some of which are…

Can we still carry out Database Screenings?

It seems that one of the main reasons for the fines levied for ‘wealth screenings’, as explained in the information we have seen from the ICO so far, was because “Donors were not informed of these [Screening] practices, and so were unable to consent or object” to them. The lesson here is not that Screening is unlawful from the ICO’s viewpoint, but that non-profits and Screening service providers need to be open and transparent about what they will use personal data for. This is something that we mentioned in our previous blog on data protection.

The problem still remains, of course, that we feel neither the ICO nor the Fundraising Regulator have been too clear on how this information should be presented to supporters or indeed what information is necessary / sufficient. Hopefully they will do more to educate the sector and provide greater clarity. In the meantime we would expect that the vast majority of non-profits have completed and published, or are working on, improved privacy notices that include information about prospect research so that their supporters are fully aware of what their data is used for. The RiF ‘data protection working group’ will be drawing together samples of these, and this is something Factary will be helping with. We’ll post news on this here on the blog, on our Twitter feed and the RiF committee will also post on their Twitter feed, so keep an eye out.

If you’d like to discuss privacy notices or statements please do email me.

What about previous Screenings?

One of the questions many are asking now is, “When I last undertook a Screening, the non-profit I work for did not have a robust privacy policy in place. Is there a chance that we will be fined, too?” The short answer to this is, of course, that it is entirely possible more fines will be issued. The long answer may have to wait until we have received more information from the ICO on the nature of the fines against BHF and RSPCA in relation to Screening; until we know the full extent of the infringement, it will be difficult to understand the full impact.

Either way, there is very little you can do about previous Screenings; you can really only make sure you are fully prepared and compliant for the next.

What can the sector do?

From our point of view, some of the ICO’s latest statements set a tone which portrays Screening (and prospect research more generally) negatively. The ICO statements said, “The millions of people who give their time and money to benefit good causes…will be upset to discover that charities abused their trust to target them for even more money”. This kind of reporting will no doubt result in harmful press articles (aside from the inevitable articles from the Daily Mail which I won’t reference here) such as those from the BBC and even Third Sector, which have reported negatively that charities are “secretly screening donors” with a “disregard for people’s privacy”.

We feel the general tone used to report on these fines suggests a lack of understanding of what Screening is and why it is used – and, by extension, what prospect research is and what it is for. We should, as a sector, take some responsibility for this as we have not historically been very open in explaining how Screening and prospect research benefit donors and help to improve their relationships with the causes they support. That said, we can’t shoulder all the blame, as many people I have spoken to have found the ICO’s approach to communication on these issues (and when directly speaking at conferences during 2016) to also be quite negative. For example, many of the emails I have received since Tuesday start with, “One of my trustees has read the Daily Mail article…” or, “Our compliance team has seen the ICO report…”, followed by concerned questions about the legality of Screening / research. This highlights that the negative and sometimes misleading reports that are in the public domain are already having a troubling impact on our abilities to carry out the normal functions of prospect research. We understand the genuine reasons for the ICO’s actions, but it serves no purpose to paint a negative image of the sector, who largely do incredible work for people and society.

This means it is up to us to push back on the negativity and educate our supporters, the wider public and even (in some instances) our own colleagues about prospect research. This echoes what was said at the RiF Conference; we need to take ownership of communicating the need, impact and benefits of prospect research through privacy statements, protocol and policies. We need to be positive in our communication and underline the benefits to donors and non-profits of prospect research, and highlight the negative consequences of fundraising without prospect research.

What should we do now?

  • Be clear on why prospect research is vital for fundraising in your organisation
  • Educate trustees (and wider colleagues) if necessary on the need and impact of research
  • Ensure privacy notices are robust and include information on Screening and research
  • Share best practice with colleagues from other non-profits on privacy notices
  • Also, note that when including information on Screening in a privacy notice you’ll need to link to the privacy statements of your chosen Screening company to ensure that the company is also compliant with data protection (as examples, Factary’s is here and Prospecting for Gold’s can be found here)

What happens next?

  • Friday 9 December: The penalty notices will be published on the ICO website along with details of the enforcement action. Hopefully this will give us more of an idea of what the scale of the Screening problem is (in comparison to the data appending and sharing), and exactly what the RSPCA and BHF have been fined for
  • The Institute of Fundraising is likely to respond properly to these fines when the full report has been released; keep an eye on their Twitter feed or the feed of Dan Fluskey, IoF Head of Policy and Research, who has been working with RiF on this issue. He wrote a great piece in fundraising.co.uk about this issue yesterday
  • The ICO is organising “an educational event in partnership with the Charity Commission and the Fundraising Regulator” (no date for this has been announced, presumably early 2017); keep an eye on their announcements for more information on this
  • The ICO will also present an in-depth report in regards to charity fundraising practices to Parliament in 2017; based on the negative stance the ICO has taken on fundraising practices, this has the potential to be damaging and as a sector we need to be ready to respond to this

As ever, if anyone has any questions on this please do not hesitate to contact me at nicolaw@factary.com.

We would also like to take this opportunity to thank many of our colleagues and friends from the sector who have contacted us with messages of support in the past 48 hours – we really appreciate it!