The Fundraising Regulator has warned that 59 charities could be in breach of data protection law for failing to apply suppression requests made via the Fundraising Preference Service (FPS) and has referred the charities to the Information Commissioner’s Office (ICO).
In the past, charities in particular found themselves thrust into the regulatory spotlight after high-profile media campaigns highlighted how people, often vulnerable people, were being unduly targeted, for example in the Olive Cooke case.
In light of this, the rules charities had to adhere to were toughened up and they’ve been moved to change their approach to compliance.
Why have charities been referred?
When a member of the public registers with the FPS on behalf of themselves (or on behalf of someone else) and requests that a charity stop communicating with them, the FPS sends an email to the charity’s nominated contact, which asks them to log into the FPS platform within a 21-day period and act on the request.
The FPS gives the public control over the contact they receive from charities and enables individuals to select charities that they no longer want to receive communications from. Around 8,300 individuals have requested a total of 25,000 suppressions and these opt-outs mean charities must cease direct marketing.
Gerald Oppenheim, chief executive of the Fundraising Regulator, said: “The FPS is an important tool in helping to rebuild trust between members of the public, particularly those who are vulnerable, and the charity sector. Charities that fail to respect requests made by the public to stop unwanted communication risk damaging the good work done by the rest of the sector. Some charities may think they have valid reasons for not accessing the suppression request. Despite this, they are still in breach of the code and possibly in breach of the Data Protection Act, because the request is an individual’s wish to stop receiving direct marketing.”
The Fundraising Regulator has said that it has made ‘repeated attempts’ to contact the charities’ Chief Executives, but requests had been ignored on a number of occasions and now action has been taken.
However, Adrian Beney, a partner at More Partnership, is concerned that the Regulator’s action may, in part, have been a bit heavy-handed: “There is no facility built in to the process by which an individual submits a Fundraising Preference Service (FPS) suppression request, to check that the charity actually does carry out direct marketing, or indeed any fundraising at all. (It would be very hard for the FPS service to do this, but the fact is that not all charities fundraise, relying instead on endowment or other income.)”
Beney continues, “In this case, some (but importantly not all) of the charities named by the Fundraising Regulator are charities that do not carry out any direct marketing. For this reason they may have felt that, despite the fact that someone made a suppression request, registration in order to access that data would be pointless since the charity would never carry out the activity the FPS is designed to suppress. Indeed, it could be argued there would be no lawful ground for processing this data since its processing would have no purpose.”
The requirement for good governance applies to businesses across different sectors and perhaps more so to charities of all sizes, who have arguably been under a higher degree of scrutiny. A lack of resource and funding (in particular, at the smaller charities) can lead to shortfalls in risk management. It’s important to highlight areas of risk and put in place procedures and policies to mitigate these.
What Are the Key Risk Areas for Charities?
- Unsolicited direct marketing where there’s no evidence of valid consent (when not relying on Legitimate Interests as a basis) – including where data comes from third parties or online sources.
- ‘Invisible’ processing – you must notify supporters of all types of processing, including any data appending or wealth screening.
- Handling sensitive data without due care & protection.
- Data security risks, e.g. insecure systems/processes and data transfers.
- Accidental disclosure of data – Training can play a key part in minimising this risk.
- Fundraising activities must be managed carefully – face to face, telemarketing.
- Volunteers who have access to personal data and don’t keep it safe.
This action by the Fundraising Regulator serves as a reminder to charities to ensure their compliance program is regularly monitored and the Data Protection principles are adhered to.
Stephen Eckersley, ICO’s director of investigations, added: “Charities that ignore the Fundraising Preference Service run the real risk of causing distress and offence to people who just don’t want to receive their marketing communications. The ICO has written to these charities to remind them they must act lawfully and responsibly in protecting people’s personal data, and in how they communicate with them.
“Our advice for charities is clear: they must not contact people registered on the FPS and, where we see this happening, we will investigate and take enforcement action where necessary.”
Gemma Johnson, Published 8th March 2019 (updated June 2019)
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.