A little while ago, I noticed an interesting story on the website of the Fundraising Regulator. They reported a case where a woman had applied for a job with a charity and subsequently, she started to receive marketing from them. She asked for her details to be removed from their donor list, and the request was ignored. The story was still there when they reworked their website recently, but it now appears to have vanished.
This is a breach of Data Protection and (potentially) PECR – the charity would not have informed the person that their data was being used for marketing which is a breach of the first DP principle, they breached the second principle by re-using the data for an incompatible purpose. By ignoring her request for the marketing to stop, they breached her rights under Section 11 of the old DPA and if they sent emails, they breached PECR as well.
Given that this is a quite a serious breach of DP fundamentals, you might think that the Fundraising Regulator isn’t really the right person to deal with it. Although direct marketing forms part of the Code of Fundraising Practice, the proper regulator for both DP and PECR is the Information Commissioner. For both possible breaches, the issue of fundraising is probably the least important aspect – a charity that misuses personal data in such a profound way should be investigated by the Information Commissioner, not a non-statutory body with a relatively narrow focus.
I asked the Fundraising Regulator whether they had passed the complaint to the Information Commissioner’s Office. After a little while, I received a reply from a senior officer asking why I wanted to know. I said that I thought this was a relatively serious breach of data protection, and I wanted to know whether it had been shared with the right people. Shortly after that, I received a reply saying that they couldn’t tell me. This is an anonymised case study – the description of the case did not name the charity, or give any identifying information about the donor. The Fundraising Regulator has already decided to use the story to promote their work, and so asking whether they have shared it with the appropriate regulator (a question that has a Yes / No answer) seems entirely reasonable to me. I pushed a little, and apparently my request went up to Gerald Oppenheim, the FR’s eminently sensible Chief Executive. He also said no.
So I made an FOI request to the ICO, asking for the number of complaints the Fundraising Regulator has passed on to them, and a summary of each complaint. The ICO replied, saying that 100 complaints have been passed from the FR, and in response to my request for a summary of each complaint, they gave me whatever this is:
“Charities who have failed to on-board onto the Fundraising Preference Service (FPS) portal despite receiving a request to stop communications from a member of the public.”
Weirdly they claimed that “We do not hold information in regard to the details of each complaint” but in reply to my question about what action they have taken as a result of these complaints, the answer was: “No further action, logged for future intelligence purposes”. This means that they don’t hold any information about complaints that they have logged for future intelligence purposes.
Leaving that aside, the ICO’s response doesn’t suggest that the complaint I am interested in was shared, and so I am going out on a limb to say that I think the reason that the Fundraising Regulator didn’t want to tell me whether they had shared the complaint is because they hadn’t and didn’t want to admit it.
Why does this matter? The Fundraising Regulator’s predecessor, the Fundraising Standards Board, was an inherent part of the Data Protection problems in the charity sector that exploded spectacularly with stories in the Daily Mail. Thousands of complaints were soaked up by the FRSB and never passed on, meaning that the ICO was largely unaware of marketing problems in the sector. The last thing that the FR should be doing is sitting on serious data protection issues in the same way. The ICO and the FR have signed a memorandum of understanding agreeing to share information to assist each other in carrying out their functions, and so there is a clear gateway for the FR to inform the Commissioner of complaints like this.
The problem is, I only know about this complaint because the FR was incautious enough to try to get some PR out of it. Who knows how many more complaints they have dealt with that reveal genuine data protection problems – it may be an isolated case, or there may be loads of them. The organisation’s refusal to be open about the fate of this case means it’s unlikely they’d be forthcoming if it wasn’t a one-off. The FR’s role in operating a glorified opt-out service which is arguably not really required has already attracted some justifiable criticism from the charity sector, but this issue also deserves scrutiny.
Charities have had a torrid time over the way in which some of them handled personal data – as unpopular as this will make me (again), I think much of the flack was deserved. But it isn’t helping the sector for cases like this to be buried – bad practice should be rooted out publicly and by the right people, so all can learn by example. I can’t make Freedom of Information requests to the Fundraising Regulator because they’re not covered, and given the track record of the FRSB, being told rather haughtily that “it is for our organisation and the ICO to discuss and agree what issues we should and shouldn’t be investigating” doesn’t fill me with very much confidence that the right lessons have been learned. The Fundraising Regulator should be transparent about what cases are passing through their doors, which get passed on, and which don’t. Otherwise, perhaps the Mail should start digging again.