Very recently, the Information Commissioners Office (ICO) has handed out penalty fines to two well-known charities for secretly screening their donors’ personal information, and then using an external wealth management company to analyse the data to find the most generous donors and work out who would be most likely to give again.
With this effective but illegal method, the charities then used direct marketing communications to ask targeted donors to make more donations. This is, however, a breach, of data protection legislation.
The ICO has fined the Royal Society for the Prevention of Cruelty to Animals £25,000, and the British Heart Foundation £18,000 for the same thing.
The personal information shared included:
- Unique donor reference numbers;
- Full names;
- Addresses;
- Date of last donation;
- Amount of last donation;
- Gift aid status;
- Donation type and method, and if the donor gave quite regularly by setting up a direct debit or if they donated by participating in a raffle fundraiser.
This is all classed as personal information, and according to our Data Protection laws, they must be protected. The ICO investigates situations where this is a suspected breach, and if they find one, like the case here with RSPCA, they have a range of enforcement powers to stop them and prevent it from happening again.
Charities found in breach
Both charities breached Data Protection laws by failing to comply with the legal principles of:
- Processing any data they have in a fair and lawful way;
- Ensuring that personal information is only to be used for a specified and lawful purpose.
The charities typically only have their donors’ personal information in relation to their donations for that purpose only. Donors don’t expect their information to be shared with wealth management companies to be analysed to see which ones are most likely to donate again. The RSPCA was fined for doing this as they did not have permission from their donors.
Since the donors didn’t know this was happening, they couldn’t give their consent to their information being passed around. Without this consent, the RSPCA was breaching their legal duties.
Larger fine for the RSPCA
The RSCPA was given a larger fine because some 15,028 supporters had their information passed along to a third party even though they had actually explicitly selected to ‘opt out’ of their personal information being shared.
Even though the charity may have been doing this to raise money for a good cause, they still have an obligation to protect the personal information they store and use.
The ICO’s action here shows that no one is exempt from data protection laws.
The ICO’s enforcement actions are not only to punish, but also to incentivise companies and organisations to make sure they are always complying with the law. When we hand over our personal information, we give it with trust and confidence, and companies and organisations cannot be allowed to abuse that trust and confidence.