Data Protection for Fundraisers

Transcription

1 The Charity First Series Data Protection for Fundraisers Lawrence Simanowitz and Mairéad O Reilly

2 The Charity First series aims to provide practical and straightforward guidance on the challenges confronting charity operations today, with fundraising in the spotlight. Its individual subjects range from those concentrating on the UK and Ireland to non-profit issues in the EU and other jurisdictions, from traditional to digital fundraising and from basic help for those just entering the third sector to specialist areas for the more experienced. For further information and orders see This sample consists of brief extracts from one title in the series. 3

3 DATA PROTECTION FOR FUNDRAISERS Lawrence Simanowitz and Mairéad O Reilly 5

4 The publication from which this material is taken was first published electronically in 2012 by Social Partnership Marketing LLP 38 Leconfield Road, London N5 2SN Bates Wells & Braithwaite LLP, London, 2012 Please note that you have bought copyright material. You have the right to save one electronic copy for yourself, to print out one copy, and to show the material if required to colleagues. However, you cannot republish the material beyond that. If you wish to do so, contact the publisher for permission. Full version: ISBN Limit of Liability/Disclaimer. While the publisher and author have used their best efforts in preparing this publication, they make no representations or warranties in respect of the accuracy or completeness of the contents of this publication. If legal advice or other expert assistance is required, the services of a competent professional should be sought. 6

5 CONTENTS Preface. 11 Introduction Overview of Legal Background. 15 What does the Data Protection Act (DPA) do? ~ Who is responsible for enforcing the DPA? ~ What is personal data? ~ What is sensitive personal data? ~ What comes within the definition of processing? ~ What is a data controller? ~ What is a data processor? ~ What are the Data Protection Principles? ~ What does the DPA say about direct marketing?~ The Privacy and Electronic Communications (EC Directive) Regulations Fair Processing. 23 The First and Second Data Protection Principles ~ What are legitimate interests? ~ Consent and personal data ~ Consent and sensitive personal data 3 Fundraising by Post and Telephone. 29 Sending fundraising materials by post ~ Making fundraising telesales calls 4 and SMS Fundraising. 33 Summary of the rules on sending fundraising s and text messages to individuals 7

6 Contents 5 Transferring Personal Data to Suppliers and Other Third Parties (including sending data outside Europe). 37 The key checks that organisations should carry out when sharing personal data of supporters with third parties 6 Data Collection Statements. 43 The use for which individuals data is sought ~ The use of addresses for marketing information ~ Supplying data to other organisations ~ Means of stopping marketing communications ~ What to record ~ Sensitive personal data 7 What Happens if you Breach the DPA or the 2003 Regulations?. 47 Overview ~ Fundraising Standards Board (FRSB) 8 Common Fundraising Questions. 49 How to unlock supporters from historical records ~ Is profiling/major donor fundraising compliant with the DPA? ~ What issues are raised by website cookies? 9 Links to Further Information. 55 9

7 PREFACE The authors of this guide are solicitors at Bates Wells & Braithwaite, one of the leading specialist charity law firms in the UK. This book draws on the authors experience of advising charity clients on the Data Protection Act 1998 since its implementation in In that time we have seen the attitude of charities towards data protection change markedly. Ten years ago data protection was an afterthought for most charities. Today it is, by necessity, often a key issue in the formation of policy and strategy. As fundraisers become more creative and resourceful in the ways that they engage with supporters and donors, it becomes an ever more complex challenge to balance the wishes of fundraisers with legal requirements to protect supporters personal information and contact them appropriately. Fundraisers know that as well as avoiding breaching data protection law, any effective fundraising campaign must not undermine the goodwill attached to a charity s brand. Fundraisers often complain that the law surrounding data collection notices, sharing supporter data, opt-ins and opt-outs is confusing and it is certainly the authors experience that this is an area of law that is widely misunderstood. The aim of this book is to de-mystify the subject, giving a simple introduction to the basics as well as practical advice on issues that commonly arise. We wish you successful (and compliant) fundraising! Acknowledgement Particular thanks are given to Mairéad O Reilly who has written much the greater share of this guide. 11

8 INTRODUCTION Having a sound understanding of data protection law is invaluable to those involved in fundraising for charities and other not-for-profit organisations. This guide offers advice on practical ways of complying with the legal requirements, but also takes into account the objective of many fundraisers to encourage potential supporters to provide information about themselves. The authors have concentrated on the modes of charity fundraising where data protection issues most commonly arise, namely: 1. Postal marketing or junk mail (as it is sometimes pejoratively known); 2. Telemarketing; and 3. and SMS marketing. The contents of this book are, to the authors knowledge, up to date at the time of publication. In coming years the data protection landscape is likely to change with the introduction of the European Commission s proposed Data Protection Regulation. Readers should be aware that this publication constitutes general guidance only and that advice should be taken on specific issues. 13

9 1 OVERVIEW OF LEGAL BACKGROUND This chapter introduces the two key pieces of English legislation that fundraisers should be aware of in this area: the Data Protection Act 1998 ( the DPA ) which sets out key data protection definitions and principles; and the Privacy and Electronic Communications (EC Directive) Regulations 2003 ( the 2003 Regulations ) which impose additional restrictions on marketing by electronic means. What does the DPA do? At the heart of the DPA is the challenge of balancing an individual s right to privacy against an organisation s legitimate use of that individual s personal information. The DPA gives protection to the individual against misuse of his or her personal information. It also enshrines rights such as the right to: be given a copy of most information that relates to him/her (known as the right of subject access); require that inaccurate or misleading information is corrected; prevent processing for marketing purposes or which causes substantial damage or distress; and seek compensation if personal information is being or has been misused. The DPA imposes obligations on those who hold individuals 15

10 Data Protection for Fundraisers information such as charities and other not-for-profits (but not on individuals using it for private domestic purposes). The legislation covers only personal data which is discussed later in this chapter. Who is responsible for enforcing the DPA? The DPA and the 2003 Regulations are enforced by the Information Commissioner s Office ( the ICO ). The ICO is an independent regulatory authority, reporting directly to Parliament. What is personal data? Personal data is data that relates to a living individual who can be identified from that data or from the data and any other information which is in (or is likely to come into) the possession of the data controller. This includes a person s name, address and in some cases simply their address. The ICO has produced guidance following a Court of Appeal case in which the court interpreted personal data narrowly. It held that personal data does not include a passing reference to or a mere mention of an individual where that information is not biographical. As an example of this, if an individual is copied into an , even though their name and address may be visible to all readers that may not tell you anything about the individual. Where that is the case, the information is not biographical and so would not be regarded as personal data. It would therefore fall outside of the scope of data protection law and would not be subject to the rules and rights discussed in this book. In the Durant case the court also held that most data which is held physically (i.e. not on a computer), for instance handwritten notes about a prospective major donor, does not fall within the definition of personal Text of full version continues /... 16

11 About the Authors About the Authors Lawrence Simanowitz is a partner in the charities team at Bates Wells & Braithwaite LLP London. He is particularly noted for his expertise in IP and information law including freedom of information, data protection, privacy and confidentiality. He is on the board of the Fundraising Standards Board, and is the legal author of Data Protection for Voluntary Organisations. Mairéad O Reilly is an associate at Bates Wells & Braithwaite LLP London. She specialises in advising charities and not-for-profits on fundraising, e-commerce and data protection. Mairead has lectured widely on data protection in the context of fundraising, e-marketing, subject access requests, data security and data sharing. Bates Wells & Braithwaite London LLP (BWB) is one of the leading charity and social enterprise law firms in the UK. It has a large team of specialists advising not-for-profits, public authorities, regulatory bodies and commercial and social enterprises on all aspects of data protection and freedom of information law. ( Booklet and identity design by fivefourandahalf. 57

12 The Charity First Series For the full list of titles in the Charity First Series, including titles in preparation, see our publications list. Titles already published include: Fundraising for Small Charities Major Gift Fundraising Prospect Research Legacy Fundraising from Scratch Raising Funds from Grant Makers Structuring Not-for-Profit Operations in the UK Also published by Social Partnership Marketing Invisible Grantmakers - an annual listing of unpublished grantmaking trusts. See for further details. Full version ISBN: