The Information Commissioner's Office, or 'ICO', has published an updated version of its Direct Marketing Guidance, with new, more focused advice for charity fundraisers. This document concerns how direct marketing (which includes fundraising activities) can be conducted in compliance with the existing Data Protection Act and Privacy & Electronic Communications Regulations.
Partly in response to the recent Daily Mail exposé into charity fundraising, which led to the Etherington Report and ICO investigations into a number of charities, this new version tries to tackle 'high-profile difficulties' some charities encounter in applying the existing law. Charities and not-for-profit organisations can also arguably expect a more interventionist approach by the ICO in respect of a perceived failure by the sector to follow previously applicable guidance. While not changing the law, the new guidelines present charities with an opportunity to review their current practices in light of recent events.
The Guidance makes the following points, among others:
- The definition of '_freely given, specified and informed consent_' means that, when seeking consent for phone, text or email fundraising, organisations should make clear what supporters' details will be used for and obtain specific consent (i.e 'we may hold your details to keep in touch' is not likely to meet the level required).
- Organisations should use 'indirect' consent (e.g for data originally obtained by a third party organisation through market research) 'carefully' as it is best practice to use direct consent in most circumstances. As also illustrated by the recent Optical Express decision, the ICO appears to view 'consent' harvested through third parties with a good deal of scepticism.
- The Guidance clarifies a point about existing donors. Charities should not assume that an individual being an existing donor or supporter means that they have consented to be called, for the purposes of overriding Telephone Preference Service (TPS) registration. Charities can only send campaigning texts and emails, or call TPS registered numbers, with specific, informed consent, as the 'soft opt-in exception' for commercial marketing will not apply.
- Charities should also screen all fundraising call lists against the TPS like all other organisations.
- Organisations should note that the scope of what is regarded as 'a fundraising call' is very wide and basically includes any call where there is some element of promotional message – even if this is not the main point of the call. For example, referring to how donations have been put to work and talking about your organisation's projects can mean that a call which was perhaps assumed to be administrative would be regarded as fundraising.
What can charities do now?
Charities should consider their fundraising policies and practice in the wake of the Direct Marketing Guidance and the new, more interventionist approach to fundraising that we have seen from the ICO in the last year. There are certain steps your charity could take now to bring its practice in line:
- If your charity relies on its supporters' consent to use their data to contact them, review how that consent was obtained and when last contact was made with that supporter. Personal data should not be held indefinitely after a relationship has ceased, or where there has been no contact with a supporter for a long time.
- In particular consider how your members' contact details might have been received from or shared with other charities, and whether it is appropriate to use 'indirect consent' to justify contact with an individual for fundraising purposes. The ICO emphasises that indirect consent obtained more than 6 months ago will generally no longer be regarded as valid.
- The Guidance suggests that best practice will involve obtaining explicit consent from members to each means of communication and marketing. However charities are also encouraged to take a light touch and not 'unduly incentivise' members to give this consent. You should review procedures and consider whether this balance is being struck in your organisation.
The effect of the Digital Economy Bill
The Digital Economy Bill 2016 – 2017, announced in this year's Queen's Speech, will also be relevant to charities' direct marketing practice, as the proposed s77 would place the ICO under a statutory obligation to produce a direct marketing code in the future.
The ICO has always had a general duty under s51 of the DPA to issue codes and guidance to promote 'good practice' under the DPA and PECR and has published a few codes of practice – e.g the subject access code, the data anonymisation code and the current direct marketing guidance. However under s 52 of the DPA the ICO can also be obliged to issue a 'statutory code' which is laid before Parliament. The only statutory code so far explicitly mentioned under the DPA has been one on data sharing.
As it stands in the bill, this new direct marketing code of practice will probably not impose additional legal obligations on charities or other institutions. However experience with the Data Sharing Code suggests that tribunals and courts will be obliged to consider the 'statutory code' if led as evidence in legal proceedings. It could also become more difficult to challenge the views of the ICO outside of court proceedings, expressed and published in the statutory code.
The Digital Economy Bill had its first reading in the House of Commons on 5 July 2016, and a second reading date is yet to be fixed. However, while implementation is not imminent, charities should still be aware of the possibility of a statutory ICO code of practice on direct marketing in the future.