ICO Watchdog Needs a Muzzle

Keen to hit the headlines yet again, the Information Commissioner’s Office (ICO) has now enacted its long-heralded fine of 11 major UK charities, after the British Heart Foundation and the RSPCA rolled over last December and paid their fines instead of fighting the obviously dubious ruling. The fines were for using personal data for a purpose which the data subjects had not agreed to, i.e. researching their wealth so they could be targeted efficiently and effectively without wasting the charities’ money by treating everyone the same. Careful targeting of the rich is one of the most cost-effective and appreciated fundraising techniques.

Of course, if you donate to a charity you expect the charity to ask you to give again and to check if you are Bill Gates billionaire or Bill Gates humble pensioner. This is almost exactly why you give your name and address rather than making an anonymous donation. To be technical, the Act says, “Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes”. The ICO itself says, “This requirement (the second data protection principle) aims to ensure that organisations are open about their reasons for obtaining personal data, and that what they do with the information is in line with the reasonable expectations of the individuals concerned.” Which is why you find the word ‘secrecy’ used about the charities’ actions as if they were carrying out some nefarious clandestine operation. So, do you think that justifies fines of £25,000 and £18,000? Or should the ICO have just told the charities to make it clear what they were doing?

A key principle of the act is to avoid “damage and distress” to data subjects. The ICO says, “An individual has a right to object to processing only if it causes unwarranted and substantial damage or distress. If it does, they have the right to require an organisation to stop (or not to begin) the processing in question.”

The ICO says that “The Act does not define what is meant by unwarranted and substantial damage or distress. However, in most cases:

  • substantial damage would be financial loss or physical harm; and
  • substantial distress would be a level of upset, or emotional or mental pain, that goes beyond annoyance or irritation, strong dislike, or a feeling that the processing is morally abhorrent.”

Which is where we get to the “Oh, for pity’s sake” moment when we realise that actually this is a waste of time and money that could be better spent on er, charity?

Among those fined this time round are the Royal British Legion, Oxfam, Cancer Research UK and the Guide Dogs for the Blind Association, which should have given the ICO some cause for concern about whether they were on the right track or just spooked by the Daily Mail. I know whom I would sooner trust with my data.

Information Commissioner, Elizabeth Denham said: “Millions of people will have been affected by these charities’ contravention of the law. They will be upset to learn the way their personal information has been analysed and shared by charities they trusted with their details and their donations.” Really? It has been widely reported that the charities were investigated following media reports of “repeated and significant pressure on supporters to contribute”. Of course, investigating that wasn’t exactly in the ICO’s mandate and their actions smack of bandwagon jumping now it is open season on charities. Even the Charity Commission has weighed in, perhaps looking at the possibility of fining trustees and replenishing their massively depleted income, slashed by Osborne’s austere axe.

Some of the 11 guilty charities were fined for other breaches such as exchanging donor information with other charities and here the ICO says, “It is common for some charities to exchange donor information, through an external organisation, with other charities to get details on prospective donors.” On one hand, if the charities are allowing another charity to mail their supporters (so the other charity physically has their details) I can share the ICO’s concern; but on the other hand, if they are sending out like-minded charity information to their own supporters, with a reciprocal arrangement, then I can have some sympathy with them. Charities soon get feedback on how frequently this is acceptable and the process is mutually beneficial. The donors broaden their knowledge of their area of interest, and it is the most effective way of charities recruiting new supporters. How naïve does the ICO think donors are? This is important because if they expect their information to be used in a certain way when they provide it then surely the charity is secure in acting in that way?

Fines were also levied for updating information and here we get to an interesting dilemma as data controllers are supposed to keep their records up to date. The ICO, however, says, “You have the right to choose what personal information you provide and you don’t have to update your details with a charity if you don’t want to. Charities could use the additional information they uncover, which you do not know they have, to contact you for more money.” Yes, they certainly could and there is nothing wrong in contacting people and asking them for money. It feels like the ICO is assuming that fundraising is a bad thing in itself.

Funnily enough, there are grounds for thinking the ICO has been taken over by Daleks. The Act says that when personal data is no longer required it should be deleted. We all know what delete means – you simply hit the delete button. The ICO, however, harks back to the time when data was held on paper and burnt to delete it, so they say it should be destroyed. The ICO says that the Act, “…does not define ‘delete’ or ‘deletion’ – but a plain English interpretation implies ‘destruction’.” It then goes on for several glorious paragraphs defining what it means by destruction.

You have been warned!

John Baguley, Chair, Group IFC