Best Practice Guidelines for Compliance with the Data Protection Act (1998)

Confidential CPRE Guide for Regional, Branch and District Staff Only

Revised October 2011

“Data is nothing but potential until it becomes information and worth little until it becomes knowledge; and knowledge is worthless until it changes practice; and practice is most valuable when learning takes place and becomes know-how….”

Introduction

The Data Protection Act (1998) is a very important piece of legislation, for it lays down very clear guidelines as to how any organisation must handle electronic and paper-based information on the people it deals with and wants to retain information on (staff, members, supporters, suppliers, volunteers etc.). You should read this brief introduction to the DPA (1998) so you can begin to understand the importance of the law and the reasons why CPRE’s field organisation would benefit from following it.

The information supplied in this brief document is not designed to cause concerns that result in ‘knee-jerk’ reactions to complying with the law as written. In truth, I believe that for once we have some legislation that can actually benefit a charity. This is because the DPA (1998) lays down certain principles that you must follow, and by following these you will have a much better understanding of your members' needs, likes, dislikes etc. Better understanding of the people who support you means that you are better able to develop their support in the future.

In 2002 CPRE undertook an audit of CPRE data handling and data protection compliance status. Whilst we only audited CPRE national office, it was felt that there were a number of key issues that need to be understood by the branch network.

The DPA – Business Decision

All organisations are required to follow the legislation as written. Clearly this will mean some changes to data handling (data is classed as information on living people held in electronic or paper formats).
There is, however, always a need to apply a ‘business decision’ to the way you interpret the act and comply with that interpretation. These guidelines do not set out to instruct you on the business decision you must take in regard to the act. They merely outline the most important sections and definitions and support these with some explanation of the benefits of complying as fully as possible with the legislation.

As with any law, there are penalties where complaints of non-compliance are upheld by the Information Commissioner (the person who is responsible for data protection and freedom of information issues within the UK). Currently the maximum penalty is a fine of up to £400,000.

The business decision and subsequent risk assessment is the responsibility of the Data Protection Officer. In the case of CPRE Branch offices this is likely to be the Branch President who, unless anyone else is specifically named on your data protection registration, would be seen as the person within your organisation who is nominated as having overall responsibility for DPA issues. You must do your level best to implement all the requirements as written, and not live in hope that no complaints are made. In reality, the Act is a fine way of driving forward more robust data handling procedures, which can only benefit any organisation that adopts them.

A short introduction to the Data Protection Act (1998)

The Data Protection Act (1998) replaced the 1984 legislation and was designed to strengthen the laws surrounding the gathering, holding and managing of personal data (personal data is defined as any information on living people wherever they are, be it home or work). Unlike the 1984 legislation, the new act also covers paper-based records, so you can understand why it is important to charities such as CPRE.
The new act tightened up the rules concerning the gathering, holding and managing of personal data in both electronic and paper-based systems and gave the subject (the person whose data you hold) increased rights over what you can or cannot do with the information you hold on them.

The DPA (1998) was developed because the EC wanted to bring all member states into line in terms of data protection and create a ‘data protected’ trading block. This trading block is called the European Economic Area (EEA), and any data held cannot be transferred outside of it without specific guarantees (known as ‘safe-harbour’ agreements) being in place. CPRE currently does not transfer any data outside of these specified areas.

All of us have an impact on CPRE’s compliance status in regard to the DPA (1998). We use data, handle it, create it, manage it, or, in the case of planned communications, drive new contacts to us. It is therefore very important to understand the ways in which we are now required to work with information on our members and supporters (past and present).

More importantly, understanding is the key to good communication. If we know when, how or why someone needs CPRE to communicate with them, and we respond to their needs in the way they prefer, then we can really start to cement our relationships. Why communicate with people who do not want to hear from us? They don’t like it, and the law now says you cannot do it.

Any individual who thinks we hold information on them has full access, under the terms of the act, to all the information we hold on them, so they can use the law to get it. This is why we have to be very organised in the way we gather, handle and manage the data we use. This applies whether we hold 50,000 records on our database, or just 500.

An important point to remember: all of us, as individuals, have protection under the DPA (1998).
This means that some understanding of what your rights are could be useful when you find that companies or organisations have your personal details and you don’t know how they got them. It can be really handy at times, particularly if they phone you in the middle of your tea!

The Eight Data Principles

The DPA is centred on a set of eight data principles. These were designed to give data managers a clear indication of what was expected from them in terms of the way they managed their data. They are:

1. Data is fairly processed
2. Data is used for lawful purposes
3. Data should be relevant and not excessive to purpose
4. Data will be accurate and kept up to date
5. Data should not be held indefinitely
6. The rights of the subject will be respected
7. Data shall be free from unauthorised use and kept secure
8. Data will not be transferred outside of the European Economic Area

It is important that this document gives you, in a bit more detail, a fuller explanation of each of these principles, so you can see how and when they could affect your current data handling operations.

Because CPRE national office holds a central database of all members with all of their mailing preferences logged, most branches and districts will not need to worry about opt-outs, as they receive their data direct from our database. If, however, a branch holds or gathers details of contacts who are not on the national database, then strict adherence to opt-outs must be kept for these contacts.

Principle One – Data is Fairly Processed

This means that you must have the consent of the subject to be on your database or listing. We have already covered part of this issue in the section on DPA declarations. Whilst it is not unlawful to gather information on prospective contacts and hold this on a database or file, you must have consent before continuing to hold the information. This rule is the cause of the most confusion in DPA terms (opt-out versus opt-in).
You must record what consents you have obtained on all your databases

This means that every record should clearly flag the type of consent obtained. A flag should exist against every record to show:

• where you have asked for consent
• where consent has been given
• where consent has been refused
• where no response to the consent question has been received

CPRE national office holds this information. On lists and spreadsheets supplied, the contact will be marked ‘requested no contact’ if they have asked not to receive mail. Other mailing opt-outs are also stored against contacts' records, such as Countryside Voice, Raffle Tickets, Merchandise, Reciprocal mailings (if someone requests not to have their details passed on to third parties), telephone calls, and number of appeals.

Principle Two – Data is used for lawful purposes

We have no doubt that all your data is used for lawful purposes. This rule exists to stop disreputable traders from selling illegal products via direct mail etc.

Principle Three – Data should be relevant and not excessive to purpose

If you gather data on supporters and have not issued a DPA declaration seeking consent, then the subject could consider further approaches as excessive to purpose. Additionally, you must be careful about what information you hold on people. You can only hold data that is relevant to the communication needs of both CPRE and the recipient. This means that apart from full name, address/contact information etc., it is quite legitimate to hold local donation history, volunteer interests and so on. Where the line becomes blurred is if you gather information that is too subjective and personal. If it is not relevant, then you cannot hold it.

Principle Four – Data will be accurate and kept up to date

Clearly this is an issue if your flagging is insufficient to meet the terms of the act. Having a big database is not considered an excuse in terms of the DPA.
It is far better to have a smaller database that is well organised than a large one that continually causes selection problems. The national database is well organised and very efficiently managed. National office has strict controls on external suppliers in terms of their data gathering and the update information they supply to the main database, and the information you receive from national office through listings, movement reports and new member reports is therefore fully DPA compliant.

If you receive information direct from your contacts, such as a change of address, death or resignation, please make the changes and ensure that this is passed on to Supporter Services at national office as soon as possible. Because the national database changes on a daily basis, if you are going to approach your members you must always request labels or a new list as close to your mailing date as possible. You will therefore only be approaching current members and will not be in danger of contravening the DPA.

Principle Five – Data should not be kept indefinitely

Some organisations view this principle as ‘If you don’t use it, you lose it’. Charities have historically had a problem with the long-term storage of data. This rule does not apply to subjects with whom you regularly have a two-way relationship. It is the issue of lapsed donors that it affects. Our professional view as direct marketers is that you “should draw a line in the sand”. By this we mean that you should take a view on data that is beyond an agreed date (e.g. members who have lapsed should be removed from your list or held on a separate list, and members who have resigned or died should be removed immediately when you are notified by national office). This rule really helps an organisation to hold data that is relevant to its needs today.
As national office holds all archived data, you will always be able to retrieve information by asking Supporter Services, so there is no need to keep irrelevant data at branch level.

Principle Six – The rights of the subject will be respected

The new act outlines a number of subject rights. These are as follows:

It is unfair to contact someone who has requested not to be contacted (by informing the Data Protection Officer of that desire). This means that if any person resident on your current database has asked not to be mailed, contacted etc., then you must adhere to their wishes. If someone is marked by national office as having asked not to be contacted, you must not phone or mail them.

It is unfair to contact someone who has registered with the Mail/Telephone/Fax Preference Service. (MPS stands for Mailing Preference Service, TPS stands for Telephone Preference Service and FPS stands for Fax Preference Service.) These three free services allow individuals and business personnel to register their name, telephone, fax or address details and so stop unsolicited communications to them. The MPS and TPS are observed by a voluntary code within the UK marketing sector. TPS is now backed by law. It is for this reason that they were included within the Data Protection Act (1998), and we should be very careful to observe these additional subject rights. What all of this means is that you cannot necessarily write to someone before checking if they are listed on any of these services. If they have given you consent, however, then there is no problem, because you are doing what they want you to do. When someone joins CPRE they are giving consent to be contacted unless stated otherwise, so this only affects you if you are writing to or calling ‘cold’ contacts.

It is unfair to contact someone whose name was unfairly obtained via a third party list.
If you obtain data from any third party (list brokers, other organisations or individuals etc.), it must be accompanied by a clear declaration that the records supplied have full consent for their issue to you (CPRE). If you were to mail, telephone or canvass a contact without their consent (even though it was not your originated data), you are considered liable under the DPA regulations.

You must record where you got third party records from, and with what consents

This applies to the use of third-party lists. Alongside the standard source for your new contacts, you must have full consent flagging (see above).

You must record who you sent records to and where you sent them

You must show against each record the name of the person you sent that record to (be that in electronic or hard copy format) and their location. The same rules apply if you send the data to an external organisation. Keep a log of who has a copy of your lists or data, and ensure that they have signed a DPA Agreement. This is very important at branch and district level, where data may be kept in more than one place, on paper or on personal computers or laptops, and at the homes or offices of volunteers.

Principle Seven – Data shall be free from unauthorised use and kept secure

Data is your most valuable asset and should be secure. This means not only creating transfer protocols for electronic data (e.g. password protection), but also taking special care to ensure that sensitive paper-based records and files are securely locked away in cabinets or other lockable devices.

This is also an important principle to comply with for your desktop systems. You must ensure that all desktop computers that hold or view data have a secure password screensaver in place. This will ensure that any staff working on sensitive or DPA-regulated data can be assured that, when they are away from their desk, other non-authorised staff cannot access the information viewable on their screens.
Principle Eight – Data will not be transferred outside of the EEA

This principle does not affect CPRE as far as we can see. It mainly exists to control the flow of information to countries such as the USA where there are no real DP regulations. Other countries have signed up to ‘safe harbour’ agreements. This means that they have some form of regulation in place and may be considered adequate protectors of personal data. Whilst this list of countries contains Australia, Canada, Hong Kong and Japan, it also includes Guernsey, Jersey and the Isle of Man (these areas are not covered under the UK act).

This is an important rule for CPRE if you are ever going to set up offices overseas and transmit data to them from the UK for any purpose, including analysis. For example, it would not be possible under the current DPA regulations to transmit information to New York, as there is no ‘safe harbour’ agreement in place with the US at present.

Other Subject Rights

Apart from the rules stated in the previous section, the subject has other rights that they can exercise. These are as follows:

• The subject has the right of access to data held
• The subject has the right to know the purpose for which it is held
• The subject has the right to know which third parties now have their details

These three rights are most important and are one of the main reasons why you must be able to link all your databases, or move to one common database platform for the whole organisation. National office holds all data on the Visual ALMS database, and your lists, spreadsheets and labels all come from this source. It is important to update your records as soon as you receive updates from national office.

What all of this means is: any person who receives a communication from CPRE, or who believes that their details are held on your systems, has the right to know all the information you hold on them, why you are holding it and where you may have sent it.
They could be a lapsed donor, someone who has been told by a third party that you hold details on them or, more simply, someone who guesses you might have their details because they get mailings from other charities.

The subject has the right to a hard copy of all relevant data on them

This means that if they write to the Data Protection Officer (or in truth, to anywhere else within the organisation) asking for the information you hold, you have to provide full details in hard copy format. You can charge up to £10 for supplying these details and you have 40 days in which to supply them. If you do not supply the details within the 40 days, the subject has the right to take out a Court Order to enforce their request. If a subject telephones asking for the details, you have the right to ask them to put their request in writing before you disclose the details you hold.

The subject has the right to prevent processing where processing is likely to cause substantial distress or damage

Suppose a widow or widower writes to you asking that their deceased partner receive no future mailings. There are successful cases where failure to comply, or failure to manage the suppression of a deceased flag, has led to compensation being paid to distressed parties who could prove that their wishes were not adhered to. If such a request is received, you have 21 days to comply (respond and suppress). This is another good reason for tracking protocols on your database, and why you must keep your records updated regularly from the reports sent by Supporter Services at national office. You must also use the mailing label facilities supplied by national office rather than use your own lists to produce labels for your members, as the national database is updated daily whereas yours is likely to be updated only after each monthly movement report.

The subject has the right to rectify, erase or destroy inaccurate data

Data is considered inaccurate if it is incorrect or misleading.
If any subject asks you to get their details correct, you must do so. This means being able to identify every database on which their details are held and ensure that the correct details are listed.

The subject has the right to sue for damage/distress caused

What constitutes damage or distress is up to the individual to determine and prove. As shown in the example above, an individual could claim distress if their deceased partner continued to receive mailings. We have examples of distress claims that have been successful and would be happy to discuss these with you.

The subject has the right to request the Information Commissioner to investigate breaches

This is the ‘worst case’ scenario. If an individual feels that their requests are not being met, then they can ask for a formal investigation into your data processes. If this were to happen, then you could find that your database operations were suspended until the investigation team were satisfied. This could be very disruptive to supporter and member mailing programmes. Additionally, if breaches are seen to have been committed, then you could be subject to a fine, compensation to the injured party or censure.

DPA declarations

Principle One states that data must be fairly processed. This means that you must have the consent of the data subject to hold their details. All your communications must therefore carry a clear DPA declaration, plus an opportunity for the recipient to indicate what their consent is. Most commonly, this is a simple tick box where recipients can indicate if they do not want to receive any further communications from CPRE. This is called an ‘opt-out’ declaration, and is printed on all membership forms produced from 2001 onwards. You must include this on all leaflets you produce locally. If the recipient ticks the ‘opt-out’ box and returns the form it is printed on (usually the mailing letter/leaflet etc.), then we cannot mail them again.
We must enter their consent status onto the database to ensure they are not selected for any more communications. If the recipient does not tick the box and sends back the form, or does not respond at all, we can continue to mail them (for in the case of no response, it is considered that the recipient has not told us we can’t send communications to them). If we are contacting members, supporters or prospects by telephone and we gather information, we should also make a verbal DPA declaration (any subsequent written communication will contain an ‘opt-out’ declaration for the recipient to consider).

It is very important to understand the ‘opt-out’ rule and the reasons why all our communications must carry a DPA declaration.

Remember: when we are dealing with information on minors (under 16s) we apply an ‘opt-in’ ruling. This means that we must have the permission of the parent/guardian to hold information on minors.

The ‘Opt-Out’ versus ‘Opt-In’ debate

One of the most hotly contested arguments surrounding the new legislation is the interpretation of Data Principle One – Data should be fairly processed. The Direct Marketing Association in the UK has tried to establish a line in terms of compliance with this rule through ‘Opt-out’. Many organisations, however, have opted for legal, as opposed to marketing, advice on this issue and found, as a result, that their degree of flexibility has been greatly reduced.

Does consent mean that you must have a positive indication from the subject that you can hold their data? If this were the case, then we should all follow an ‘Opt-in’ policy and only hold details where positive consent has been given. This would mean that, for those subjects who do not say either yes or no, we could not view their silence as consent. This would not be the most positive way to develop our supporter base, as we know that not everyone would complete an ‘Opt-in’ form, particularly if they were not responding by making a donation.
I take this important issue very seriously and made a number of representations to the Information Commissioner (IC) in an attempt to get a positive ruling. This was not forthcoming (for reasons we could not fully appreciate), so we created a rationale for continuing with ‘Opt-out’. This was cleared by our own legal advisors, as well as by the Deputy Information Commissioner who has responsibility for legal issues surrounding the DPA (1998). Our view is as follows:

The DPA (1998) does state that you must have consent to hold personal details on the subject. The act does not, however, define the word consent (as it relates to the act). In our view, the issuing of a clear and unequivocal statement, along with a clear ‘Opt-out’ statement for the subject to complete, should be sufficient to abide by the regulations. If all communications carried a standard, clear DPA statement, then it would achieve compliance for the following reasons:

• All subjects would have an opportunity to ‘Opt-out’ from being communicated with.
• Any subject who donated, or entered into positive communication with an organisation (e.g. a Gift Aid declaration or setting up a Direct Debit), whilst not ‘Opting-out’, could be considered to have given implied consent for the holding of their details.
• The express wish of any subject who did ‘Opt-out’ could be followed and a clear record kept of their request.
• Any subject who did not respond at all could not easily challenge the holding of their details, as they had not taken a clear opportunity to ask for communications to cease.

This will only work, however, if a clear statement is given at every opportunity. In our view, any statement should quote the Data Protection Act (1998), as well as making a passing reference to the Human Rights Act (article 8 – the right to privacy).
Whilst all this sounds overly complicated, it can be written very simply and clearly and should, if used correctly, supply the organisation with a defensible position.

Until a positive ruling on this issue is given, we believe that it is most advisable to continue with ‘Opt-out’, but ensure that a clear DPA (1998) statement is always issued. In this way you have the opportunity to develop that data where no committed relationships have yet been formed. All charities need to have the maximum opportunity to develop the data they hold. The consent issue in the DPA (1998) has brought the managing of data to the fore, but more importantly, has given all organisations the ability to review their communications and build new and meaningful long-term relationships with prospects, suspects and, of course, committed supporters.

Once you have decided the declaration route you want to take, you should plan to implement it across the whole organisation. You must also use the same DPA declaration when canvassing callers on the telephone (donor development etc.). This should be part of any call handler script. CPRE’s preferred text is as follows:

CPRE holds and manages data in strict accordance with the Data Protection Act (1998). Occasionally other organisations with beliefs sympathetic to our own ask to write to our supporters. If you would prefer NOT to hear from them, please tick this box □

We would like to keep you informed of our future activities, but if you would prefer NOT to receive future communications please tick this box □

Electronic mail marketing

Please note that with email communications the industry standard is to use opt-in only, so the most important thing to remember is that you can only carry out unsolicited electronic marketing if the person you're targeting has given you their permission. However, there is an exception to this rule.
Known as the ‘soft opt-in’, it applies if the following conditions are met:

• where you've obtained a person's details in the course of a sale or negotiations for a sale of a product or service;
• where the messages are only marketing similar products or services;
• and where the person is given a simple opportunity to refuse marketing when their details are collected, and if they don't opt out at this point, are given a simple way to do so in future messages.

When you send an electronic marketing message, you must tell the recipient who you are and provide a valid contact address. The rules on emails don't apply to emails sent to organisations, though you must still identify yourself and provide an address.

In summary, we recommend that your marketing campaigns are always permission-based and that you explain clearly what a person's details will be used for. Provide a simple way for them to opt out of marketing messages and have a system in place for dealing with complaints.

Branches

CPRE’s branches are separate registered charities. The issue of membership data supplied to the field has been discussed and our advice is to view the sharing of essential membership data with the field organisation as ‘non-sharing’. This is because the member supplying CPRE with their details is joining both nationally and locally and would therefore assume that CPRE national office and the branch are one organisation.

Information on Minors

As stated previously, if you are writing to, or gathering information from, minors (16 and under), then you must have the consent of the parent/guardian in order to hold the information. This information is often picked up during a sponsored event, although you do have family memberships and there is the chance that data may be offered. We advise that you do not hold any information on minors where you do not have the written consent of the parent/guardian.
This means that any communication that is likely to attract the details of a minor (a fundraising event, CPRE campaign etc.) must have the following wording (or something similar):

If you are aged 16 or under, then we must have the permission of your parent/guardian to hold your details on our systems. Ask them if this is okay and get them to sign the bottom of this form and send it back to us. In this way, we will be able to keep you informed about CPRE and the other ways you may be able to help us.

Signed………………………………Parent/Guardian

Personnel

Data held on staff members is now subject to the same regulations as all other data. Individuals have access rights to data held. The way in which job application data is held, and the CPRE policy for handling application data from unsuccessful applicants, is sound and within DPA regulation interpretation.

Security of Paper Records

Hard copy information must be held securely. In the case of banking details, held by CPRE or any other agent, these must be kept locked away, yet easily accessible. The same principles apply to any CPRE department who hold paper records on their supporters, contacts etc. These can include bank details, contact information and so on.

Whilst any organisation likes to be able to vouch for the trustworthiness of its employees, there is always the issue of visitors or outside contractors who may, from time to time, have free access to the offices. If you are going to hold sensitive information on supporters, even if it is locked away, you must develop clear access rights on who is going to handle it. You must have a privacy/confidentiality agreement with all staff, permanent or temporary, who handle sensitive information. We know that you hold information that is sensitive (celebrity donors for example), so you need to ensure that all staff who can observe, amend or handle that information have some form of confidentiality agreement in place.
The same principles apply to external agencies. You should have written confidentiality agreements in place with any suppliers you choose to use. This means that if you send your membership list to a mailing house to laser envelopes for your newsletter, you must have a signed confidentiality agreement from them.

Events

All events materials must have a comprehensive DPA declaration. This should include an opportunity to gather consent from the parent/guardian of minors (16 years old or younger).

Member Information

The data held within this area has major financial intelligence about members, supporters and donors. If you are capturing data at branch or district level or starting a donor programme, you should use a strong set of data capture protocols, and have secure areas in which to hold important and sensitive banking information. If we consider what sorts of information we could hold on members or supporters, then we may end up with a list that looks something like this:

• Donation Totals
• Direct Debit Forms
• Gift Aid Forms
• Standing Order Forms
• Bank Statements
• Publication Purchases
• High Profile Donors/Supporters
• High Value Donors

You must create a secure area (e.g. lockable cabinets and password protected databases) for the holding of important and essential financial information on supporters. This is particularly important if you are holding bank information along with personal information. If you are, then to hold this insecurely is in direct contravention of the DPA (1998) and must be addressed.

Conclusion

In reality you do have some issues to consider. The most important thing to achieve is the ability to view and understand all supporter or contact records in one place, easily and efficiently. I hope that these few points will summarise effectively the contents of this document:

1. You must have robust data handling operations for member details. Holding sensitive data insecurely is an issue that has to be taken very seriously.
2. You should adopt a clear DPA (1998) declaration policy on all communications.
3. You must ensure that you have consent from the parent/guardian before holding any data on your system for minors (persons 16 years of age and under).
4. Any staff who handle, manage or view data should sign a confidentiality agreement.
5. We suggest that you should keep only one database that is regularly updated, to avoid mistakes such as mailing deceased or resigned members, and that you should request fully updated lists or labels from national office as close to the communication date as possible.
6. We suggest that you should ensure you get a privacy statement added to any email communications you send (CPRE national office has one and you could simply follow the same wording).
7. We would suggest that you have robust consent gathering procedures.
8. We would recommend the creation of a set of standard data handling protocols. These would help in creating a robust data-handling platform that all staff could adhere to. It would also act to reinforce the CPRE Branch approach to the DPA and all data intelligence gathering.

If you would like any more information, please contact the Data Protection Officer at CPRE (currently Adrian Mitchell) or the Supporter Services team on 020 7981 2870.