The Information Commissioner’s Response to the Fundraising
Preference Service consultation paper
About the ICO
The ICO’s mission is to uphold information rights in the public interest,
promoting openness by public bodies and data privacy for individuals.
The ICO is the UK’s independent public authority set up to uphold
information rights. We do this by promoting good practice, ruling on
complaints providing information to individuals and organisations and
taking appropriate action where the law is broken.
The ICO enforces and oversees the Freedom of Information Act, the
Environmental Information Regulations, the Data Protection Act and the
Privacy and Electronic Communication Regulations.
Introduction
The ICO welcomes the opportunity to respond to the discussion paper
issued by the Fundraising Regulator on the creation of a Fundraising
Preference Service. We are keen to ensure that any service complies with
the Data Protection Act 1998 (DPA) and the Privacy and Electronic
Communications Regulations 2003 (PECR) in particular.
This response to the discussion document should be read alongside the
ICO Direct Marketing Guide https://ico.org.uk/media/fororganisations/documents/1555/direct-marketing-guidance.pdf along with
other guidance published by the ICO.
The Information Commissioner has previously expressed concerns about
the FPS and the potential for confusion with the statutory Telephone
Preference Service (TPS) and other non-statutory services such as the
Fax Preference Service and Mailing Preference Service (MPS). The Public
Administration and Constitutional Affairs Committee was also not
persuaded of the case for a new fundraising telephone preference
Service, concluding it would duplicate the function of the existing TPS,
and add limitations to the activity of charities that do not exist for any
other sector. It recommended that if a new preference service is to be
30.03.2016 Version 1.0
introduced, the new fundraising regulator should urgently seek to discuss
with the Information Commissioner how the new telephone preference
service can work alongside TPS, without creating conflict and
confusion.
The Information Commissioner agrees that it is important that any new
fundraising preference service does not create further uncertainty in the
charity fundraising sector. The Information Commissioner’s Office stands
ready to help ensure that any proposals clearly align with the existing
statutory requirements of the DPA and PECR and charities are clear on
how to comply and the consequences of not doing so. As a statutory
regulator of PECR the Information Commissioner would not wish to see
confusion or contradiction between the statutory TPS and the provisions
of the DPA on the one hand and the non-statutory Fundraising Preference
Service (FPS) on the other.
Section one: Scope
The ICO Direct Marketing Guide makes clear that direct marketing covers
not only the sale of products and services but also the promotion of aims
and ideals. The FPS document separates fundraising communications
from campaigning, sponsorship, participation and newsletter
communications but all of these would be direct marketing as regulated
by the DPA and PECR. In addition the test for whether a communication
is direct marketing under the DPA and PECR is not whether the
predominant purpose of the communication is not direct marketing but
rather it is whether there is any marketing at all contained therein. Any
communication containing any direct marketing would fall within the remit
of the DPA and PECR even if it would not fall within the scope of the FPS.
This would include trading communications, invitations to take part in
lotteries, messages of thanks and any administrative communication that
also included promotion of the aims and ideals of the charity.
The ICO would have concerns if the definition of the scope of the FPS
seemed to allow for a different interpretation of direct marketing than
that laid out in guidance from the ICO.
Section 11 of the DPA says that an individual is entitled at any time to
require an organisation to cease direct marketing using their personal
data. The Fundraising Regulator will need to consider how it will deal with
applications to join the FPS that may also have the characteristics of a
section 11 request to cease marketing that may be aimed at an individual
charity.
30.03.2016 Version 1.0
While PECR applies only to electronic means of communication (including
telephony) section 11 of the DPA also applies to postal communications
addressed to an individual.
Section two: Channels
PECR applies to SMS in addition to telephone and email and has very
specific provisions around the use of automated calls (robocalls). It would
be helpful if the provisions of the FPS aligned with the provisions of PECR
in this respect to avoid confusion.
In Regulation 2 of PECR the term ‘electronic mail’ is given the following
definition:
““electronic mail” means any text, voice, sound or image message
sent over a public electronic communications network which can be
stored in the network or in the recipient’s terminal equipment until
it is collected by the recipient and includes messages sent using a
short message service;”
This definition would encompass messages on channels such as Snapchat,
Whatsapp and Facebook Messenger and the Fundraising Regulator may
wish to consider whether to adopt the same or a different definition of
electronic mail.
Consent to direct marketing must be freely given, specific and informed
and therefore it is necessary to provide fair processing information about
what will be done with the data. This will have consequences for the
specific example raised in the discussion paper of whether fundraisers
could supplement their existing data with data gained from Twitter,
Facebook or other data sources available to the fundraiser. If data is to
be obtained from elsewhere with the intention of using that extra data to
alter the contact with the individual, the data subject must be provided
with fair processing information related to that extra data processing. If
for example the data subject does not provide their telephone number for
fundraising purposes, it is unlikely to be within their reasonable
expectations that the fundraising entity will obtain this from elsewhere,
for example through a trading arm of a charity.
The TPS applies to individual phone numbers as ‘the subscriber’ registers
and cannot be easily separated out for individuals. So if the subscriber
has registered for TPS it will be difficult to show that because another
member of the household has indicated through their FPS registration
that they are happy to receive calls that this will override the subscriber’s
decision to register with the TPS. This will not be the case for postal
communications or email.
30.03.2016 Version 1.0
Section three: User experience and choice
We would consider that if the FPS provides a further means to opt out of
communications, it would reinforce existing statutory rights under PECR
and the DPA that are regulated by the ICO.
Clarifying that a pre-existing consent notification to an organisation is
valid by naming that charity in a list of organisations permitted to market
an individual may also provide comfort that existing consent is valid.
Using the FPS as a means to opt-in to communications from specific
charities that do not have existing valid consent from an individual may
cause confusion and the ICO would welcome discussions with the
Fundraising Regulator to further clarify this point.
We would not consider that an individual naming charities that they are
happy to hear from would, in itself, be sufficient to provide consent to
that charity to market to them without the charity itself having received
consent from that individual.
For consent to be valid for marketing, listing the charity on the FPS would
also require that charity to have provided fair processing information to
the individual and to have received consent to market through specific
channels.
For this reason we would not welcome a system that passed the details of
individuals listing a charity to those charities as a bulk transfer. It would
be more appropriate if these individuals were simply not marked as
requiring suppression when a charity screened a list against the FPS
database. Charities would therefore not be able to see a difference
between someone not registered on the FPS at all and someone who was
registered but was prepared to allow a pre-existing consent to stand.
The alternative proposal, of providing lists of potential donors to charities
would run the risk of this being interpreted as consent to market that
would not actually exist. We consider clarity to be important in the
context of consent.
If lists were to be provided to charities for direct marketing purposes by
the Fundraising Regulator through the FPS, these lists would be for direct
marketing purposes and the Fundraising Regulator would be acting as a
list broker. The Fundraising Regulator should be aware that any
encouragement to specific individuals to sign up would be direct
marketing by the Fundraising Regulator.
We welcome the signposting function towards the TPS and MPS. The FPS
cannot be used as an opt out from statutory provisions of PECR or the
30.03.2016 Version 1.0
DPA and does not provide a different regulatory regime for the direct
marketing activities of charities. The ICO will continue to enforce the law
and charities should be aware of our direct marketing guidance when
fundraising.
Section four: Duration
An annual reminder could be seen as direct marketing by the Fundraising
Regulator and it should therefore be made clear to registrants at the time
of signing up how their data will be processed by the FPS. This should
include any time limits on registration and the channels through which
reminders will be sent.
Principle 4 of the DPA requires that data be kept up to date as far as is
necessary and we would welcome mechanisms that assisted in ensuring
that the register was accurate and up to date.
Section five: Application
In the event of an exemption from the FPS being made for smaller
charities we would welcome the Fundraising Regulator making clear that
there is no such exemption from the TPS or the requirement to have
consent for electronic communications.
Section six: The FPS as a tool for vulnerable people
We would welcome further discussions with the Fundraising Regulator on
how a vulnerable persons’ register could comply with the DPA.
The data controller for the FPS will require conditions for processing the
data of vulnerable people at a minimum from schedule 2 of the Data
Protection Act but, if sensitive personal data such as health data is
processed, also from schedule 3 of the Act. In almost all cases it will not
be possible to process (which includes holding) the data about the
vulnerable person on the basis of consent from anyone other than the
vulnerable person. An exception to this is more likely if the person adding
someone to the register as a vulnerable person holds a lasting power of
attorney for the vulnerable person.
If a third party is providing personal data to the FPS there will still
generally be a requirement for the data controller to provide fair
processing information to the vulnerable person even if consent is not the
condition for processing the data.
30.03.2016 Version 1.0
Principle 7 of the DPA requires that appropriate technical and
organisational measures be taken to assure the security of data
processed. The appropriate levels of safeguards for data relating to a
register of vulnerable people will be particularly high.
March 2016
30.03.2016 Version 1.0