More than 60 large fundraising charities swapped more than 30 million records with each other, some for more than 15 years, using a process now judged unlawful by the Information Commissioner’s Office.
The Reciprocate scheme, administered by a company called Response One, allowed charities to share or swap donor details with one another. Charities did not know the identity of other members.
The scheme has been running since 1998. Press releases sent out by the scheme over several years give varying numbers of members, with some saying it was used by as many as 100 charities. The most recent information, dating back to 2013, saying that it had 60 members.
RSPCA was a member of the scheme for 17 years and shared up to 794,000 records a year. In total the scheme held more than 30 million records, according to the most recent information. The British Heart Foundation also used the scheme.
The ICO said in its recent judgements that the RSPCA and BHF did not provide “adequate information” about how subjects’ data would be used.
Other national fundraising charities involved
Many other national fundraising charities have also been involved in the scheme. Civil Society News understands that not all of them are under investigation by the ICO, although 15 charities have been named as having potentially breached data protection laws, either by the ICO or the Fundraising Standards Board.
Data provided by the Royal Mail in 2011 showed that in a six month period 120 million mailings were sent by charities to donors whose data was provided by other charities.
Data protection experts told Civil Society News that they did not think the scheme had ever been capable of being lawful under the Data Protection Act.
One said that data had to be shared only in a way that donors could have reasonably expected it to be used. He said that since charities did not know who they would be sharing their data with, the use of the data could never be “fair”.
Another said he believed the scheme could theoretically have been lawful if charities had checked with all people whose data they received, to see if they were happy to be marketed to.
“If you’d had a tick box that said ‘we’ll share your data with an unknown number of unknown organisations who’d use it for an unknown purpose’ it might have been lawful,” he said. “That is, if those organisations, once they’d got your data, had contacted you to check that you were happy for them to use it.
“But that’s the point. No one would ever agree to those terms.”