Yesterday’s Fundraising and Regulatory Compliance Conference was certainly not a dull an affair. Hugh Radojev writes that it threw into sharp relief how far apart the ICO and fundraisers are on issues around data protection.
The gilded, neo-Gothic arches and soaring, vaulted ceilings of Manchester Town Hall’s Great Hall lent yesterday’s Fundraising and Regulatory Compliance Conference a sense of epic grandeur that few other venues could have given the relatively dense and dry subject matter.
On paper at least, a day-long conference on the intricate details of data protection held by the ICO, the Fundraising Regulator and the Charity Commission, didn’t look like it was going to be a rollicking good way of spending a Tuesday.
However, spurred on perhaps by the gorgeous surroundings, or by an increasingly obvious sense of confusion and frustration, the 300-odd gathered fundraisers in attendance ensured that the conference would be full of robust and, at times, fractious debate.
The conference was well structured in the sense that every session allowed for sizeable question and answer portions and, despite the best efforts of Sir Martyn Lewis who chaired the opening plenary, the conference’s attendees were given plenty of scope to get their burning questions answered right from the horse’s mouth, so to speak.
It was certainly an eye-opening day for all concerned. To my mind however, it threw up three major issues that need to be resolved.
ICO and fundraisers are miles apart
The biggest issue that yesterday’s conference has thrown up is just how far apart fundraisers and the ICO are on just about every issue where they intersect.
I heard from numerous fundraisers yesterday that the thing they want most from the ICO is “clarity”. In reality though, what they really mean is they want to be told, in no uncertain terms, what they can and cannot do when it comes to processing people’s data.
Or, if one was to be even more cynical, what they can and cannot get away with.
Yet, Elizabeth Denham the Information Commissioner, was very open from the start that her office wouldn’t tell fundraisers how “they can get around” the Data Protection Act. Nor, indeed, would the ICO tell fundraisers “how to design a tick box that lets you off the data protection hook”.
The Data Protection Act is very much a “principles” based law and, ultimately, as a number of staff from the ICO and the Fundraising Regulator made clear throughout the day, it’s up to the data processors themselves (in this case, fundraisers) to make their own decisions about what they should and shouldn’t be doing.
All day it was a vicious circle: Fundraisers were confused and frustrated because they didn’t know what they should and shouldn’t be doing. They asked the ICO for black and white answers. The ICO said they had to make their own decisions. So the fundraisers got even more confused and frustrated.
Rinse and repeat, ad infinitum, all day.
ICO caught off guard by wealth screening
Another issue that emerged is just how much the media scandals of 2015 caught the ICO off-guard, particularly when it came to the issue of wealth screening. Denham herself confessed that the ICO had no idea this was a practice charities used, and that the ICO had been subsequently shocked at the scale and scope of such operations when they began their investigations.
The issue around wealth screening looks set to become an increasingly difficult and uncomfortable one. Major donor fundraisers in particular say that their industry can’t survive without doing it the way they’ve always done it – but the way they’ve always done it runs counter to lawful data processing under the act. It always has in fact, but the ICO is only wading into the issue now, because they now know that it’s being done.
Throughout the day, the ICO retreated to the letter of the Data Protection Act on the issue. It’s not unlawful to conduct wealth screening, but charities have to inform people before they even begin.
The excuse used by fundraisers is that “it’s not practical or pragmatic” to inform prospective donors of wealth screening “at such an early stage of a relationship”.
That is as it may be, but it speaks to a deeper, vastly uncomfortable truth. The fact is, the vast majority of prospective donors are not going to be comfortable in the knowledge this is how charities operate. Particularly not if this is going on after they’ve made, say, a one-off £5 direct debit donation.
To my mind this puts to bed any notion that the ICO had given the fundraising community tacit approval, or even an exemption, in certain areas of lawful data processing in 2010. It's not that the ICO secretly – or otherwise – approved of wealth screening, it's that the ICO never knew it was happening in the first place.
I'm sure fundraisers would debate that with me though.
Airing grievances hurts, not helps, fundraisers' cause
While it was good that fundraisers were keen to engage in such robust debate with the ICO and other regulators, the sessions weren’t always entirely useful.
Most Q&A segments often descended into vitriolic broad-brush statements of injustice from attendees, or were hijacked by other, incredibly specific questions around data processing.
Robust debate is one thing, but this public airing of grievances from so many fundraisers – often met by rounds of applause from delegates – didn’t really paint the sector in a positive light.
This may be one journalist’s humble opinion, but it seems that public grandstanding isn’t going to get the sector around its lawful duties with data.
Nor is it going to particularly ingratiate it with the ICO, who aren’t going away any time soon. While Denham said the ICO wants to "draw a line under and move on" from the investigations related to the media scandals of 2015, looming GDPR legislation, and charities compliance with that, means the ICO will continue to play a part in the sector for years to come.
With yet more guidance on consent due to be published in the coming weeks, and a clear message from the ICO that it doesn't want to have "take the regulatory stick out of the cupboard” at every opportunity, there were plenty of positives to be taken away from yesterday.
However, if you’re a fundraiser waiting for an easy to follow, ICO approved checklist of what you can and cannot do with a person’s data, then I wouldn’t hold your breath.