David Ainsworth: Why have charities breached data protection law so badly?

12 Dec 2016 Voices

Last week, the Information Commissioner’s Office handed down an extremely damaging judgement against charities, and more household name organisations are likely to face criticism. David Ainsworth asks how it happened.

Last week, the Information Commissioner’s Office dropped a bombshell. For well over a decade, charities have been unlawfully sharing data with one another and wealth screening agencies. Charities had abused trust and exploited donors.

It was a huge shock. Fines of £25,000 and £18,000 respectively for the RSPCA and the British Heart Foundation do not fully reflect the magnitude of the ICO ruling against them. This is a massive breach of the Data Protection Act, described in colourful terms by the commissioner, Elizabeth Denham.

Nor is this the end of the story. There are likely to be many similar reports. We know that at least 15 charities have faced scrutiny just as a result of newspaper articles. We know that many more used services which the ICO has just declared unlawful.

After two years in which the sector’s reputation has been severely tarnished, another round of damaging headlines is almost certain.

It has to be asked how this happened. How did fundraisers and charities get the law so wrong? How much damage has it done? And what happens next?

How did we get here?

It appears that the charity sector has never really understood the requirements of the Data Protection Act, even though it dates back to 1998. Perhaps the main solace to the sector is that the full implications of it have not been widely understood by other bodies either.

As with many pieces of legislation, understanding about the breadth of its scope and the implications involved has percolated out only gradually, with time. The ICO’s role here is growing massively. In recent years our obsession with data has grown considerably, as more and more of our personal information has fallen into the hands of marketing organisations.

It’s easy to forget how different the world was when the DPA was made law. A good number of people had only recently heard of the internet. Anyone wanting to share a list of names would likely have done so via hardcopy. Or fax.

In the middle of the decade, charity list brokers were openly advertising the ability to buy strangers’ names by the thousand. Over the next few years, the process seems to have exploded. It never seems to have crossed anyone’s mind that it might be against the rules. No one had really expressed the idea that your personal information had a value and should not lightly be given away.

But by 2010, the Institute of Fundraising was thinking seriously about its rules on the use of donor data. A conversation with an ICO official led them to believe – wrongly, I think – that the ICO planned a soft touch regime specifically for charities, and the sector could get away with not paying too much attention. At a point when their guidance should have been tightened, it was loosened.

To be fair to the IoF, they checked their guidance with the ICO, and it was not rejected, which it probably should have been. It left fundraisers feeling they had freedom to take a liberal approach – a belief that doesn’t seem to have been questioned for four or five years. The ICO issued some robust guidance a couple of years later, but no one paid attention to that. Fundraisers were listening to the IoF standards committee, not the ICO.

It was at this point that fundraisers’ use of lists seems to really have exploded. Data collected by the FRSB shows a sixfold rise in complaints from donors between 2009 and 2015. The Fundraising Standards Board was collecting tens of thousands of complaints, which is a massive figure.

All of this suggests the ICO should have spotted the problem and stepped in far earlier. But a data protection consultant who used to work at the ICO tells me that the organisation has historically taken a pretty soft-touch approach to enforcement. Basically it assumed that if no one was complaining, nothing was going wrong.

In fact, the FRSB was harvesting complaints like billy-o. But they weren’t going any further. They weren’t reaching the ICO. Inadvertently the FRSB had become a sin eater for the sector.

The ICO is obviously culpable in this instance. It should have read the FRSB reports and figured out what was going on. But that doesn’t seem to have been the organisational culture. They never went looking for wrongdoing, even if it was really easy to find. Unless the FRSB brought its complaints to the ICO’s door, they meant nothing.

Fundraisers at big charities, meanwhile, were buoyed by this permissive culture, and started trading data faster and faster. The fundraising sector has traditionally been quite isolated, and a bunker mentality seems to have seeped in, driven by ever more improbable demands from trustees, and a clubbable atmosphere in which the profession sets its own rules.

Agencies, regulated by no one, were employed by multiple charities to target the same people, and no one did much to monitor them. The sector was in an arms race, in which those who asked most got most, and the result was that if you were a giver, and a bit lax with your data, you got spammed.

The FRSB itself was keen to take action. It could see that complaints were rising, and it wanted to tighten the Code of Fundraising Practice. That was in the hands of the IoF though, and it was set by fundraisers. They felt the number of complaints was pretty reasonable, and weren’t minded to kill the goose which laid the golden egg. The sector brushed under the carpet a number of reports warning them that their conduct was unacceptable, from various government departments and independent consultants. Their reaction was to shoot the messenger and get back to work. The gravy train was speeding.

Then, one day, Olive Cooke died, and the train came off the tracks.

Regulation by the Daily Mail

FRSB findings later discovered that more than 100 charities were sending direct mail to Olive Cooke and she got anything up to 3,000 mailings a year. Charities may not have killed her, but it is unlikely they made her last years better. At least 24 charities traded her data themselves. Many more procured it from commercial suppliers. None considered whether she had consented to them sharing that information. The sector had been acting unlawfully for a very long time.

The newspapers, smelling a soft underbelly, piled into the story, and wrote exposé after exposé. Suddenly the ICO looked very bad indeed. How had it failed to spot this?

Since then it appears that the ICO has adopted a fairly proactive communications strategy to shift the blame onto the sector. The language of recent reports certainly reads that way.

So perhaps the ICO has been grandstanding, and certainly the Daily Mail has not knowingly underestimated the scope of the situation. But that doesn’t change the root problem. And it’s not regulation or the newspapers.

It is all very well to blame the Daily Mail here, but the truth is that poor practice was easy to find. Charities, as an industry, simply had no knowledge of the proper handling of data and in many cases – perhaps most – no one even knew that what they were doing had been forbidden by law for almost two decades.

When we found out – and for sure, I didn’t really understand it either, before this scandal broke – the sector itself did not react well. The bunker mentality of fundraisers came to the fore, and many charities tried to portray themselves as victims. There was also a lot of talk about the need to protect beneficiaries.

But it ignores the reality of the situation. What charities were doing was against the rules, and the sector got caught, and the result has been new legislation, a new regulator, and at least 15 ICO investigations – possibly many more.

So yes, the sector has been subject to a bit of a legal lynching. But it was one the sector had brought on itself.

The problem is that it’s led to stories not just about fundraising but about all sorts of elements of the sector. Some of the other pieces have also exposed wrongdoing, but most have been fairly thin stuff, playing on prejudices. The charity sector as a whole is now fair game.

What happens now?

The ICO is now onto charities, and that means a massive change in attitude. Charities face a much stricter regime. The telephone and mail preference services are being strictly enforced. The selling of donor data is effectively forbidden. Most charities are likely to be very circumscribed in their use of lists. A lot of data brokers are going to have a thin time of it.

The charity sector itself needs to adopt very different processes and attitudes – ones which are much more focused on long-term relationship building. It also needs to hire a lot of data protection officers, and give them some real powers. This is no bad thing.

There is an alternative, of course: to fight back. Refuse to follow new rules. Organise a PR campaign. Lobby for changes and exemptions. Issue robust counter-statements.

Some of this might be useful, to be honest. The sector’s communication in the face of criticism has been woeful. Perhaps this is because chief executives and trustees have felt unable to adequately defend their positions. But more likely it is because the sector is like the dodo. Charities have never previously needed a defence mechanism, and have never evolved one. Hopefully the sector will be quicker on the uptake than the world’s most famous pigeon.

In any case, while a better communications strategy would not go amiss, it’s not the main answer really. What charities really need is to change fundraising strategy.

This process is already taking place, and fast. But one problem is an old guard – a group of individuals who have used the “pile ’em high” method of fundraising their whole lives. Change will really come when these individuals come to the end of their careers, and cease to throw sand in the wheels. The sooner some are ushered off, the better.

For all the pain the sector’s been through, though, the good news is that negative headlines probably haven’t done much long-term reputational damage. The public are famously obtuse about this sort of thing, and will go back to their historic attitude to charities with only minimal opportunity. Things that seem incredibly important now will probably be utterly forgotten in a year or two. Who remembers the Cup Trust now, for example?

If charities just behave themselves assiduously and follow the law – not much to ask, surely, from those who exist to do good – then gradually, the sector’s reputation will recover.

 
