This week we are honored to welcome guest contributor, Ian MacQuillin, founder and director of Rogare, the fundraising think tank at Plymouth University’s Hartsook Centre for Sustainable Philanthropy. As I mentioned a few weeks ago, a serious change threatens to alter the landscape for fundraising and prospect research in the UK. I’m not succumbing to hyperbole when I say that very soon wealth screenings and possibly even prospect research could be greatly curtailed or eliminated altogether. Unless awareness is raised and the momentum shift is altered, the impact on the charity landscape will be devastating. I am grateful that Ian agreed to share not only what’s happening in the UK, but also how these changes could impact us in North America. I hope you will join me in sharing this article socially to help educate our peers. ~Helen
It’s possible that during the course of 2017, using Google to research a potential donor will be declared illegal by Britain’s data protection regulator.
A representative of the Information Commissioner’s Office (ICO) has already intimated at a conference for university fundraisers that doing so is a breach of the UK’s Data Protection Act 1998. He told the rather startled fundraisers that if they read anything on the Internet about a prospective donor though using a search engine, then they should immediately forget about it.
In fact the ICO had been telling various groups of fundraisers throughout 2016 that it was taking a keen interest in their activities, telling them that it intended to take action around the process of wealth screening (though without telling them what that action might be or why they would be taking it).
And sure enough, in December, the ICO announced that it was fining two charities – British Heart Foundation and Royal Society for the Prevention of Cruelty to Animals (RSPCA) – for a combination of sharing data without the subjects’ consents, augmenting the data they held with information gathered from other sources (‘telematching’), and wealth screening.
The first two were fairly cut and dried breaches of the act. And on the face of it, so is the third: charities had been processing subjects’ data in order to identify the appropriate size of donation they ought to ask for without explaining to them that they would use their data for this purpose – a breach of the law.
That on the face of it is a prima facie, strict liability offence. You got caught doing something you’re not allowed to do. End of discussion. However, ICO took the justification for their action against wealth screening further.
The Data Protection Act contains eight data protection principles. The second of these says data should not be processed in a way that is incompatible with the stated purposes for which it was collected.
According to the ICO, this second principle exists so that:
“Organisations are open about their reasons for obtaining personal data, and that what they do with the information is in line with the reasonable expectations of the individuals concerned.” (My emphasis.)
Without a shred of evidence to back up their assertions – delivered in extremely pejorative and unregulatorish language, such as ‘abusing’ people’s generosity – ICO has said that the way charities have been wealth screening goes beyond the ‘reasonable expectations’ of donors who provided their data. (Yet it might well be that people who give to charity do so with the quite reasonable expectation that the charity will use their data to determine what’s an appropriate amount to ask them to donate in the future.)
There doesn’t seem to be any need to resort to the reasonable expectations provision, because the second data protection principle explicitly states that an organisation cannot use data for a purpose it wasn’t explicitly collected for, irrespective of what data subjects’ expectations might be.
So why did ICO add this extra layer of justification?
Why did ICO act? Maybe it’s not as simple as ‘to uphold the law’
Inevitably, charities responded to the ICO’s enforcement action – because if wealth screening is effectively banned in the United Kingdom, the voluntary sector, and more importantly, the beneficiaries of charities’ work, are likely to suffer a serious diminution of the services they currently receive.
- ICO is wrong in law
- ICO has overstepped its regulatory remit
- ICO is inconsistent in treating charities differently to commercial organisations
- ICO has a choice in how it regulates charities and has made a morally wrong choice (this is my argument in a blog I wrote on Critical Fundraising).
The response of the data protection community has been, basically, that charities were in breach of the law so stop complaining and get your house in order.
Whether or not ICO has interpreted the law correctly and whether or not charities were in breach of the Data Protection Act is perhaps the least interesting question here. This is the aspect that supporters of ICO’s action have focused on – the legal facts of the matter.
For me however, the far more interesting question about this affair concerns values rather than facts. The pejorative language used by ICO – “exploiting supporters”, “abused their trust”, exerting “repeated and significant pressure on donors to contribute” – suggests values might well be at play here.
Values again rose to the surface in the comment to another of my blog articles left by one particularly strident critic of the charity sector’s arguments, when he said: “By blaming the Information Commissioner for tackling fundraising culture, the author is making future enforcement much more likely.” (My emphasis.)
In all the debate that followed the ICO’s enforcement action, there were two issues that were conflated, issues that the charity side of the debate has tried to separate but which the data protection side seemed content to see remain conflated.
1) How ought fundraising be done (values)?
2) Having decided how fundraising ought to be done, is it done lawfully and in adherence to codes of practice (facts)?
ICO’s role is to ensure that nonprofits’ use of data protection is compliant with the law (which is a matter of fact). It has no remit, authority, or right to enforce any kind of value about how it thinks fundraising ought to be carried out. That is the ultimate responsibility of the trustees/board of each charity, or a body that is specifically charged with this task – such as the new Fundraising Regulator in the UK.
The suspicion lingers that the motivation behind ICO’s move against wealth screening is because they think this is not the way that charities ought to do fundraising, and so have moved to change the ‘values’ of fundraising culture by regulating beyond the ‘facts’ – in this case, that wealth screening goes beyond peoples’ ‘reasonable expectations’, an exertion that ICO cannot support with factual evidence.
Whether it is right or wrong that charities ‘exploit’ their donors (however you choose to interpret ‘exploit’ in this context) is a very interesting ethical question. But providing they ‘exploit’ their donors in a way that is compliant with the data protection legislation, it is of absolutely no concern to the data protection regulator, acting as a data protection regulator.
What relevance does any of this have for fundraisers in the USA?
The data protections regimes in the US and UK are totally different and seemingly there’s little parallel to be drawn. Sure, any US charities operating in the UK will now need to be much more aware of current and future legislations, for example the EU’s General Data Protection Regulations (GDPR), which come into force in 2018 and so will be part of British law before Brexit. It’s going to be much tougher to do major gift and high net wealth (HNW) fundraising in the UK.
But for organisations based outside of the UK, my understanding is that their data processing must comply with the law of the country in which they are based.
But again – facts, schmacts.
If people outside the UK want to learn from this affair, the question they need to ask is not whether British charities broke data protection laws (facts); it’s how and why the data protection regulator came to the view that fundraisers ought not be permitted to use public domain information to do research about people (which is about values) – and what’s next, ban fundraisers from reading the news?
That’s because ICO’s move appears to be part of a growing trend across the English-speaking world over the last few years to introduce values about how fundraising ought to be done into the regulation of how fundraising actually is done, which is reflected in the media, or is actually driven by the media.
An example of this occurred in the USA last year when the California legislature tried to introduce Assembly Bill 2855 – which would have required all nonprofits to post a direct link on the donations pages to a page on the State’s Attorney General’s website – a law enforcement agency! – that outlined donors’ protections from fraudulent fundraising. It’s inconceivable the state government would have demanded similar provisions on commercial websites. Incidentally, Assembly Bill 2855 failed.
When values are embedded in existing codes of practice and regulation, then that’s not a problem – and, provided they are arrived at through a robust consultation process and not the result of the personal prejudice or intuition of the person or people drawing up those codes, values-driven codes of practice are very desirable.
The problem comes when regulators interpret regulation in such a way as to allow them to impose values that are not already contained in the rules – in other words, they are exceeding their regulatory remit, often by treating charities differently to how they would treat commercial organisations (which is something that fundraisers themselves often uncritically trumpet as a mantra when they say they ought to be ‘held to higher standards than commercial marketers’ – be careful what you wish for).
While the facts of the enforcement against charities’ wealth screening in the UK may not be transferable between countries, cultures and regulatory regimes, the values that underpin that action most certainly are.
Ian MacQuillin is the founder and director of Rogare, the fundraising think tank at Plymouth University’s Hartsook Centre for Sustainable Philanthropy, where he is currently leading on a project to develop a new theory of fundraising ethics. He is a lecturer in fundraising and marketing, and is researching the ideological drivers of stakeholder objections to fundraising for his doctoral study. He also edits the Critical Fundraising blog. Twitter: @IanMacQuillin
For further information on the ICO’s enforcement action, Rogare’s Critical Fundraising blog has collected all ICO’s statements and adjudications and blogs supporting and criticising ICO here.