Original script may differ from delivered version
Elizabeth Denham's speech at the Fundraising and Regulatory Compliance Conference on 21 February. Jointly organised by the ICO, Charity Commission and Fundraising Regulator, the conference sets out the regulatory requirements and expectations for fundraising bodies and their boards under current and forthcoming data protection legislation.
Thank you Sir Martyn.
And thank you for kindly agreeing to chair this conference.
I want to begin by telling you about my first day at the ICO. After I’d been issued with my security pass and been fully briefed on health and safety, I toured the office.
And as I climbed the stairs to the first floor, I saw this:
The most dangerous phrase in the language is “We’ve always done it this way.” A famous quote attributed to Rear Admiral Grace Hopper that my staff and I see every day.
“We’ve always done it this way.” It’s a phrase that I’ve heard a lot over the last few months when I’ve been speaking to some charities and it’s one that many of you will recognise. Perhaps you’ve even used it yourself.
And it’s a particularly perilous phrase if what you’ve “always done this way” is not follow the law.
That’s what we’re talking about today. Following the law and doing things differently to ensure that.
What you do is crucial to the fabric of British society. Your efforts help fight injustice, protect the vulnerable and enrich the lives of millions of people across this country and, in some cases around the world.
You may not be aware of my own experience in the fundraising sector. For many years back in Canada, I was on the board of Pacific Opera Victoria, one of the country’s leading opera companies. I’ve also sat on the board of the YWCA. And I’ve been a doorstep fundraiser too.
So I am well placed to acknowledge and applaud the contribution you all make.
But part of your job is to make sure the way you raise funds is in line with the law and ensures long-term trust and respect of your supporters and donors.
This conference has been organised as part of my ongoing commitment to help you navigate your way through those data protection rules.
You’ll also be hearing from the Charity Commission and the Fundraising Regulator – we are all here to help organisations like yours get it right. Can I thank Gerald Oppenheim for standing in for Stephen Dunmore today? We all wish Stephen a speedy recovery.
And I’m encouraged to see so many of you here and many more watching our live stream – it speaks to my theory that charities and fundraisers want to get it right.
So what is “it”?
“It” is the law. Specifically the Data Protection Act, passed by Parliament in 1998.
As the Information Commissioner, I’m charged with enforcing this law, upholding the information rights Parliament has given individuals in the UK.
It’s my job to help you work within the law and it’s my job to take action when you don’t.
And whether you’re a charity, a university, a global telecoms company or a local solicitors’ office – the law applies.
This feels like a tough time to be a fundraiser. I’ve spoken to my fellow regulators, to government and to individual charities themselves – I understand this is a time of confusion and flux and, in some cases, frustration.
But what I’m here to tell you is that the Data Protection Act does not stop you from doing your jobs.
It simply obliges you to do it in such a way that respects the fundamental privacy rights of each and every one of your donors, your supporters, and your volunteers.
I won’t tell you how to get around the Act. I won’t tell you how to design a form with a tick box that lets you off the Data Protection hook.
But neither is the ICO the Department of No. I will tell you that getting it right can be done, that it should be done and how it can be done.
In fact, you’ll be hearing later from the Children’s Society and ReThink – charities that are examples of good practice and proof that success can be achieved within the boundaries of the law.
And I know they are not alone in their commitment.
I know that while the fundraising practices we have been dealing with recently were widespread in the sector, they were not universal.
I know that many charities are following the law or have committed to change. Many of you have read the guidance documents published on our website or come to hear us explain the law at numerous conferences and events. More than 2,000 of you have listened to our webinar on fundraising and consent. You are telling us you want to get it right. That’s why you’re here today.
Our work isn’t just about education and compliance. We also have to take action where we find serious breaches of the law.
Over the last 18 months or so my office has undertaken a series of investigations into the fundraising practices of numerous charitable organisations.
Our investigations uncovered serious contraventions of the Data Protection Act – contraventions that undermined the fundamental right to privacy of millions of donors.
Two of those charities – the RSPCA and the British Heart Foundation – received monetary penalties in December. I will be making a final decision on sanctions for another 11 charities over the coming weeks.
But enforcement is not our only tool.
Two ‘best practice’ undertakings were signed by the British Red Cross and Age International, which committed them to compliance over and above the minimum requirements of the law.
We conducted an information risk review with a call centre associated with the allegations. We’ve held compliance and monitoring meetings with some charities and sent advice letters to others where no further action was proposed by my office.
And, of course, we agreed a Memorandum of Understanding with the Charity Commission and the Fundraising Regulator.
I want to be clear – our investigations are now complete. We are not looking at any other charities as part of our investigation into fundraising practices that were sparked by media reports in 2015.
I want to draw a line under these investigations and move forward.
By now, charities and other fundraising organisations should be under no illusion that the activities we investigated – data sharing, data and tele-matching, and wealth screening – breached data protection rules.
You’ll have read the ICO conference paper explaining why these practices contravene the Data Protection Act. Ian Inman and Natasha Longson from the ICO are experts in this area and they will give more detail and answer questions during the ICO workshops this afternoon.
This is an opportunity for you to drill down into the detailed explanation within the paper and question my team on any aspect of the law you want clarity on.
But I’d like to address some of the broader issues now.
The Data Protection Act is a principles-based law. It doesn’t address the legality of particular activities. You won’t find a clause that says wealth screening is against the law, for example. But you will find principles that say data must be processed fairly and lawfully.
Some of the activities that we investigated charities for will never be accepted as being fair. It’s hard to imagine, for example, a circumstance where searching out phone numbers or addresses that have not been shared could be fair.
Wealth screening, at least how we have seen it being done, is not fair either.
Let me be clear. It’s not that the activity is against the law but failing to properly and clearly tell your donors that you’re going to do it, is.
How can people object to their data being processed if they don’t know it is? How can people submit a Subject Access Request for the information a wealth screening company holds about them if they don’t know their information was sent to a wealth screening company?
How can people complain to the ICO if they don’t realise there’s something to complain about?
Ignorance is not bliss.
Even then, there may be circumstances where telling people isn’t enough. In other words, if the processing is unfair, telling people you’re going to do it won’t instantly make it fair.
Fairness applies whether the information is given to you directly by an individual or obtained from other, publicly available sources.
Publicly available information is not fair game. I also know lots of organisations – not just fundraisers – use publicly available information, but just because you’ve always done it that way doesn’t make it right.
Once you’ve collected it, once it’s in your hands, you are obliged to treat it fairly and in line with the Data Protection Act. That means being transparent and telling people what you’re going to use it for, who you will be sharing it with. Where we find this has not happened, we will investigate and we could take action.
Fairness also means that personal information should only be used in a way that people would reasonably expect.
It’s an elemental principle that underpins the Data Protection Act.
People are highly unlikely to expect they will be profiled as a result of making a donation to a charity. And they probably wouldn’t expect you to go and look up their phone number when they’d specifically chosen not to give it. Perhaps some of you may think this is what donors would expect. But that is for the donor to decide.
I will say it again: People have a fundamental right to privacy. Your donors have the right to make choices about how their data is used. And if you don’t tell them, you strip them of their right to object.
We all have the right to say no. But only if we are given the opportunity to speak up in the first place.
Interfering with people’s information is damaging. It takes control away from the individual.
And I think it’s clear that a lot of people feel they’ve lost control of their own data.
People feel that keeping control of their most important information used to be simple - before Google, before Facebook, before smartphones. And that over the years the sense of power they had over their own data has slipped away.
It is within your gift to alleviate that feeling of helplessness people have over what happens to their data.
Ask yourself: What are people expecting us to do with their personal data?
The answer to that question ought to be in a good, clear privacy notice made available at the outset, but it’s also about having people’s trust that you won’t change your mind, do something different or do something new. It’s about building relationships and maintaining them.
So let’s talk about trust.
I’ve addressed this before in a business context, but it applies to charitable organisations too. Because trust is a cornerstone of success. Be they customers or donors, the relationship is the same – you want their loyalty and trust, you want them coming back for more – giving more.
And we know that trust also builds reputation. Both can be easily lost when people discover you haven’t been completely transparent about how you’re using their information.
This conference is aimed at trustees and high level decision-makers. That’s because I believe change comes from the top. Data Protection is a matter for the board room. Farming out aspects of it to the IT department or fundraising arm will not work. You are accountable. You have the power to set the standards for your organisation.
Give people back control of their data and you will be rewarded with their trust and all the benefits that go along with being trusted.
Trusted organisations will thrive, particularly as we move towards a new data protection regime, the General Data Protection Regulation, which comes into force in May next year.
GDPR is coming. And although today, we’re talking about getting data protection right, right now, addressing issues like accountability and shifting your culture to one of commitment to ethical and transparent practices is also the best way to prepare for the future.
The GDPR is new legislation for the UK and the EU and, although you’ll recognise a lot in the GDPR from the current law, this is a game changer for everyone.
The GDPR builds on the previous legislation but provides more protections for individuals, and more privacy obligations for organisations. It brings a more 21st century approach to the processing of personal data.
The GDPR is at root a modernisation of the law. The world has changed a lot since 1995, not only technology, but business models, people’s attitudes to their data, their demand that their information is properly looked after. The law needed to change too.
I said earlier that I thought people were losing control over their data. The GDPR will play a key role in giving back that control. Citizens have stronger rights to be informed about how organisations use their personal data.
Perhaps most relevant in this room, consent will need to be freely given, informed and unambiguous, and organisations will need to be able to prove they have it if they rely on it for processing data. It must be as easy to withdraw consent as it is to give it. A pre-ticked box will not be valid consent.
At the beginning of my presentation, I explained how I wanted to move on from our investigations into fundraising practices.
I hope that by the end of this conference, you all feel better equipped to rise up to the challenge of the regulations in front of you.
I want you to feel informed and empowered and understand that while the ICO is not shy of invoking its regulatory powers, our main aim is to encourage compliance.
To that end, we’ve updated the charity sector pages on our website that will direct you to other more general but useful areas – our GDPR pages, for example, and how to request a free Good Practice audit that will check you’re on the right track as well as highlight areas of improvement.
We’ll also be producing some post-conference products that we hope will help you further.
I’ve talked a lot about change this morning. About playing by the rules even if that makes getting what you want a little bit more complicated.
Can I come back to Grace Hopper? I introduced you to her at the start of my presentation.
She was an exceptional mathematician, a computer science legend and a Rear Admiral in the American Navy. No wonder she was nicknamed Amazing Grace.
But let me tell you a story about Grace Hopper that I hope resonates with you.
At the start of the Second World War, Hopper was told that at 34 she was too old and too short to join the regular navy. So she joined the Naval Reserves. Following her outstanding war-time contribution, she applied again to join the regular navy. Again, her request was denied on the grounds of age.
By the time she finally retired from the Naval Reserve in 1986, she was a Rear Admiral and, at 79, the oldest serving officer in post. She also achieved the highest non-combat decoration awarded by the Department of Defense.
My point is this - Hopper found a way to excel within the boundaries of the rules. When she was excluded from the regular Navy, she didn’t spend her energy trying to change the enlistment rules.
And that’s my closing message to you. You can cling to the belief that we’ve got the law wrong or that it doesn’t apply to your sector or that the regulatory burden is too great.
Or you can commit to positive change. Change that, in my view, is not only achievable but will reap its own rewards.