Charities hit with fines for sharing donors’ data without consent

Two high-profile UK charities have been fined by the Information Commissioner’s Office (ICO) for misuse of personal information.

The Royal Society for the Prevention of Cruelty to Animals (RSPCA) and the British Heart Foundation (BHF) were fined £25,000 ($31,500) and £18,000 ($22,681) respectively for data protection breaches relating to “wealth screening”, data and tele-matching and trading personal details with other charities.

The ICO says that the fines are the outcome of one of a number of investigations into the fundraising practices of charities sparked by media reports of repeated and significant pressure on supporters to contribute:

Donors were not informed of these practices, and so were unable to consent or object.

Information Commissioner Elizabeth Denham shared her thoughts in the ICO’s Twitter feed:

What are these practices?

In its press release, the ICO describes “wealth screening” as employing wealth management companies to …

…analyse the financial status of supporters to estimate how much more money they could be persuaded to give.

The wealth management companies compare information held by the charity – typically including supporters’ names and addresses, dates of birth and the value and date of the last donation – with sources that are openly available to build a bigger picture about the donor that might include income, property values, lifestyle and friendships. Charities also use this to identify donors most likely to leave money in their wills.

Data and tele-matching, on the other hand, is when charities hire companies to fill in information donors chose not to provide using existing data or phone numbers to fill in the gaps.

Charities could then use the additional information, which the donor did not know they had, to contact them for donations.

What the RSPCA did

The ICO press release reveals that, during the investigation, the RSPCA admitted that it had repeatedly wealth screened all seven million of its supporters without their consent. The charity also told the ICO…

…the practice was common, it [the RSPCA] had been doing it since 2010 and it had no plans to stop.

In addition to wealth screening, the investigation also revealed the number of RSPCA donors affected by data and tele-matching since the charity began the practice in 2009. That number, it believes, is likely to exceed one million.

If that were not enough, between 1998 and 2015 the RSPCA disclosed hundreds of thousands of records each year as part of a scheme called Reciprocate that allows charities to share data. The press release reveals that:

…details of RSPCA supporters were shared via the Reciprocate scheme even though they had ticked the box to opt-out.

What the BHF did

The BHF’s behavior wasn’t much different. The charity told the ICO that it had been wealth-screening donors since at least 2009, providing companies with the records of several million people without their consent between April 2010 and August 2014. During the investigation the BHF did, however, tell the ICO that it had no plans to continue screening.

The charity has also been hiring data and tele-matching companies to fill in gaps since 2005. It has provided them with the phone numbers of several hundred thousand people between April 2010 and April 2015, and data belonging to tens of thousands of people in 2013.

And, like the RSPCA, it belonged to the Reciprocate scheme, disclosing more than a million personal records through the scheme between January 2012 and July 2015.

Are the fines enough?

Just because the modern world provides a multitude of new sources of personal information, it doesn’t mean organisations – whether public, private or charitable – have the right to piece that information together and share it without the owner’s consent. It’s clearly a totally unacceptable practice.

Should the fines be higher? The Information Commissioner has said that she has reduced the level of the fines…

taking into account the risk of adding to any distress caused to donors by the charities’ actions.

Reading between the lines, she’s worried about donors’ contributions being used to pay the fines.

Nevertheless, it’s to be hoped that these fines and the tone of the judgment from the ICO send a clear message that will help to stamp out unscrupulous behavior in the sector. After all, the Information Commissioner notes that:

the activities we’ve fined the RSPCA and the British Heart Foundation for today are also being carried out by some other charities.

Let’s hope that they’re not widespread and that her concerns around contributions to good causes having to pay for charities’ bad conduct don’t come to fruition.