Two high-profile UK charities have been fined by the Information Commissioner’s Office (ICO) for misuse of personal information.
The Royal Society for the Prevention of Cruelty to Animals (RSPCA) and the British Heart Foundation (BHF) were fined £25,000 ($31,500) and £18,000 ($22,681) respectively for data protection breaches relating to “wealth screening”, data and tele-matching and trading personal details with other charities.
The ICO says that the fines are the outcome of one of a number of investigations into the fundraising practices of charities sparked by media reports of repeated and significant pressure on supporters to contribute:
Donors were not informed of these practices, and so were unable to consent or object.
Information Commissioner Elizabeth Denham shared her thoughts in the ICO’s Twitter feed:
What are these practices?
In its press release, the ICO describes “wealth screening” as employing wealth management companies to …
…analyse the financial status of supporters to estimate how much more money they could be persuaded to give.
The wealth management companies compare information held by the charity – typically including supporters’ names and addresses, dates of birth and the value and date of the last donation – with sources that are openly available to build a bigger picture about the donor that might include income, property values, lifestyle and friendships. Charities also use this to identify donors most likely to leave money in their wills.
Data and tele-matching, on the other hand, is when charities hire companies to fill in information donors chose not to provide using existing data or phone numbers to fill in the gaps.
Charities could then use the additional information, which the donor did not know they had, to contact them for donations.
What the RSPCA did
The ICO press release reveals that, during the investigation, the RSPCA admitted that it had repeatedly wealth screened all seven million of its supporters without their consent. The charity also told the ICO…
…the practice was common, it [the RSPCA] had been doing it since 2010 and it had no plans to stop.
In addition to wealth screening, the investigation also revealed the number of RSPCA donors affected by data and tele-matching since the charity began the practice in 2009. That number, it believes, is likely to exceed one million.
If that were not enough, between 1998 and 2015 the RSPCA disclosed hundreds of thousands of records each year as part of a scheme called Reciprocate that allows charities to share data. The press release reveals that:
…details of RSPCA supporters were shared via the Reciprocate scheme even though they had ticked the box to opt-out.
What the BHF did
The BHF’s behavior wasn’t much different. The charity told the ICO that it had been wealth-screening donors since at least 2009, providing companies with the records of several million people without their consent between April 2010 and August 2014. During the investigation the BHF did, however, tell the ICO that it had no plans to continue screening.
The charity has also been hiring data and tele-matching companies to fill in gaps since 2005. It has provided them with the phone numbers of several hundred thousand people between April 2010 and April 2015, and data belonging to tens of thousands of people in 2013.
And, like the RSPCA, it belonged to the Reciprocate scheme, disclosing more than a million personal records through the scheme between January 2012 and July 2015.
Are the fines enough?
Just because the modern world provides a multitude of new sources of personal information, it doesn’t mean organisations – whether public, private or charitable – have the right to piece that information together and share it without the owner’s consent. It’s clearly a totally unacceptable practice.
Should the fines be higher? The Information Commissioner has said that she has reduced the level of the fines…
taking into account the risk of adding to any distress caused to donors by the charities’ actions.
Reading between the lines, she’s worried about donors’ contributions being used to pay the fines.
Nevertheless, it’s to be hoped that these fines and the tone of the judgment from the ICO send a clear message that will help to stamp out unscrupulous behavior in the sector. After all, the Information Commissioner notes that:
the activities we’ve fined the RSPCA and the British Heart Foundation for today are also being carried out by some other charities.
Let’s hope that they’re not widespread and that her concerns around contributions to good causes having to pay for charities’ bad conduct don’t come to fruition.
6 comments on “Charities hit with fines for sharing donors’ data without consent”
Are the fines enough? The fines are basically coming out of the donors’ pockets, so sure, they’re plenty big. I would think the punishment of losing some donor trust and likely an accompanying reduction in giving will be punishment enough, and even then, the real bearers of that will be the recipients of the charities themselves.
I’d love to see a regulatory framework in which this sort of fine is auditably taken out of the profit of the hit-you-up-for-donation companies that do the fundraising work.
I’d love to see it coming directly from the individual(s) responsible for the poor decision.
From a link on the bottom of your page.
So why the discrepancy in fines?
I wonder why?
ICO fines pregnancy advice charity BPAS £200,000 following data breach
10 Mar 2014
I assume that different parts of the regulatory framework kicked in, perhaps with different schedules of penalties? BPAS leaked medical data about patients that it in fact didn’t even realise it was storing; RPCA et al. made use of data that they would have been allowed to use for marketing if only they hadn’t gone as far as they did. As for which sort of offence ought to be considered worse…I haven’t made my mind up yet.
Not at all surprising. Pre-internet, making a donation to one charity would pretty much ensure the mailbox would soon be filled with solicitations from many others and the telephone would start ringing at all hours. Such intrusions led me to quit donating completely except in cash, giving no personal information, and to having the answering machine answer all calls unless I happened to recognize the calling number.