Guest post: Jon Baines is the Chair of the National Association of Data Protection and Freedom Of Information Officers
When the Information Commissioner’s Office (ICO) recently fined 13 charities, including the RSPCA, the British Heart Foundation, the British Legion and the Battersea Dogs and Cats Home, a total of £181,000 for breaches of the Data Protection Act 1998 (DPA), outrage erupted in several forms and from several places.
A lot of the outrage was directed at the ICO themselves, but I’m inclined to think that it was actually a bit of a masterstroke by them – laying down a data protection marker, while reducing the likelihood of a legal challenge. Whether this masterstroke was witting or unwitting is a matter for debate.
The breaches in question were primarily of the DPA principle that processing of personal data be “fair” (broadly, that it should be transparent and not outside people’s range of reasonable expectations).
Some of the outrage caused, then, was from those who thought the fines were much too low (the highest individual one was £25,000, against a maximum limit of £500,000); some, especially from those in the fundraising community, was from those who thought the fines were wrongly imposed altogether; and some was from those (I’m thinking in particular of some regular charitable donors I’ve spoken to) astounded that charities had been screening and profiling them, without their knowledge, to assess their wealth and donor-potential.
It’s important to note that the ICO actually considered the breaches by the various charities to be highly serious ones, of a kind likely to cause substantial distress, and in every case the fine could actually have been many times higher. However, the Commissioner herself (Elizabeth Denham, relatively newly in position) decided to exercise her discretion to reduce the fines, because of “the risk of adding to any distress caused to donors by the charities’ actions” .
Ms Denham clearly has such discretion, and it has been exercised before (for instance in 2011 when her predecessor reduced a potential fine of £200,000 to £1000 because the recipient was a private individual with limited means) but I do not recall an incident where the potential of distress to those effectively funding the data controller reduced the fine: for instance, when local authorities, or NHS bodies, have received large fines, there has not been a suggestion that they should be reduced because of potential further distress to taxpayers, or patients.
So what else lies behind this reduction in the fines?
Fines for breach of the “fairness” principle are relatively novel – normally a fine will result because of failings in security. The DPA says that the processing of personal data should be “fair and lawful”, and although it contains further provisions which provide a gloss on this, ultimately “fairness” is difficult to assess on an objective basis. And if processing is said to have been “unfair”, how does one go on to quantify the likelihood of “substantial distress” occurring as a result? Not easily, is the answer.
I think the ICO made a good effort in these cases, and I think the practices uncovered deserved to result in fines.
Let us not overlook that the charities engaged in behaviour such as
- Using third parties to investigate and assess donors’ and potential donors’ incomes, property values and lifestyle, without informing them
- Using third parties to find missing information about donors (which they might have chosen not to share with the charities) without informing them
- Sharing donors’ data with other charities without explaining which ones, and for what purposes.
And we are talking about millions of affected donors. I think the ICO will now be feeling that they have made an important and prominent statement on the importance of being fair and transparent about how people’s personal data is handled (by charities, but also by other data controllers).
But any recipient of a fine has an automatic right of appeal to an independent tribunal, and on occasions in the past, this tribunal has overturned an ICO fine. Any such appeals are potentially costly and time-consuming, for both sides, and – it stands to reason – the more novel the issue, the more costly and time-consuming an appeal is likely to be.
This is where the ICO masterstroke comes in: the reduction in the amount of the fines (to what are, in reality, relatively small sums) makes the option of an appeal for a charity distinctly unattractive. Put yourself in the position of a trustee – would you be likely to approve potentially expensive litigation, when you could “settle” a case cheaply and quickly by paying the fine? (Even where you might think a point of principle for your future fundraising is at stake).
As I say, maybe the ICO didn’t intend to play this tactical move, but intended or not, it will certainly have lessened the chance of appeals being lodged. This is not to say one or more appeals won’t transpire, but so far, the affected charities, and associated fundraisers have had to resort to the airing their dissatisfaction through their PR departments.