The Charity Data Protection Bungle
My colleague Katherine has spent most of the first day of September conducting a detailed root cause analysis of the story reported first in the Daily Mail, and then in the Guardian, and on the BBC, and in the Telegraph, and the Express… (you get the picture).
This is not a simple knot to untangle and the whole issue raises a number of disquieting questions. Katherine’s analysis has looked at both UK guidance from the ICO (because this case, and others like it, have occurred in the United Kingdom) as well as the guidance and statements of the Irish Data Protection Commissioner (because we, and a lot of our charity sector clients, are based in Ireland). She has also considered the implications of some of the changes proposed under the draft EU Data Protection Regulation that is currently being debated in Trilogue.
Was it legal?
The ICO has commenced an investigation, and we would not want to prejudge their findings. However, it would appear that at least six of the eight Data Protection Principles may have been breached in this case.
1) Fairly obtained
The alleged root of this incident was 21 years ago in 1994 when the gentleman in question filled out a survey and forgot to tick a box. As the survey in question predates Directive 95/46/EC and the UK Data Protection Act 1998, it serves to highlight the problem of “data decay”, particularly when the rules relating to the obtaining and processing of data may have changed. In the absence of robust data governance controls and data quality checks on the age and lineage of data, organisations risk acquiring data unfairly and for purposes which may not be compatible with the purpose for which the data was originally obtained.
However, the gentleman in this case did voluntarily provide data to a lifestyle marketing company. The question to be resolved is whether there was sufficient transparency in the communication of purposes that he would have understood 21 years ago what would happen with his data. Tied to that is the question of whether the intervening change in legislation may have affected the fairness of the processing in the eyes of the Regulators.
As we move down the chain of data purchasers and processors, it becomes harder to defend the fairness of obtaining of the data, particularly after 21 years.
2) For a Specified and Lawful Purpose
We don’t know the stated purpose for which the data was captured on that survey form in 1994. We do know that there was an option to opt out of data being shared with third parties. However, in 1994 (and indeed today) organisations that harvest data in this manner are not necessarily specific about the types of entity or organisation that data will be shared with, and “sharing” is all too often used euphemistically for “selling”. However, once the Charities obtained the data from the original source, they would have purchased or rented the data for the purposes of conducting fundraising activities. That was their specific purpose. Any selling on or sharing of lists was a secondary purpose, the lawfulness of which we will examine momentarily.
The question of consent needs to be considered here: In the context of the Charities’ fundraising purpose an “opt-in” consent is not required for direct mailings or for calls to landlines, assuming that the Charities in question correctly apply suppressions from the Telephone Preference Service and the Mail Preference Service. So, assuming that the Charities applied appropriate Data Governance checks and balances and excluded landline numbers or addresses that had opted out, no issue arises regarding the lawful processing condition of consent. In the context of this case, we can assume that the phone number being called by charities was a landline (in 1994 mobile phone users were in the minority… but not for long!). Of course, this does not excuse the repeated calling of a number by any charity once the gentleman in this case had opted out. That further evidences a failure of basic Data Governance controls to mark records as opted-out, and to prevent the recycling of old lists.
However, the secondary purpose of selling on or further sharing data that they had obtained for fundraising purposes poses a difficulty for Charities. It may run contrary to the purpose limitation principle in the Data Protection legislation. This is a point on which the UK’s ICO and the Irish DPC seem to differ in their published statements.
The ICO’s Code of Practice on Data Sharing gives the example of how data sharing of this kind can be justified under the “Legitimate Interest of the Data Controller” lawful processing condition in the Data Protection Act 1998 (a similar condition exists in the Irish Data Protection Acts 1988 and 2003). The example they give on page 16 of the Code is of a catalogue company specialising in extreme sports that wants to sell customer names and addresses to a travel agent offering adventure holidays. The ICO’s view is that, as the data is not sensitive personal data and as the use of information in this scenario is “unlikely to prejudice the rights and freedoms or legitimate interests of customers”, the sharing is OK, assuming the data has been fairly obtained in the first place.
It is likely that, when the ICO investigates, Charities will fall back on this lawful processing condition to justify their onward sale and sharing of data. Assuming they can clear the “fair obtaining” hurdle, this means they may have acted within the law.
In Ireland, however, the position is distinctly different, not least because the Irish DPC has previously taken a tougher line with Charities and their use of personal data for fundraising or marketing purposes and has issued guidance to Charities addressing fair obtaining, purpose limitation, and data minimisation, amongst other issues. A key requirement under the Irish guidance is that charities must give people an option to indicate whether or not they want their data used for a new purpose. This differs somewhat from the UK position. The sharing is still permitted, but the preference is for there to be a clear notification to the Data Subject about the new purpose and the option to opt out.
3) Not used for a purpose that is incompatible with the original purpose or purposes
Again, this will pose a difficulty for Charities. The sharing of data with other charities might be considered compatible, just as the sharing of information by a catalogue company to a travel agent with a similar market and compatible products appears to be a compatible purpose in the ICO’s Code of Practice on Data Sharing. However, the onward selling of data to list brokers, commercial marketing organisations, and data aggregators as outlined in the Daily Mail story raises the question of how compatible commercial applications of data are to the original charitable purpose. Would the ICO’s guidance regarding Data Sharing still hold up if the catalogue company was selling its customer lists to a life insurance company to help them target policies at extreme sports enthusiasts?
This highlights a significant issue with the “Legitimate Interests” basis for processing personal data. While it can be used quite justifiably in many circumstances, in the absence of robust data governance controls and appropriate checks and balances, it is all too easy for the legitimacy of a purpose to be stretched to breaking point. This need to ensure that processing is compatible with the original purposes for which the data was obtained might well rebut any “legitimate interests” defence put forward.
Furthermore, it is important to bear in mind that the EU Council of Ministers draft of the Data Protection Regulation proposes expanding the potential scope for the “legitimate interests” processing condition on the basis that it is “good for business” to allow new and novel processing purposes solely on the basis of the “legitimate interests” of an organisation. In short: The Council of Ministers’ draft proposes to make lawful the very type of thing that the Daily Mail, and others, consider so awful.
4) Kept Accurate and Up to Date
The mind boggles at how Charities will be able to stand over the accuracy and “up-to-date-ness” of the data they were processing, particularly when individual charities rang this gentleman hundreds of times, even after being asked to stop. Accuracy and “up-to-date-ness” are data quality characteristics that are affected and effected through effective Data Governance. The apparent recycling of old lead lists with no thought as to the age of the data (or the age of the Data Subject) suggests that such governance was sorely lacking.
5) Adequate, Relevant, Not Excessive
Assessing the adequacy and relevance of data depends, to a greater or lesser extent, on the data lineage and the level of “data decay”. Adequacy means that the data is capable of achieving the outcomes of the purposes to which it is being put. To put it bluntly: if, after hundreds of calls, a Charity isn’t getting any conversion on their fundraising, they should surely have suspected that the lead was not fit for purpose. The constant repetition of calls, even when asked to stop, suggests that Charities lacked any internal business rules or Data Governance controls on the “maximum number of attempts” that would be considered adequate before permanently excluding a contact record from fundraising campaigns.
7) Retain for no longer than is necessary for the purpose for which it was originally obtained
Charities retained the data of this gentleman after he had requested no further contact. For up to 21 years. While there may be reasons to retain some data for donors for up to seven years (for tax and audit purposes), retention of a non-donor on a donor prospect file after they have opted out and after repeated contact attempts have not resulted in a donation betrays a total failure of Data Governance on the part of the Charities.
This sad and sorry case raises a host of potential data protection issues.
One of the key root causes of the financial loss suffered by this gentleman (reportedly £35,000) is the widespread sharing of and selling-on of his data. Sadly, this may turn out to be the most legally defensible aspect of the whole matter as Charities and other organisations will likely argue that they were acting in the “Legitimate Interests” of their organisations and getting either money or access to additional data in exchange for passing on lead lists in their possession. In the absence of appropriate and effective Data Governance controls that assess the lineage of data and assess the compatibility of new purposes with the original purposes for which data will be processed, this kind of issue will continue to arise. This is further compounded by the EU Council of Ministers proposal in their draft of the EU Data Protection Regulation to further widen an already cavernous and vague basis for processing data for new and undisclosed purposes.
And before Daily Mail and Telegraph readers start complaining about the EU causing this kind of mess, the Council of Ministers are the Justice Ministers of each EU member state, and Article 7(f) of Directive 95/46/EC constrains the legitimate interests basis with a balancing test against fundamental rights and freedoms, which means Article 8 of the Charter of Fundamental Rights (Personal Data Privacy), which requires data be processed fairly for specified purposes. In short: if organisations actually complied with EU Data Protection rules instead of trying to ignore them or work around them, things like this might not happen as often.
Which brings us to the question of whether the data was obtained fairly for a specified purpose. In 1994 it might well have been. However, the law has changed: 1995 saw a Directive (95/46/EC), 2009 saw the Charter of Fundamental Rights incorporated into EU Treaties. Good Data Governance practices would suggest that a review of compatibility of processing with the new laws would have been a prudent action to take. It might have raised questions about the lawfulness of selling on data on the basis of purpose limitation, notwithstanding the legitimate interest justification. But good Data Governance requires a clear and binding set of Data Principles. Unfortunately it appears principles were sacrificed in this case to make money off the data of an old man.
It would appear that, despite their reputation as a “light touch Regulator”, the Irish DPC has been more forthright in their imposition of purpose limitation restrictions on organisations. However, we can only assume that those restrictions are being respected in practice. The Irish Charity sector needs to look at the UK and learn lessons. QUICKLY!!