December 13, 2016, Civil Society UK

Responding to this Daily Mail story about an 87-year-old widower with dementia being inundated by charity appeals and losing more than £35,000 to “the scams,” the UK’s Information Commissioner’s Office (ICO) just fined the Royal Society for the Prevention of Cruelty to Animals (RSPCA) and the British Heart Foundation (the BHF judgment is here) for breaching data protection rules. RSPCA was fined £25,000 and the British Heart Foundation £18,000. They could have each been fined £250,000 for violating the Data Protection Act. Both the RSPCA and BHF are considering whether to challenge the ICO decision.

ICO is continuing its investigation into more than 60 UK nonprofits that have shared more than 30 million donor records without donor consent and in some cases against donor opt-out instructions. The for-profit Response One has administered this “Reciprocate scheme” since 1998. Response One is owned by the St. Ives Group, with offices in the U.S.

The Charity Commission and the Fundraising Regulator subsequently advised UK charities to avoid, unless they have documented donor consent, fundraising practices such as wealth screening, data matching, and tele-matching, to name more of the infractions in addition to donor list sharing or selling. Donor consent is a commendable goal in theory, but which donors would happily opt in to having their personal data shared with or sold to any number of other charities, or to having their personal data such as wealth and contact information gleaned by sophisticated vendor companies? Can any UK charity pass the ICO rules? If not, what is the future of these decades-old fundraising practices in the UK?

Of course, sharing and buying/selling donor files is legal in the U.S. Here is just one vendor with nearly 76 million donors from which you can build your custom mailing list. Did even one of those donors ever have an opportunity to knowingly submit their name and other personal information to be shared or sold? Companies such as WealthEngine and donor management software companies such as Blackbaud offer data screening services to help U.S. charities qualify prospects for appropriate gift levels, identify donors for extra cultivation, and discover small-level donors with the financial capacity to make larger gifts. That is all for the good. But the issue for at least the RSPCA was that this UK charity consistently had their house file of some 7 million donors screened for wealth and data-matching without their donors’ explicit consent. What US charity would be able to pass these ICO rules?

Sensitivity to these issues on display in the UK has long been high in the U.S. Here is Charity Navigator’s Donor Privacy Policy. Here is their extended Privacy Policy. Does your organization even have a Donor Privacy Policy and is it prominently displayed on your website and in print in your direct mail? What new charity scandal like the one involving the widower above could trigger a U.S. state legislature to take a page from the ICO actions?

This story doesn’t just alert us to the laws in the UK; it also cautions us to take note of any changes in state regulations governing charitable organizations, which can happen more frequently and less conspicuously than those at the federal level.

Further, it also highlights the importance in the UK of protecting donor privacy and self-determination. Even though donor research without donor consent is lawful here, what would your response be if a major donor asked to see the file your organization is keeping on her, or asked if she was being subjected to wealth screening services without her knowledge and consent? When you meet with a major donor, do you reveal all you know about the donor’s private holdings, about which you learned through public information sources? If you share or sell your donor list, do you make this, and the implications of such sharing, perfectly clear to your donors? That means not gentle, vague euphemisms, but real words with a clear option to opt out.

This is how the ICO Commissioner, Elizabeth Denham, described her contempt for the practice of wealth screenings and, it would appear by extension, the job description for most donor research professionals and major gift officers in the U.S.:

The millions of people who give their time and money to benefit good causes will be saddened to learn that their generosity wasn’t enough. And they will be upset to discover that charities abused their trust to target them for even more money.

Most U.S. states have comprehensive statutory frameworks that regulate charitable solicitations and other organizational conduct to safeguard the public against fraud and dissimulation. Are you thoroughly familiar with these rules in all the states in which you solicit and/or operate? U.S. nonprofits are obliged to establish and exercise control over all fundraising activities, whether conducted by themselves or by others. Is any commercial fundraiser your organization utilizes properly registered with the state(s) in which they are fundraising on your behalf? Are you sure your vendors are not misrepresenting your organization by word, conduct, or even by failing to acknowledge a material fact such as an option to opt out? The U.S. may not yet be as stringent in some areas as the UK, but the media here are as vigilant as they are there, and headlines screaming about perceived lapses in charitable integrity are how laws get changed.

The ICO is an independent regulatory office, which reports directly to Parliament. It deals with the Data Protection Act, Privacy and Electronic Communications Regulations, and the Freedom of Information Act 2000. The ICO Commissioner is an independent official appointed by the Crown. The UK Courts and the Information Tribunal supervise the ICO. ICO’s mission is to “uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.”

To place into context the punitive actions ICO recently took against the RSPCA and the BHF, and to understand why the ICO’s investigations have only begun and should have something to say to the U.S. nonprofit sector, consider the opening lines of the ICO Commissioner’s address given on December 9th to mark the 250th anniversary of freedom of information (FOI) in the UK.

When the first Freedom of the Press Act was enacted the USA was yet to be born and Canada wasn’t even a twinkle in the eye of a tub of maple syrup. The United Kingdom was only 59 years old; the King was George III, and William Pitt the Elder served as Prime Minister. FOI is getting on a bit but as it changes, evolves and adapts each birthday sees fresh reasons to celebrate the legal basis for openness and transparency.

My aim in the next five years as UK Information Commissioner is to enhance data confidence in the UK. The transparency brought about by FOI is an important part of that mission.

—James Schaffer