In 2016 we have seen the ‘birth’ of several new things: GDPR, the Snoopers’ Charter, an EU without the UK, a United States of America with the most controversial leader for a generation, and something called ‘post-truth’.
The Oxford English Dictionary defines post-truth as an adjective ‘relating to or denoting circumstances in which objective facts are less influential in shaping public opinion than appeals to emotion and personal belief’. It appears this won the OED’s word of the year for 2016 because of the effect it had over the EU referendum in the UK and indeed the presidential election in the US. But are we seeing something similar occurring in the field of privacy regulation?
On the 6th December, the Information Commissioner’s Office, under its new leader Elizabeth Denham, announced that it was fining 2 charities (British Heart Foundation & RSPCA) for widespread disregard for people’s privacy. Their list of offences included:
- Wealth screening without consent including data sharing (with wealth companies) without consent.
- Data sharing with tele-matching companies (an undetermined number of records shared) without consent
- Data sharing amongst themselves without consent
This came about as a result of a programme of work the ICO has been undertaking into the Charity Sector. The results include the above, but also a special area and resources on the ICO website outlining the illegal practices that charities may have been undertaking and what citizens can do to protect themselves.
These aren’t the first entities in the Charity sector to show a distinct lack of DPA / Privacy compliance. According to the ICO website, the following actions have been taken since December 2015:
- Dec 2015 – UCAS fails to provide a suitable level of assurance that it has appropriately addressed the actions agreed in its undertaking signed April 2015 regarding its collection and management of notices and consents, data sharing and marketing.
- Jan 2016 – Alzheimer’s Society demonstrated serious failings in the way volunteers were handling sensitive personal data in various areas from security to access and email communication.
- Feb 2016 – British Red Cross signed an undertaking to commit to best practice on the management of their marketing consents after failings were found.
- Mar 2016 – Anxiety UK had a follow-up visit after various areas of low assurance were found.
- Mar 2016 – Age International signed an undertaking to comply with privacy and marketing regulations after it was found not to be complying with them.
As someone pointed out to me lately, this is by no means damning evidence that all charities are bucking the rules (deliberately or otherwise) but the whole issue does seem to be sparking emotion against ‘experts’ (amongst others).
Daniel Fluskey, head of policy and research at the Institute of Fundraising, tweets that the ICO’s comments on the RSPCA and the British Heart Foundation are ‘(mis)leading’. He (and others) have gone on to say that the ICO should be supporting the Charities in their efforts to do good, and not be holding them against such rules that stop them ‘doing good’. Most of the articles that I have seen from those defending the RSPCA & BHF (reference to those shared by Jon, Tim & Rowenna amongst many others) all have a little bit of a ‘child got caught in the cookie jar’ tinge to them.
Stand up and be counted! One of 2 things occurred. You either knew about the rules and chose to walk a different path (reasons unknown but can be assumed fairly confidently at this point) or you didn’t have the resources to know/implement better and you did the best you could. Given the child-like blaming of ‘mummy’ in that she didn’t explicitly tell you not to raid the cookie jar, one would be fair in assuming it was the former and not the latter.
Everyone, from data subjects and privacy campaigners to the ICO, has sympathy for those that try but, due to limited resources, struggle to achieve full compliance. But that does involve actually going out there to at least see what you should be aware of. Not just blaming your parents for not telling you up front.
The Law is there for a reason. As we have seen with the Brexit debate, the argument goes that because emotion says one thing, the law should immediately say it as well (and so should those that impose the law). Like the Judges in the Supreme Court, the ICO cannot be emotional about such matters and pick and choose where the law is applied and where it is not. The current (and indeed future) laws on Data Protection & Privacy do not grant Charities the moral high ground to buck out of observing the law. To my knowledge, there are indeed very few laws that give exemptions to the charity sector.
As someone that has worked for different charities, both as a compliance person and as a general volunteer just doing what we can, there are indeed some that try to get this right with the little resources they have. But there are the others that live in the era of post-truth and believe that human decency is on their side. Without putting the emotion to one side and having a real discussion about how to get this right for everyone, is the Charity sector doomed to live in a post-truth, head-in-sand world?
Next blog post shall be back to the lovely world of GDPR!