
Note: MUST* and MUST NOT* (with asterisk) denotes legal requirement

MUST and MUST NOT (without asterisk) denotes requirement of the Code of Fundraising Practice

5.0 Legal References in this Section:

5.1 General

5.1.1     Data protection is an important issue for all fundraisers. Fundraising organisations MUST* comply with all legal requirements relating to data protection. These include:

a) the current Data Protection Act 2018 (and the Data Protection Act 2018 that will replace this when it becomes enacted in law – this section of the Code will be updated when this happens);

b) the Privacy and Electronic Communications (EC Directive) Regulations (PECR) 2003, including the requirements of the Telephone Preference Service (and any revisions to e-privacy legislation that result from the European Commission’s review of PECR in 2017 – this section of the Code will be updated when this happens).

Further guidance on the circumstances under which PECR will apply, including for telephone calls, is available from the ICO.

c) the General Data Protection Regulation (GDPR).

5.1.2     In addition, organisations MUST keep up to date with guidance from the Information Commissioner’s Office. This includes the ICO’s Direct Marketing Guidance and its GDPR consent guidance, which are designed to promote good practice and help organisations understand their obligations.

The following sections outline data protection considerations of particular relevance to Fundraising.

5.2      Processing Personal Data and Database Practices

Personal information / Personal data means information/data which relate to a living individual who can be identified directly or indirectly by reference to:

a) an identifier such as a name, an identification number, location data or an online identifier, or

b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.


ICO guidance states that: “The definition of processing is very wide and it is difficult to think of anything an organisation might do with data that will not be processing.” “Processing”, in relation to personal data, means an operation or set of operations which is performed on personal data, or on sets of personal data, such as—

a) collection, recording, organisation, structuring or storage (this includes buying data from a third party, storing or checking personal information on a database)

b) adaptation or alteration  (this includes activities such as updating personal details)

c) retrieval, consultation or use (this includes activities such as wealth screening or using personal data to contact individuals for any reason†)

d) disclosure by transmission, dissemination or otherwise making available (this includes activities such as sharing or publishing data†)

e) alignment or combination (this includes activities such as data matching and tele-appending†)

f) restriction, erasure or destruction (this includes activities such as suppressing or deleting a donor’s details on a database†)

Please note that the examples in italics are provided by the Fundraising Regulator for illustrative purposes.

5.2.1    Organisations that process personal information MUST* adhere to any notification or registration as required by the Information Commissioner’s Office.

Further information on notification and registration can be found at the ICO’s website.

5.2.2    When processing personal data (including publicly available personal data)  for any purpose, organisations MUST*:

a)    have legitimate grounds for collecting, using and retaining the personal data.

Further information on the grounds (or ‘conditions’) for processing can be found in Schedule 9 of the Data Protection Act 2018 

b)    give individuals concise, transparent, intelligible and easily accessible information about how they will process their personal data, including who the organisation is; what they are going to do with the individual’s personal information; and (where relevant) who it will be shared with.

Further information on communicating privacy information to individuals can be found in the ICO’s guidance on the right to be informed.

c)    only handle personal data in ways that the data subject would reasonably expect; and

d)    not do anything unlawful with personal data.

5.2.3    Organisations MUST* comply with any duties of confidentiality they have.

Storage and maintenance of data

5.2.4    Organisations MUST* maintain good data hygiene practices (removing incorrect/incomplete information from your data) to ensure donor information is accurate, reflects donors’ communication preferences and is retained only for as long as necessary.

5.2.5    Organisations MUST be able to show that all reasonable steps have been taken to ensure that:

a)     databases are accurate and where necessary, up-to-date.

b)     direct marketing to individuals is suppressed where the individual has asked not to receive it.

c)     the organisation ceases to contact deceased individuals where the organisation has been notified or where this information has been identified through use of a deceased suppression service

5.2.6    Personal data MUST* only be kept as long as necessary to fulfil the purpose for which it was processed (see rule 5.2.2 for further information on what information MUST be provided to the individual regarding processing).

5.2.7    Organisations MUST have appropriate systems or procedures in place (such as a suppression list) to ensure that they do not send direct marketing to individuals who have asked not to receive it, whether through individual communication channels or across all channels (see also Section 5.7 – “Requests to Cease Direct Marketing”).

5.3       Sharing and selling personal data

Data sharing

5.3.1    Organisations MUST NOT* share personal data with any other organisation unless they can evidence that they meet the processing requirements in Rule 5.2.2 above and can justify their data sharing through these requirements.

5.3.2    Where personal data is shared between organisations:

  • within a federated structure (i.e. where one controls the other or where both are under common control), or
  • under a data processing arrangement (i.e. where one organisation acts on behalf of another organisation under written contract, such as professional fundraisers, data cleansers, or printing houses)

a)    the organisational structure / arrangement and the processing purpose MUST* be clear enough in the privacy information provided to the individual that the organisation can evidence that processing would fall within the individual’s reasonable expectation.

b)    Alternatively, where the organisation receiving the data is relying on the individual’s consent as the basis to hold and use that data, the organisation receiving the data MUST* be named in the consent request, and the specific consent of the individual for their information to be shared MUST* be gained by the sender.

5.3.3    Beyond the specific exceptions set out in rule 5.3.2, Organisations MUST NOT* share the personal data of an individual with any other organisation for that organisation’s marketing purposes without the freely given, specific, informed and unambiguous consent of that individual to the sharing of the personal data with that other organisation.

Data buying and selling

5.3.4    Even if the individual has consented to their personal data being shared, Organisations MUST NOT sell that data to any other organisation unless it can evidence it has the freely given, specific, informed and unambiguous consent of that individual for their personal data to be sold.

See section 5.1-5.2 above (Processing Personal Data) for other considerations regarding sharing data.

5.4       Case Studies

5.4.1     If an organisation intends to use a real life example of an individual in a case study, the organisation MUST* only process that individual’s personal data in accordance with the law (see sections 5.1-5.2 above regarding processing personal data lawfully) and MUST NOT* disclose information received in circumstances where a legal duty to keep the information confidential arises, unless there is an overriding legal imperative to do so (for example, a police investigation).

5.5       Direct Marketing

“Direct Marketing” is defined in law as “The communication (by whatever means)…of any advertising or marketing material…which is directed to particular individuals…”

  • The Information Commissioner’s Office states that fundraising activity, as well as the promotional and campaigning activity of charities, is covered by the definition of direct marketing (ICO Direct Marketing Guidance, 2016).
  • In practice, all relevant electronic messages (for example calls, faxes, texts and emails), as well as most addressed mail are directed to someone, so they fall within this definition.
  • The marketing MUST be directed to particular individuals. Some marketing is not directed to specific individuals (for example, unaddressed mail) and is therefore not covered by this definition.

Further information on what activities are covered by direct marketing can be found in the ICO’s Direct Marketing Guidance (2016).

Alongside data protection regulations that apply to direct marketing, the Privacy and Electronic Communications Regulations (PECR) will apply when sending marketing by electronic means, such as emails, text messages and recorded telephone calls. In these cases, consent will always be needed as a condition for processing when marketing to individuals, unless the organisation can satisfy:

  • the ‘soft opt-in’ condition enabling sellers to market similar products/services after an initial purchase (this exception will only be possible in the case of a  commercial transaction); or
  • the exception for marketing to corporate subscribers.

More information on these PECR exceptions can be found in the ICO’s guidance on electronic mail marketing.

5.5.1     Organisations MUST* have a lawful basis for sending direct marketing communications to individuals.

The rules regarding “Consent” and “Legitimate Interest”, the two most common bases for sending direct marketing communications, are outlined below.

More information on the lawfulness for processing conditions can be found on the ICO website.

Consent as a basis for Direct Marketing communications

5.5.2        Where an organisation uses, or intends to use the consent condition as a legal basis for direct marketing communications, the consent obtained MUST* be a “freely given, specific, informed and unambiguous indication of the individual’s wishes”. The Consent MUST*:

a)    Be given through a clear affirmative action from the individual to signify consent (for example, using active opt-in methods, such as unticked opt-in boxes or requiring a verbal “yes” response to a question).

b)    where the organisation intends to process the individual’s data for multiple purposes, give granular options to consent separately to different types of processing.

c)    be separate from other terms and conditions and not be a precondition of signing up to a service (unless necessary for that service).

d)    name the organisation and any third parties which will be relying on the consent.

e)    inform individuals about their right to remove consent at any time.

f)     Be recorded in a format which enables the organisation to evidence who consented, when they consented, how they consented, and what they were told.

5.5.3     Electronic consent requests MUST* be clear, concise and not unnecessarily disrupt the use of the service for which they are provided (such a requirement might be achieved, for example, by breaking a longer privacy notice into shorter pieces of privacy information to pop up only at the point where personal data is inputted by the individual).

See the ICO’s GDPR Consent Guidance for further details on obtaining, recording and managing consent.

5.5.4     If consent has been obtained for direct marketing communications, organisations:

a)     MUST* offer the individual in subsequent communications an easy way to withdraw consent (such as an “unsubscribe” button).

b)     MUST, at regular intervals as reasonably determined by the organisation, remind the individual of their contact preferences and offer them an easy way to change these preferences if they wish to (such as an “update your communication preferences” button).

c)     MUST* ensure the individual’s record is updated as necessary to reflect changes to their consent or contact preferences.

5.5.5   All permission statements (wording to gain consent for marketing purposes) displayed in fundraising materials MUST be at least the same font size as the larger of

a) any text asking for the recipient’s personal details, or

b) any text specifying the donation amount.

If there is no text asking for personal details or specifying donation amount, any permission statements MUST be in the minimum font size of 10.

More information on establishing consent can be found in the ICO’s Guidance on GDPR and consent.

Legitimate Interest as a basis for Direct Marketing communications

5.5.6     Where an organisation relies on the Legitimate Interest condition to process data for the purpose of direct marketing by live phone call or by post, the organisation MUST* be able to evidence:

a)    that it has identified a legitimate interest (ICO guidance notes that this may be an organisation’s own interest or the interest of third parties and may include commercial interests, individual interests and broader societal benefits)

b)    that the processing is necessary to achieve that interest (ICO guidance notes that if the same result can reasonably be achieved in another, less intrusive way, legitimate interests will not apply)

c)    that it has balanced its interest in processing the personal data against the interests, rights and freedoms of the individual to ensure that the organisation’s interests are not overridden by those of the individual (ICO guidance notes that if the individual would not reasonably expect the processing or it would cause unjustified harm, their interests are likely to override those of the organisation)

d)    the record of decision making, and make this available on request.

5.5.7     Where an organisation relies on the Legitimate Interest condition to process data for the purpose of direct marketing by phone or post, the organisation:

a)    MUST* explain what the individual’s personal information will be used for.

b)    MUST* explain the legitimate interests pursued by the organisation.

c)    MUST offer, in this communication and subsequently in any direct marketing communication sent, a clear and simple means for the individual to indicate that they do not wish to receive direct marketing in future.

Further information on communicating privacy information to individuals can be found in the ICO’s guidance on the right to be informed.

See the ICO’s further guidance on using legitimate interest.

5.6       Requests from individuals to access their personal data

5.6.1     Where an organisation processes an individual’s personal data by automated means (ie through the use of computers and computer software), they MUST*, at the request of the individual, provide the individual with the personal data and information on how it is used if it is in accordance with the individual’s right of access, subject to any exemptions.

See the ICO’s further information for organisations on what data and how it must be provided under the Right of Access

5.6.2     Where an organisation holds or uses an individual’s personal data to fulfil a contract or because they have their consent as a lawful basis for processing, the organisation MUST* ensure that the personal data can be easily moved, copied or transmitted from one IT environment to another where the individual requests it (whether to the individual’s own systems, the systems of trusted third parties or those of new data controllers).

See the ICO’s further information for organisations on requirements on the Right to Data Portability

5.7       Requests from individuals to cease or not begin Direct Marketing

5.7.1    Organisations MUST* either cease within a reasonable period (meaning as soon as is practicable, but in any event not exceeding 28 days) or not begin to process an individual’s personal data for the purpose of direct marketing where they receive notice from, or on behalf of an individual to do so. This may include

a)    notice from (or on behalf of) an individual submitted through the Fundraising Preference Service or notice from the Fundraising Preference Service that such a request has been made

b)    Any other indication of wishes from an individual (or made on their behalf) that they do not wish to be contacted for direct marketing purposes, such as via preferences and unsubscribe mechanisms.