In November 2021, the Fundraising Regulator responded to a public consultation hosted by the Department for Digital, Culture, Media & Sport which focused on reforms to the UK’s data protection regime.
Our response is in the form of a letter addressed to the DCMS domestic data protection team. You can find information about the consultation on the UK Government website.
Our work with the Information Commissioner’s Office
We work in partnership with other regulators and representative bodies in the charitable and fundraising sectors to build public confidence and ensure consistent fundraising standards across the UK. Our commitment to working with the Information Commissioner’s Office (ICO) is set out in our joint Memorandum of Understanding.
We have worked closely with the ICO since our establishment in 2016 to ensure that data in fundraising is not misused and to provide clear guidance to the sector. This close working continued in the run up to the implementation of the General Data Protection Regulation (GDPR) and the Data Protection Act in 2018.
Close working between ourselves and the ICO, as well as the Chartered Institute of Fundraising and the Data & Marketing Association, is valuable to the fundraising sector as it ensures that organisations receive consistent advice on matters related to data handling and protection. It is important that this close working continues.
For fundraisers, much of the focus of the data protection regime relates to the processing of personal data for direct marketing. Direct marketing is a key part of how many charities communicate with their supporters and raise funds for example sending a fundraising appeal to someone in the post, emailing them, or sending them a text message. Data, when collected and stored in line with the law, helps fundraisers to campaign more effectively and to increase the impact of fundraising activity.
We regularly advise members of the fundraising community about direct marketing and data protection practices, and we have several resources to help the sector to meet the legal requirements. These were developed in collaboration with the ICO, and include:
- The Code of Fundraising Practice: standards about processing personal data can be found in section 3 of the code. However, many sections on specific fundraising practices such as telephone fundraising, direct mail and online advertising include considerations around data protection and direct marketing.
- The Fundraising Preference Service (FPS): this service enables members of the public to control the direct marketing they receive from charities by phone, direct mail, email and SMS.
- Guidance: we have a GDPR library to provide signposting to relevant guidance and resources. We also have a series of bitesize guidance pieces on the requirements of GDPR within the context of different fundraising practices, which are co-badged with the ICO.
We welcome the opportunity provided by this consultation to consider the legal framework around data protection within the UK. Whilst the focus of the consultation is on business and economic development, the proposals also have implications for fundraising organisations and for the standards set out in the code.
The code includes standards about the processing of personal data. It includes standards related to direct marketing (3.5), which incorporates standards related to consent for direct marketing communications and legitimate interest as a basis for direct marketing communications. These standards, combined with requirements set out in GDPR provide an appropriate framework for handling data. We will work with the ICO on any potential changes to these standards arising from the proposals as set out in the consultation.
We note the proposals to implement a more flexible and risk-based accountability framework which is based on privacy management programmes (paragraph 145). Accountability and good governance are essential to ensure that data is handled legally, fairly and responsibly.
We note the proposals to extend the soft opt-in to electronic communications from organisations other than businesses where they have previously formed a relationship with the person, perhaps as a result of membership or subscription (paragraphs 207-211). The code (3.5.4 and 3.5.9) makes clear that people must be given the chance to opt-out both when contact details are first collected by charities for fundraising purposes and in any other marketing communication they are sent. This means that if the soft-opt in is extended to fundraising organisations, there are already regulatory standards in place which require clear opt-out options for the public.
Our Fundraising Preference Service provides an opt out mechanism for people who no longer want to hear from charities. The protections it offers to people who are vulnerable will be valuable if the changes to the soft opt-in lead to an increase in charity marketing.
We note the proposal to require a complainant to attempt to resolve their complaint directly with the relevant data controller before lodging a complaint with the ICO (paragraphs 381-384). Regulators must be able to target their resource to address the areas where they can have the greatest impact. The Fundraising Regulator investigates complaints about charitable fundraising where these can't be resolved by organisations themselves.
The consultation document also includes proposals to require data controllers to have a simple and transparent complaints-handling process in place to deal with data subject complaints (paragraph 386). The Charities (Protection and Social Investment) Act 2016 requires charities to provide statements on specific areas of their fundraising in their annual report, which is submitted to the Charity Commission for England and Wales. These statements cover key aspects of charities’ fundraising activity including the approach taken, regulation, complaint numbers and how they ensure vulnerable people are protected. These statements enable charities to be transparent about their processes, which demonstrate that fundraising is being done in a safe way which protects the public. It is important that any proposals requiring the development of complaints processes, or any reporting requirements put in place around those processes, align with existing requirements which are already in place for the charitable sector.