Water Aid: September 2020

Name and type of organisation: WaterAid (registered charity no. 288701)

Fundraising method: Addressed mail and television advertising

Code themes examined: Supporter data, vulnerable people and complaint handling

Code breach? No

The complaint

The complainant’s spouse contacted WaterAid (the charity) in December 2017 to ask it to stop contacting their relative, who was showing signs of memory loss. The charity did so. However, the complainant was concerned that the individual was able to set up a monthly Direct Debit donation to the charity in November 2019. 

What happened?

In December 2017 the charity told the complainant’s spouse that it had removed the individual’s details from its mailing list and would not contact them again. In November 2019 the individual contacted the charity to set up a regular donation after seeing its television advertisement. The telephone call was handled by the charity’s agency. 

Shortly afterwards, the complainant found a letter from the charity which confirmed that a monthly Direct Debit donation had been set up. The complainant contacted the charity to complain. The complainant provided a copy of their Power of Attorney for the individual’s finances and said that the individual now had dementia. 

The charity apologised and cancelled the Direct Debit. It said that the individual’s supporter record showed that they should not be contacted and it had added a note that if any further donations were made, this should be investigated. It also updated the individual’s record to reflect that the complainant had Power of Attorney. 

At that time, the charity ran a fortnightly report to check if any supporters with this note had made donations so it could contact them to see if it was appropriate. This means that anyone identified as potentially vulnerable would immediately have their donation put on hold pending investigation, and no money is claimed. The charity said that the individual’s Direct Debit instruction would have appeared on the next report before any donations were taken. The charity now runs this report weekly. The charity said that, as a result of our investigation, it will be looking at implementing an automated solution that allows it to investigate these scenarios more quickly.

Although the complainant was identified as potentially vulnerable, the charity’s policy under General Data Protection Regulation (GDPR) is to only speak to the supporter about their regular gift. However, it recommends supporters speak to their family before setting up any donation. The charity said that if it is unable to contact the supporter, it automatically cancels the Direct Debit. The charity said that where it does know of a Power of Attorney, it contacts them. The charity said that in this case, even without the complaint, it would not have claimed the Direct Debit and no money would have left the individual’s bank account. 

The charity said that due to GDPR the charity will only ever process the minimum possible personal data in order to achieve the purpose for which it is processing it. Therefore, it did not ask for any further information from the complainant’s spouse in 2017 because it already had the minimum information it required to cease contacting the individual. The charity said that due to vulnerability being categorised as sensitive data under GDPR it is unable to share its ‘not appropriate to contact’ flag indicating potential vulnerability with its agency. 

Our decision

The charity applied a ‘not appropriate to contact’ flag to the individual’s supporter record in December 2017 which stopped further direct marketing being sent. Therefore, we found that the charity had not breached the Code of Fundraising Practice (the code) regarding requests to stop direct marketing.    

Having listened to a recording of the telephone call in which the individual set up a Direct Debit, we consider that they did not show any obvious signs of vulnerability. In addition, the member of staff at the agency who took the call did not have knowledge of the individual’s vulnerability. The agency therefore acted appropriately. 

The charity explained why it did not pass information about the flag on the individual’s file to its agency, and why it judged it was unable to contact anyone other than the individual. We can see that the charity has a process that would have prompted it to investigate the donation and, as a result of our investigation, now completes its checks in such cases weekly. Despite the issuing of the Direct Debit letter, we note that no money would have left the individual’s bank account. We therefore found that the charity had not breached the code regarding not accepting donations from people in vulnerable circumstances. 

It would have been more comprehensive for the charity to have explained in 2017 that, while it could commit to not sending any further direct marketing to the individual, it was possible that a scenario might arise in which it would be required to contact them. However, it was not unreasonable of the charity not to have anticipated that the individual would proactively contact it to make a donation. We received assurances that, although its Direct Debit letter may have suggested otherwise, no money would have left the individual’s bank account. We also received an explanation of why the charity did not ask for evidence of any Power of Attorney in 2017. We therefore found that the charity had not breached the complaint handling section of the code. 




There are no actions for the charity.