Data Protection: Friend or foe? 15th October 2015.

Presentation transcript:

Data Protection: Friend or foe? 15th October 2015

Please note: if you want to make the links in this presentation work, you need to show it as a slideshow (press F5). If you can see this slide, you are not in Show mode and the links won’t work.

This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.

What Data Protection is about: 1
Protecting people:
- Prevent harm to the individuals whose data we hold, or other people
- Keep information in the right hands
- Hold good quality data
Protecting data about: donors, supporters, customers; clients, service users; colleagues, professional contacts

What Data Protection is about: 2
- Reassure people that we use their information responsibly, so that they trust us
- Be transparent – open and honest, don’t hide things or go behind people’s backs
- Offer people a reasonable choice over how you use their data, and what for
(Slide callouts: ‘Give us more money!’ ‘Support our campaign!’ ‘We sold your details to someone else’)

What Data Protection is about: 3
- Recognise individual rights, such as:
  - Right to opt out of direct marketing
  - Right of Subject Access
  - (And others)

The main topics for this session:
- Transparency
- Choice
- Accuracy & data quality
- Security
But first:
- The Data Protection Principles
- The new EU Regulation

The Data Protection Principles
1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s) you obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad

The new EU Regulation
Looks likely to contain:
- More detailed transparency requirements
- Consent (if required) = ‘unambiguous’ / ‘explicit’
- … but “The processing of personal data for direct marketing purposes can be regarded as carried out for a legitimate interest.” – according to one draft version
- “Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing free of charge and in a manner that can be easily and effectively invoked.”
- Some restrictions on ‘profiling’

‘Fair’ processing (Principle 1) & Limited purposes (Principle 2)
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

‘Fair’ processing (Principle 1): Transparency
- Being fair means that people should have no unpleasant surprises when you use data about them.
- You must always think whether you need to tell them anything about, in particular:
  - who is collecting their information
  - what broad purposes you hold their data for
  - who you might pass the data on to
  - how to contact you if they want to stop you from using their data or check what you are doing

Transparency statements
- Own up to marketing
- Layered approach:
  - Key points on data capture form/in script
  - More detail in privacy statement, etc.
- Consistency across the organisation is essential:
  - Different channels (print, online, etc.)
  - Different activities (fundraising, events, sales)
- Don’t be too precise and restrict your future options
- Don’t neglect texts & social media

Conditions for fair processing (Schedule 2)
- With consent of the Data Subject (“specific, informed and freely given”)
- For a contract involving the Data Subject
- To meet a legal obligation
- To protect the Subject’s ‘vital interests’
- Government & judicial functions
- In your ‘legitimate interests’ provided the Data Subject’s interests are respected:
  “The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”

‘Fair’ processing (Principle 1): Consent
- You must meet at least one of the Schedule 2 Conditions
- Think carefully before going ahead without consent
- Consent can be:
  - Opt out (we’ll do it unless you say ‘no’) – as long as they do something
  - Opt in (we’ll only do it if you say ‘yes’)
- Consent need not be in writing (unless you need evidence)
- Don’t use pre-ticked opt-in boxes

Direct Marketing (including fundraising)
- If you intend to use people’s information for direct marketing you must tell them (because of Principle 2)
- Individuals have a right to prevent direct marketing:
  - Anyone may ‘require’ you in writing to stop: if an individual says ‘stop pestering me’ you must comply
  - But marketing to an organisation isn’t covered (except Corporate TPS)
  - They can’t insist on you breaking off non-marketing contact (or deleting records you need to keep)

Direct marketing definition
The Data Protection Act is not very helpful. It defines Direct Marketing as:
- ‘[Unsolicited] communication by whatever means [of advertising or marketing material] directed to the Data Subject’
- This probably means any unsolicited contact that asks people to do something for your benefit (even if they get something in return)
- Providing membership benefits (e.g. a newsletter) is probably not marketing

Privacy & Electronic Communications Regulations (PECR)
- Mailing preference: voluntary, not PECR
- Telephone preference: mandatory, PECR
  - You must not call anyone whose number is on the Telephone Preference Service unless they have given prior consent
- Email: confused, PECR
  - Applies to private email/SMS facilities, not business
  - Marketing similar products/services to existing customers permitted
  - Otherwise, must have prior consent (but a newsletter might not be marketing)

What do people complain about?
Fundraising Standards Board’s Complaints Reports: how many fundraising contacts it takes to generate one complaint (three figures per channel, as given on the slide):
- Addressed mail: 4,339 / 2,837 / 2,985
- SMS: 85,619 / 4,919 / 10,000
- Telephone fundraising: 7,643 / 7,969 / 10,989

The revised IoF Code
Changes from September 2015:
- Every addressed fundraising communication must carry a clear message explaining how donors can easily ‘opt out’ of receiving future communications
- Minimum font sizes for opt-in and opt-out statements on all printed communication
- Ban on selling any individual’s data to a third party
- Sharing an individual’s data with third parties for fundraising communications only with express consent
- Stricter rules on telephone fundraising techniques

Opt in or opt out?
- It was usually thought OK to offer an opt out from:
  - mailings
  - sharing the data with other organisations for them to mail
- Has always been simplest, and probably best, to ask for opt in to:
  - phone marketing (otherwise must check against TPS)
  - email or text message marketing
- Be clear about the options, record their preferences carefully, and ensure that they are acted on
- Make sure traded or swapped lists are cleaned first
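The PECR slide and the opt-in/opt-out slide together describe a decision rule that a fundraising database has to apply before every campaign: post may run on an opt-out basis, a phone call needs either recorded opt-in consent or a clean TPS check, email and SMS need opt-in consent (or the existing-customer exception for similar products), and a written ‘stop’ request overrides everything. The following Python is an added illustration of that rule, not code from the presentation or from any real fundraising system; the contact records, TPS numbers and stop list are constructed sample data, and the `Contact` fields, `permitted_channels` and `clean_list` are names chosen here. It also shows the list-cleaning step the slide asks for, so a traded list is filtered against the TPS and the stop list before anyone is called.

```python
"""Channel permission check for direct marketing (added illustration, not the presentation's code).

Rules encoded, as the slides describe them:
- a written 'stop' request (s.11 notice) blocks every marketing channel
- post: acceptable on an opt-out basis, so allowed unless the person opted out
- phone: allowed with recorded opt-in consent; without a recorded choice only if
  the number is NOT on the Telephone Preference Service (TPS)
- email / SMS: need opt-in consent, or the PECR existing-customer exception
"""
from dataclasses import dataclass, field
from typing import Optional

CHANNELS = ("post", "phone", "sms", "email")


def normalise_phone(number: str) -> str:
    """Reduce a UK number to bare digits with a leading 0 so TPS lookups match
    whatever spacing or +44 prefix the list supplier used."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if digits.startswith("44"):
        digits = "0" + digits[2:]
    return digits


@dataclass
class Contact:
    ref: str                                  # our own record reference (constructed)
    phone: Optional[str] = None
    email: Optional[str] = None
    # per-channel preference exactly as recorded: "opt_in", "opt_out" or absent (no choice made)
    prefs: dict = field(default_factory=dict)
    existing_customer: bool = False           # PECR exception: similar products/services only


def permitted_channels(c: Contact, tps: set, stop_requests: set) -> set:
    """Return the set of channels this contact may be marketed on."""
    if c.ref in stop_requests:                # a written 'stop' request ends all marketing
        return set()
    allowed = set()

    if c.prefs.get("post") != "opt_out":      # opt-out model is acceptable for mailings
        allowed.add("post")

    if c.phone:
        pref = c.prefs.get("phone")
        on_tps = normalise_phone(c.phone) in tps
        # prior consent overrides TPS; with no recorded choice the TPS check is mandatory
        if pref == "opt_in" or (pref is None and not on_tps):
            allowed.add("phone")

    for ch, has_address in (("sms", bool(c.phone)), ("email", bool(c.email))):
        if not has_address:
            continue
        pref = c.prefs.get(ch)
        if pref == "opt_in" or (pref is None and c.existing_customer):
            allowed.add(ch)
    return allowed


def clean_list(contacts, channel: str, tps: set, stop_requests: set):
    """Clean a (possibly traded or swapped) list for one channel before it is used."""
    return [c for c in contacts if channel in permitted_channels(c, tps, stop_requests)]


# Constructed sample data; 020 7946 0xxx is a reserved UK range, not a real subscriber.
TPS = {normalise_phone("+44 20 7946 0001")}
STOP_REQUESTS = {"D003"}
SAMPLE = [
    Contact("D001", phone="020 7946 0001"),                                 # on TPS, no choice recorded
    Contact("D002", phone="020 7946 0002", email="d002@example.org",
            prefs={"phone": "opt_in", "sms": "opt_in"}),
    Contact("D003", phone="020 7946 0003", prefs={"post": "opt_in"}),      # sent a written stop request
    Contact("D004", phone="020 7946 0001", email="d004@example.org",
            prefs={"phone": "opt_in", "post": "opt_out"}, existing_customer=True),
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(c.ref, sorted(permitted_channels(c, TPS, STOP_REQUESTS)))
    print("phone list after cleaning:", [c.ref for c in clean_list(SAMPLE, "phone", TPS, STOP_REQUESTS)])
```

The point of keeping the preference as recorded (`opt_in`, `opt_out` or nothing) rather than a single yes/no flag is that the slides treat the three cases differently per channel: no recorded choice is enough for post, triggers a TPS check for phone, and is not enough for email or SMS unless the existing-customer exception applies.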

Data quality (Principles 3 & 4)
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.

Member, donor, supporter and customer records
- Ask the right questions and/or explain why you are asking
- Give people plenty of opportunity to tell you when things change and to check that their records are up to date
- Design your forms & systems to encourage accurate data entry
- Synchronise systems regularly (where you can’t avoid having someone’s records on two different systems)

Profiling potential major donors
- Don’t record anything unless you can justify it as relevant and not excessive
- Quote the source of the information
- Be wary of using information not in the public domain
- Where possible check your facts
- Clarify when it is an opinion or speculation
- Be wary of including information about other people
- Make the decision as soon as possible, and then either own up to the individual or delete the material

Confidentiality
Data Protection and Confidentiality overlap a lot, but they are not the same. Data Protection: who has access to what information for what purposes.

Security (Principle 7)
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
The Information Commissioner can impose a penalty of up to £500,000 for gross breaches of security.

Security: key controls
- Appropriate access privileges so that people only see the information they need to
- Training staff not to gossip, fall for scams or poke around where they shouldn’t
- Protecting data in transit – post, email, fax, etc.
  - Are spreadsheets a secure way to send data?
- Encryption and passwords when data leaves the office
- Payment cards: PCI Data Security Standards

Security example
- 2009: Everychild street fundraiser lost a folder containing donor details
- Information Commissioner investigated, but took no further action after Everychild took steps to amend procedures
- Fundraiser involved was subsequently sacked

Penalties for marketing
- Kwik Fix Plumbers Ltd: fined £90,000 for continually making nuisance calls targeting vulnerable victims. In several cases, the calls resulted in elderly people being tricked into paying for boiler insurance they didn’t need.
- Parklife Manchester Ltd: fined £70,000 after sending unsolicited marketing text messages about Manchester’s annual festival. The text went to 70,000 people who had bought tickets to last year’s event, and appeared on the recipients’ mobile phones to have been sent by “Mum”.

Data Protection: the absolute basics
We are trying to:
- Prevent harm by
  - Keeping data only in the right hands (and being clear what ‘the right hands’ are)
  - Holding good quality data (accurate, up to date and adequate)
- Reassure people so that they trust us by
  - Making sure people know enough about what we are doing
  - Giving people a choice where possible

Many thanks
- Contact me if there is anything else.
- See my website for webinars, publications, etc.