The Royal Society for the Prevention of Cruelty to Animals (RSPCA) and British Heart Foundation (BHF) secretly screened millions of their donors so they could target them for more money, a comprehensive ICO investigation has found.
The ICO said so-called “wealth screening” was one of three different ways both charities breached the Data Protection Act by failing to handle donors’ personal data consistent with the legislation.
The charities also traced and targeted new or lapsed donors by piecing together personal information obtained from other sources. And they traded personal details with other charities creating a massive pool of donor data for sale.
Donors were not informed of these practices, and so were unable to consent or object.
Information Commissioner Elizabeth Denham said:
“The millions of people who give their time and money to benefit good causes will be saddened to learn that their generosity wasn’t enough. And they will be upset to discover that charities abused their trust to target them for even more money.”
The investigation was one of a number into the fundraising practices of charities. The investigations were sparked by reports in the media about repeated and significant pressure on supporters to contribute.
Ms Denham said:
“Our investigations suggest that the activities we’ve fined the RSPCA and the British Heart Foundation for today are also being carried out by some other charities.
“This widespread disregard for people’s privacy will be a concern to donors, but so will the thought that the contributions people have made to good causes could now be used to pay a regulator’s fine for their charity’s misuse of personal information.”
Ms Denham has exercised her discretion in significantly reducing the level of today’s fines, taking into account the risk of adding to any distress caused to donors by the charities’ actions, particularly in the context of potential further penalties in the sector as a result of ongoing investigations. She has fined the RSPCA £25,000 and BHF £18,000.
“My exercise of discretion should not take away from how serious these breaches were, nor from how disappointed donors will be with the two charities we’ve fined today. The law exists to protect people’s rights and it applies irrespective of how altruistic the organisation’s motives might otherwise be.”
In similar situations, fines could have been ten times as much.
Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the ICO.
Below is a summary of the three ways the RSPCA and BHF breached the Data Protection Act.
The charities employed wealth management companies to analyse the financial status of supporters to estimate how much more money they could be persuaded to give.
Information typically included supporters’ names and addresses, dates of birth and the value and date of the last donation.
The wealth management companies used other information from publically-available sources to investigate income, property values, lifestyle and even friendship circles. They were also able to identify donors most likely to leave money in their wills.
What the RSPCA did
The charity told the ICO that it repeatedly wealth screened all seven million of its supporters. It did not have their consent to do so.
During the investigation, the RSPCA said the practice was common, it had been doing it since 2010 and it had no plans to stop.
The RSPCA later informed the ICO, in August 2016, that it had suspended wealth screening activities.
What BHF did
The charity told the ICO it had been screening donors since “at least” 2009. Between April 2010 and August 2014 it provided records to wealth management companies containing the personal data of several million people. It did not have their consent to do this.
During the investigation, BHF told the ICO it had no plans to continue screening.
Data and tele-matching
When donors chose not to provide information, the charities hired companies to find it out. The companies used existing data or phone numbers to fill in the gaps. For example, they used an old phone number to trace a new one or use an email address to track down a postal address.
Charities could then use the additional information, which the donor did not know they had, to contact them for donations.
What the RSPCA did
The charity had been data and tele-matching since “at least” 2009. It could not produce records of how many people’s personal data had been shared with data and tele-matching companies, but it is likely to exceed one million. The ICO investigation was informed the RSPCA had not stopped this practice.
The RSPCA later informed the ICO, in August 2016, that it had ceased data-matching activities to obtain data that the data subject had not already provided.
What BHF did
The charity has been tele-matching since 2005. Between April 2010 and April 2015 it provided records containing details of several hundred thousand people to a tele-matching company. In 2013 it provided tens of thousands of records for data matching purposes.
The RSPCA and BHF were part of a scheme called Reciprocate where they could share or swap personal data with other charities to get details of prospective donors.
Typically the data included names, addresses, last donation date and amount, Gift Aid status and whether they were a regular donor.
Both charities gave donors the chance to opt out of allowing their data to be shared with “similar organisations” but the ICO found this description to be vague. The ICO found the charities did not provide people with enough information to make a decision to opt out.
What the RSPCA did
The RSPCA admitted it did not know which charities were part of the scheme, so it could not say if personal data was only shared with charities involved in animal welfare as it had promised.
Between 1998 and 2015, it disclosed hundreds of thousands of records each year.
The ICO also found that details of RSPCA supporters were shared via the Reciprocate scheme even though they had ticked the box to opt-out.
What BHF did
The charity maintained it had the consent required to share donors’ details. But the ICO ruled it did not, as the nature of the scheme meant the charities it shared personal data with were not necessarily similar or partner organisations.
Between January 2012 and July 2015, it disclosed over one million personal records through the scheme.
The ICO is committed to ensuring compliance within the sector. It will organise an educational event in partnership with the Charity Commission and the Fundraising Regulator. The ICO will also lay an in-depth report before Parliament in 2017.
The penalty notices will be published on the ICO website on Friday 9 December.
Notes to Editors
- The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
- The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. The ICO has the power to impose a monetary penalty on a data controller of up to £500,000.
- Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
- fairly and lawfully processed;
- processed for limited purposes;
- adequate, relevant and not excessive;
- accurate and up to date;
- not kept for longer than is necessary;
- processed in line with your rights;
- secure; and
- not transferred to other countries without adequate protection.
- The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act. They give people specific privacy rights in relation to electronic communications. There are specific rules on:
- marketing calls, emails, texts and faxes;
- cookies (and similar technologies);
- keeping communications services secure; and
- customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
We aim to help organisations comply with PECR and promote good practice by offering advice and guidance. We will take enforcement action against organisations that persistently ignore their obligations.
- Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.