Whether you are a trustee of a charity or a member of the senior management team, your interests will include ensuring that your charity complies with legislation to protect data that is held, as well as being fully up to date with the latest developments in data protection. Lodders’ Charity Law expert Mark Lewis guides you through current and incoming data protection regulations to equip you with knowledge that is beneficial to your charity.
What is the Data Protection Act?
The Data Protection Act 1998 (DPA) aims to balance organisations’ need to collect and use personal data with individuals’ right to privacy in their personal details. Eight common-sense principles underpin the DPA:
- Have legitimate grounds for using data
- Be clear from the outset of your intentions for the data
- Only collect data you really need – i.e. practise data minimisation
- Make clear the source of the data
- Do not keep data processed for any purpose for longer than is necessary for that purpose
- Process personal data in accordance with the rights of data subjects under this Act
- Take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data and against accidental loss of, destruction of, or damage to personal data.
- Ensure that personal data is only transferred outside the European Economic Area if there is adequate protection in place
Privacy and Electronic Communications (EC Directive) Regulations 2003
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) sets out some extra rules for electronic communications. The PECR is to be used in addition to the DPA, and regulation 4 states that you must still comply with the DPA. The PECR will apply if you:
- market by phone, email, text or fax;
- compile a telephone directory (or a similar public directory).
What are the key points of the PECR?
- Telephone Marketing: Organisations must not make marketing calls to any number listed on the Telephone Preference Service (TPS) or Corporate TPS (CTPS) unless that person has specifically consented to your calls.
- Electronic Marketing: Organisations must not send marketing emails or texts to individuals without specific consent.
- Consent: Keep clear records of consent, and keep a ‘do not contact’ list of anyone who objects or opts out.
- Cookies and similar technologies: Organisations must tell people if they set cookies, as well as clearly explaining what the cookies do and why. The user’s consent must also be obtained.
Spring 2017 update to the PECR: Because penalties issued for nuisance calls have frequently gone unpaid, a new personal liability for directors to pay the fines incurred for nuisance calls is to be introduced in Spring 2017, after which the ICO will be able to fine each company director up to £500,000 for nuisance calls.
Fundraising Regulator and Fundraising Preference Service
The Fundraising Regulator replaced the Fundraising Standards Board on 7th July 2016. Their role is to:
- Set and promote the standards for fundraising
- Investigate cases where fundraising practices have led to significant public concern
- Adjudicate complaints from the public about fundraising practice
- Operate a fundraising preference service
- Where poor fundraising practice is judged to have taken place, recommend best practice guidance and take proportionate remedial action.
The Fundraising Preference Service (FPS) will allow members of the public to reset their contact preferences. The person registering will be told that their registration will be notified to fundraisers and that they might be approached once by those they have donated to in the past to clarify their relationship in the light of the registration. The FPS will be used in the following way:
| Scenario | How the FPS will respond |
|---|---|
| Member of the public trying to prevent | Signpost to the Telephone Preference Service; signpost to the Mail Preference Service |
| Communication from a named charity | Website will provide a ‘small red button’ to allow the user to specify the charity or charities they do not want to hear from. This would be a targeted response to meet the user’s wishes. |
| All communications where the purpose is fundraising | Website will provide a ‘large red button’ to be a full reset. |
General Data Protection Regulation (GDPR) and how this will affect charities
The GDPR comes into force on 25 May 2018 and, unless we have withdrawn from the EU beforehand, we will have to live under these rules. However, any business that trades in the EU will have to comply with GDPR in spite of Brexit, meaning that these regulations will still be highly relevant.
There are four key areas that will affect the way that charities operate: Scope, Rights, Obligations and Enforcement.
The scope has widened to the following three areas:
- Pseudonymisation: A security measure similar to encryption. Personal data is processed in such a way that it can no longer be attributed to a specific data subject without the use of additional information, provided that additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person. It helps limit an organisation’s risk profile and exposure in the event of a personal data breach.
- Controllers and Processors: Direct compliance obligations for processors – they may be liable to the same scale of fines as controllers, so data processing agreements with third parties will need to be robust.
- Children’s data: Consent has to be verifiable, so the organisation must obtain a parent or guardian’s consent when collecting information about children. Children are likely to be defined as anyone under the age of 13 in the UK, and when collecting children’s data the privacy notice must be written in language that children will understand.
Note that data protection will still not apply to anonymous data, meaning data that is rendered anonymous in such a way that the data subject is not or is no longer identifiable.
Rights of Individuals
- Right to be forgotten: Individuals will have the right to request that organisations delete their personal data in certain circumstances, for example when it is no longer necessary to hold it. However, achieving accurate deletion in practice can be difficult, so it may be better to explain to supporters that suppression is the more reliable way to guarantee no future contact.
- Right not to be subject to automated profiling: This is a significant change which gives individuals the right to object to profiling on grounds relating to their particular situation. It will focus on profiling that affects data subjects significantly, including online tracking and behavioural advertising. It is therefore important to look at what profiling your organisation does and how to implement appropriate consent mechanisms in order to continue to carry out profiling.
- Subject access requests: There is now only one month to comply rather than the current 40 days. Organisations may refuse to comply when the request is manifestly unfounded or excessive. In general, organisations cannot charge for these unless the request is excessive. Additional information must be provided in relation to data retention periods and the right to have inaccurate data corrected. If your organisation deals with a large number of SARs then it may be worth developing an online system to allow people easy access.
- The right to data portability: This is a new right and is an enhanced SAR, which means organisations have to provide the data electronically and in a commonly used format.
- The right to have inaccuracies corrected
- The right to prevent direct marketing
Data Protection Principles
- Consent: A more active form of consent is required, so consent cannot be inferred from silence, pre-ticked boxes or inactivity. For sensitive data in particular, explicit consent is still required. The consent must be freely given, specific, informed and unambiguous, and the organisation must be able to evidence it. There is also going to be greater scrutiny of the duration of consent.
- Transparency and Privacy Notices: Increased transparency is now required, so information needs to be concise, transparent, intelligible and in an easily accessible form. However, a lot more detail is now also required about:
  - the purpose of, and legal basis for, the organisation’s processing of data
  - the retention period and the criteria used to justify it
  - how to complain
  - the source of the data and the names, or at least the types, of organisations that the data may be passed on to
  - the level of protection for information transfers
  It may therefore be difficult to provide the detail required while still meeting the requirement to be concise and easily accessible.
Accountability and Privacy Impact Assessments (PIAs)
- Privacy by Design and Privacy by Default: These have always been an implicit requirement of the data protection principles, but they are now an express requirement.
- Fully documented compliance programme: Ensure that appropriate policies are in place with robust security and strong internal record keeping, with clearly documented processing activities. Take a risk-based approach and carry out PIAs (a pre-condition for high-risk processing).
- Implementation of Privacy Impact Assessments: These will always be required in high-risk situations, for example where a new technology is being deployed or where a profiling operation is likely to significantly affect individuals. If the PIA indicates high-risk data processing then you will be required to consult the ICO to seek its opinion as to whether the processing operation complies with GDPR. Organisations should start to assess the situations in which it will be necessary to conduct PIAs and decide who will do it and how the process will be run.
Data Protection Officer
The data protection officer will take responsibility for data protection compliance and should have the knowledge, support and authority to carry this out effectively. They will need to conduct regular and systematic monitoring of individuals on a large scale. The officer should be sufficiently independent to be able to perform their duties properly and should report to the highest level of management within the organisation.
A data protection officer is mandatory for public bodies, when certain types of data are used on a wide scale (for example, criminal and mental health data), and when member state law requires it. It is therefore not mandatory in most cases; however, it is still advisable to appoint someone to such a role in order to maintain good practice.
Breach notification has been strengthened: the ICO now needs to be notified of data breaches within 72 hours and, in some cases, the data subjects involved will also need to be notified.
An incident response plan will need to be developed. It will be necessary to designate roles, identify key decision makers and the relevant people that will need to be involved when a breach happens.
The ICO now has increased powers and can therefore issue much greater fines. The maximum fine will be €20 million or 4% of annual worldwide turnover, whichever is greater. It is important to remember that data protection is largely about reputation, so fines may prove more manageable than the reputational damage.
Furthermore, coordination between national supervising authorities is likely to lead to stronger enforcement overall.
Components for a strong data protection framework, and how to achieve each
(1) Know the legal position
- Ensure decision makers:
  - know and apply the core principles for data use
  - are aware of the changes resulting from GDPR
(2) Know your organisation
- Understand and review your organisation’s approach to data
- Create a data processor register – track where data came from and where it goes: to whom, why and how
- Take a risk-based approach
- Identify key contacts
(3) Core suite of policies, guidance, registers and templates
- Carry out a gap analysis on the data you already hold – work out what is missing and what needs updating
- Focus on:
  1. External view: Privacy Notice
  2. Internal view: Data Protection Policy
  3. Data protection by design, PIAs and designating a data protection officer
  4. Registers (including subject access requests and identifying ages to meet the children’s data requirements)
  5. Incident Response Plan – have the right procedures in place to detect, report and investigate a personal data breach
(4) Establish a training plan
- Organisation-wide basic training
- Specialist training for high-risk areas
- Refresh annually
(5) Raise awareness
- Get employees to care about it
- Clear reporting lines and a ‘no blame’ culture
(6) Test it
- This is critical: you will need to know whether it works in practice as planned
Materials available to raise awareness of data protection within your organisation
The ICO has created a Toolkit specifically for charities regarding communicating the importance of data privacy to employees. TH!NK PRIVACY was created as a simple, easy to understand articulation of the challenge faced by employees of all organisations. It captures the required personal responsibility and frame of mind and it expresses the need for employees to ‘press the mental pause button’ before action.
The ICO highlights that data privacy is relevant to and the responsibility of everyone in your organisation. Therefore, if employees are aware of the issues they are more likely to change their behaviour accordingly. In order to assist with this, there are posters on: ‘Responsibility’, ‘Reputation’, ‘Respect’ and ‘In your hands’. There are also postcards on: ‘Something Missing’ and ‘You didn’t’, as well as bin stickers for confidential waste. Further information on these resources can be found here.
As a trustee, you may find it difficult to navigate the maze of guidelines and legislation, which is why our team of friendly and professional experts are on hand, offering substantial, in-depth expertise gained through working with charitable and not-for-profit organisations of all shapes and sizes that value the personal and responsive service we provide. For further advice on data protection for charities or any other aspects of charity law, please contact Mark Lewis on 01789 206135 or by email.