3. Processing personal data (information)
Protecting personal data makes sure people can trust you to use their data legally, fairly and responsibly. This section sets out the standards we expect when you process personal data, including standards related to direct marketing.
The rights people have over their data
The General Data Protection Regulation (GDPR) gives people the following rights in law regarding their personal data.
Special category data
Certain types of data need stronger protection. This includes, for example, information relating to a person's:
- race;
- ethnic background;
- political opinions;
- religion;
- trade-union membership;
- genetics;
- biometrics (computerised details used to identify a person through their unique characteristics, for example through fingerprint scanning and facial recognition);
- health;
- sex life; or
- sexual orientation (sexuality).
Guidance on conditions for processing special category data is available from the ICO.
3.1. General requirements for personal data
In this section, ‘you’ means a charitable institution or third-party fundraiser who processes personal data.
You must meet all legal requirements relating to data protection, including:
- the Data Protection Act 2018;
- the General Data Protection Regulation (GDPR); and
- the Privacy and Electronic Communications (EC Directive) Regulations (PECR) 2003, including the requirements of the Telephone Preference Service (TPS), and any revisions to e-privacy legislation that result from the European Commission’s review of PECR that began in 2017.
You must keep up to date with guidance from the ICO. This includes the ICO’s direct marketing guidance, its GDPR consent guidance and legitimate interests guidance.
If you process personal data, you must pay the data protection fee to the ICO, unless you are exempt.
When processing personal data (including information that is available to the public) for any purpose, you must:
- have a lawful basis (a valid legal reason) for collecting, using and keeping the personal data (for more information on the grounds (or ‘conditions’) for processing personal data, see articles 6 and 9 of the GDPR);
- give people concise, open, understandable and easily accessible information about how you will process their personal data, including who your organisation is, what you are going to do with their personal data and who (if anyone) you will share it with;
- only process personal data in ways that the person whose data it is would reasonably expect; and
- not do anything unlawful with personal data.
You must meet any duties you have to keep data confidential. You must not share data if you have a legal duty to keep the data confidential, unless there is an overriding legal reason to do so (for example, if a court ordered you to release the data).
- Information Commissioner’s Office: Guide to Privacy and Electronic Communications Regulations
- Information Commissioner’s Office: Right to be informed – for guidance on privacy information and notices
- Information Commissioner’s Office: Data Protection fee – for information on how to register with the ICO
3.2. Storing and maintaining personal data
In this section, ‘you’ means a charitable institution or third-party fundraiser.
You must make sure that all materials, in particular filled-in donor forms, are stored securely and in line with your obligations under data protection law.
You must make sure that data you keep about donors is accurate and reflects their communication preferences, and only keep it for as long as is necessary for:
- the purpose or purposes you are processing it for;
- purposes compatible with these stated processing purposes; or
- a purpose that is allowed by law and is in the public interest.
You must be able to show that you have taken all reasonable steps to make sure that:
- databases are accurate and, where necessary, up to date;
- you don’t send direct marketing to people who have told you they don’t want to receive it; and
- you stop sending communications addressed to people you know have died.
You must have appropriate systems or procedures in place (such as a list of people not to contact) to make sure that you do not send direct marketing to people who have asked not to receive it.
If you receive notice from, or on behalf of, a person telling you that they don't want to receive direct marketing, you must either stop sending direct marketing to that person within a reasonable period (as soon as possible, and in any case within 28 days) or not begin to process their personal data for the purpose of sending them direct marketing. Examples of such a notice include:
- a notice from (or sent on behalf of) a person through the Fundraising Preference Service telling you that a request to stop contact has been made; or
- any other clear indication from a person (or made on their behalf) that they do not want you to contact them for direct marketing purposes. This indication may include giving you their contact preferences or unsubscribing from mailing lists.
- Information Commissioner’s Office: Right to object – for guidance on people’s right to object to you processing their personal data
- Information Commissioner’s Office: Principle (b): Purpose limitation – for guidance on keeping to the limits on the purposes you are allowed to process personal data for
3.3. Sharing and selling personal data
In this section, ‘you’ means a charitable institution or third-party fundraiser.
You must not share personal data with any other organisation unless you have a lawful basis to share it and can prove that you meet the processing requirements in section 3.1 above.
If personal data is shared between organisations:
- within a federated structure (in other words, where one organisation controls the other or where both are controlled by the same parent organisation); or
- under a data-processing arrangement (where one organisation acts on behalf of another organisation under a written contract, such as professional fundraisers, data-management companies or printing houses);
the organisational structure or arrangement and the reason for processing the data must be clear in the privacy information you give to the person, in order to meet their right to be informed. Alternatively, if the organisation receiving the data needs the person's consent (permission) to hold and use their data, the organisation or category of organisation receiving the information must be named in the request for consent, and the organisation sending the request for consent must receive the person's specific consent for their data to be shared.
You must not share a person’s personal data with any other organisation for that organisation’s marketing purposes unless you are allowed to do so by law, either because you have the person’s consent to do so or through the exceptions in 3.3.2.
You must not sell a person’s personal data to any other organisation, unless you can show that you have that person’s freely given, specific, informed and unambiguous consent to sell their data.
3.4. Case studies
In this section, ‘you’ means a charitable institution or third-party fundraiser.
If you plan to use a real-life example of a person in a case study, you must only process that person’s personal data in line with the law.
For more standards on processing data in line with the law, see section 3, Processing personal data (information).
If you want to use a case study which identifies a person who has died, you must make all reasonable efforts to get permission from that person's estate.
3.5. Direct marketing
In this section, ‘you’ means a charitable institution or third-party fundraiser.
Direct marketing is defined in law as ‘The communication (by whatever means)…of any advertising or marketing material…which is directed to particular individuals…’
The ICO states that fundraising activity, as well as charities’ promotional and campaigning work, is covered by the definition of direct marketing.
In practice, fundraising messages which are sent electronically (for example, phone calls, faxes, texts and emails) or by addressed mail are likely to be directed to a specific person, and so are covered by this definition.
The marketing must be directed to particular people. Some marketing is not directed to specific people (for example, unaddressed mail) and so is not covered by this definition.
Alongside data protection legislation that applies when processing personal data for direct marketing purposes, the Privacy and Electronic Communications Regulations (PECR) will apply when sending marketing electronically, such as by email or text message and in recorded phone calls. In these cases, you will always need the person’s consent to send them direct marketing, unless:
- you meet the ‘soft opt-in’ condition which allows businesses who have received a person’s contact details when selling a product or service to them (or during negotiations relating to a possible sale) to market similar products and services to that person; or
- you are marketing to businesses or organisations (including where you contact an individual using a corporate email address such as firstname.surname@companyname.com).
You must have a lawful basis for processing personal data in order to send direct marketing communications to people.
The standards on ‘consent’ and ‘legitimate interest’, the two most common lawful bases for processing personal data in order to send direct marketing communications, are set out below.
- Information Commissioner’s Office: Direct Marketing Guidance
- Information Commissioner’s Office: Electronic mail marketing – for guidance on when the PECR do not apply
- Information Commissioner’s Office: Lawfulness for processing – for guidance on processing personal data in line with the law
Consent for direct marketing communications
If you use, or plan to use, consent as a lawful basis for processing personal data in order to send direct marketing communications, the consent must:
- be a freely given, specific, informed and unambiguous indication of the person’s wishes;
- be given through a clear positive action from the person concerned to show they have given consent (for example, using active methods, such as ticking an unticked opt-in box or answering ‘yes’ to a question);
- give options for different levels of consent for different types of processing if you plan to process the person’s data for more than one purpose;
- be separate from your other terms and conditions and not be something the person has to give when signing up to a service (unless you need the consent to be able to provide that service);
- name your organisation and any others who will be relying on the consent;
- tell people about their right to withdraw their consent and make it as easy for them to withdraw consent as it is to give it; and
- be recorded in a way that allows your organisation to show who gave consent, when they gave consent, how they gave consent, and what they were told in connection with giving consent.
Electronic requests for consent must be clear and concise and must not unnecessarily disrupt the use of the service the consent is for. For example, you can achieve this by breaking a longer privacy notice into shorter pieces of privacy information which pop up only at the point where a person is asked for their personal data.
If you have a person’s consent to send them direct marketing communications, you:
- must offer them an easy way to withdraw their consent (such as an ‘unsubscribe’ button in any communications you send);
- must, as often as your organisation reasonably decides, remind the person of their contact preferences and offer them an easy way to change these if they want to (such as an ‘update your communication preferences’ button); and
- must update the person’s record as necessary to reflect changes to their consent or contact preferences.
You must make sure that all consent statements (wording to gain consent for marketing purposes) displayed in your fundraising materials are at least the same font size as:
- any text which asks for personal data; or
- any text which states the donation amount;
whichever is bigger.
Legitimate interest as a basis for direct marketing communications
If you are using legitimate interest as the basis for processing data for the purpose of direct marketing by live phone call or by post, you must be able to show that you:
- have identified a legitimate interest (under ICO guidance, this may be your organisation’s own interest or the interest of third parties and may include commercial interests, individual interests and broader benefits to society);
- need to process the data to achieve that interest (under ICO guidance, if the same result can reasonably be achieved in another, less intrusive way, legitimate interests will not apply); and
- have balanced your interest in processing the personal data against the interests, rights and freedoms of the person to make sure that your interests are not overridden by theirs (under ICO guidance, if the person would not reasonably expect you to process their data or it would cause them unjustified harm, their interests are likely to override yours).
If you are relying on the legitimate interest condition as the lawful basis to process data, you must have a record of your decision-making to help show that you meet the conditions set out above.
If you are relying on the legitimate interest condition as the lawful basis to process data for the purpose of direct marketing by phone or post, your privacy notice:
- must explain what you will use the personal data for;
- must explain your legitimate interests; and
- must offer, in the privacy notice and in any other direct marketing communication you send, a clear and simple way for the person to tell you that they do not want to receive direct marketing in future.
- Information Commissioner’s Office: Right to be informed – for guidance on privacy notices
- Information Commissioner’s Office: Legitimate interests – for guidance on using this as a lawful basis to process data
- Information Commissioner’s Office: Consent – for guidance on using this as a lawful basis to process data
3.6. Requests from people to access their personal data
In this section, ‘you’ means a charitable institution or third-party fundraiser.
If you process a person’s personal data, you must, if that person asks you to, give them a copy of the personal data you hold about them and details of how you use it in line with the person’s right of access (exemptions may apply to this).
If you hold or use a person’s personal data to fulfil a contract or because you have their consent to process it, you must make sure that the personal data can be easily moved, copied or transmitted from one computer system to another if the person asks you to do this (whether this is to their own systems, or to the systems of another organisation or new data controllers).
- Information Commissioner’s Office: Right to data portability – for guidance on a person’s right to transfer data for their own purposes
- Information Commissioner’s Office: Right of access – for guidance on a person’s right to access their personal data held by an organisation