- Legitimate Interest
Proposal: The government proposes to create a limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test in order to give them more confidence to process personal data without unnecessary recourse to consent.
Examples provided include:
- Using audience measurement cookies or similar technologies to improve web pages that are frequently visited by service users
- Using personal data for internal research and development purposes, or business innovation purposes aimed at improving services for customers
- Managing or maintaining a database to ensure that records of individuals are accurate and up to date, and to avoid unnecessary duplication
Q1.4.1. To what extent do you agree with the proposal to create a limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test?
our response, please send feedback to firstname.lastname@example.org by 17 November.
We also encourage members to submit their own response to the consultation. The consultation and details can be found at Data: a new direction - GOV.UK (www.gov.uk). The consultation closes on 19th November.
In some cases, we have grouped a number of questions by themes to aid reading and feedback, so the questions may not look exactly the same as the consultation document. There are also some areas where we have outlined a general view and initial thoughts, but not yet set out a complete draft response.
○ Strongly agree
Please explain your answer, and provide supporting evidence where possible.
We agree that there is an over-reliance on consent among organisations and that, while no ground for processing is ‘better’ than another, there is a perception of risk in organisations using legitimate interest fully. This has meant that charity supporters have not heard from organisations when they may have expected to, and the communications they do receive are less informed and less tailored to them.
We welcome the opportunity for this to be addressed and for greater confidence to be felt by organisations in using legitimate interest appropriately.
However, we would like to ensure that whatever list is created does not inadvertently create an impression that activities not on that list are not appropriate for legitimate interest. An unwelcome consequence to be avoided would be presenting the list in a way which shuts down the fair and appropriate use of legitimate interest in other areas. Care would therefore need to be given to how the list is presented, and to the accompanying guidance, to ensure this does not happen.
The creation of a list would provide reassurance to charities and give consistency for people in their relationship and communications with charities. We would like to ensure that the list works consistently with other changes that are made and appropriate to different channels – for example, soft opt-in.
We would like to note that our strong agreement for a list is predicated on the activities that are included on it (as set out below).
Q1.4.2. To what extent do you agree with the suggested list of activities where the legitimate interests balancing test would not be required?
○ Somewhat disagree
Please explain your answer, indicating whether and why you would remove any activities listed above or add further activities to this list.
We do not disagree with the inclusion of the proposed activities in the list, but do believe that without a specific inclusion of fundraising/direct marketing the creation of a list would be detrimental to charity fundraising and the experience of people who support charities.
‘Direct Marketing’ (which encompasses fundraising) is explicitly referenced in Recital 47 of GDPR as processing that may be regarded as a legitimate interest. We believe that current regulatory guidance and the approach organisations have taken to legitimate interest have meant that the intention of this recital has not been fully realised in practice.
‘Direct marketing’ should be included in the list of activities where the legitimate interests balancing test would not be required. This should include the full range of direct marketing activities (from organisations undertaking research to inform their approach to an individual, through to making appropriate contact with them for a direct marketing purpose).
Making it easier to rely on legitimate interest for direct marketing would go a long way to providing the enabling and innovative approach that is at the heart of the consultation and of the UK Government’s policy aims. It would shape how charities are able to connect with supporters and ensure that those communications develop positive relationships, leading to a growth of income for the charity sector and an enhanced experience for individuals.
The result of this would be that charities would be more reassured about being able to undertake direct marketing activity to gain insight and inform their approach to (or decision not to approach) a supporter, and for that communication to be best aligned to that individual’s interests and preferences, providing an enhanced experience and furthering relations between supporters and the charities they give to.
In addition to direct marketing being comprehensively included in the list, we also specifically agree with the proposed inclusion of:
- Using audience measurement cookies or similar technologies to improve web pages that are frequently visited by service users
- Using personal data for internal research and development purposes, or business innovation purposes aimed at improving services for customers
- Managing or maintaining a database to ensure that records of individuals are accurate and up to date, and to avoid unnecessary duplication
Q1.4.3. What, if any, additional safeguards do you think would need to be put in place?
The safeguards inherent within GDPR and the other proposals in this consultation (such as organisations creating a Privacy Management Programme) would ensure that organisations continue to work within a robust and responsible framework in their use of personal data.
Moreover, it should be noted that charities are regulated more tightly than nearly any other sector in terms of their direct marketing activity, having to comply with Charity Law to ensure steps are taken so that individuals are not put under ‘unreasonable pressure’ to donate, or subject to ‘unreasonable intrusions on their privacy’, and ‘unreasonably persistent approaches’. In addition, the Code of Fundraising Practice sets standards for charity fundraising that go above and beyond the law in relation to fundraising practice, while the Fundraising Preference Service, funded by charities, means that the charity sector is the only sector in the UK which has a specific ‘opt out’ mechanism enforced through regulation to stop fundraising approaches through multiple channels.
All of these mean that fundraising (and more broadly, direct marketing activity charities undertake) is governed by sufficient safeguards to ensure that a more appropriate and less restrictive use of legitimate interest will still protect the privacy rights and expectations of individuals.
- AI and Machine Learning in data driven marketing
Proposal: Processing personal data for the purposes of ensuring bias monitoring, detection and correction in relation to AI systems constitutes a legitimate interest in the terms of Article 6(1)(f) for which the balancing test is not required.
We support the less restrictive approach to AI and ability to be innovative with data. We also agree with the ability to combine info from different datasets to enable enrichment of data and a better experience for charity supporters. We are pleased to note the consultation recognised that some level of detail being known about individuals is not inherently harmful or intrusive (for example, knowing an individual lives in a particular postcode and may fit a certain income bracket). The consultation notes a ‘spectrum of risk’ to navigate in that information being linked to another data processing activity, and further information and guidance on navigating that spectrum of risk would be welcome, as well as recognition of the benefits and opportunities that it brings.
- Data Minimisation and Anonymisation
Proposal: Clarifying the circumstances in which data will be regarded as anonymous: (1) Placing Recital 26 of the UK GDPR onto the face of legislation, (2) Creating a statutory test based on the wording of the Explanatory Report accompanying the Council of Europe’s modernised Convention 108. The government is considering legislation to confirm that the question of whether data is anonymous is relative to the means available to the data controller to re-identify it.
Anonymous data should be available to inform direct marketing and fundraising activities and should help when engaging with large datasets. We support proposals to provide clarity over when data is classified as anonymous.
- Data Intermediaries
Proposal: Using data intermediaries for various purposes. A third-party organisation may also act independently by ensuring that individual data subjects’ rights are observed and protected whilst managing different parties’ competing interests.
Q1.7.1. Do you think the government should have a role enabling the activity of responsible data intermediaries?
○ Don’t know
Use of intermediaries is cost-effective and charities rely on the capacity and expertise of partners in data processing. We support data intermediaries being ‘enabled’ to play a role to support data processing which would make it easier for charities to work with professional partners. However, we would encourage clarity on where responsibility lies, for example, in the case of a data breach.
- Overall views on accountability, requirements on data protection officers, removal of requirement for DPIA
Proposals: A number of proposals around accountability and requirements – moving away from set ways of working and towards outcomes. Proposes removing requirements for Data Protection Impact Assessments, record keeping, Data Protection Officers and breach notifications: fewer ‘box ticking’ legal requirements and a more risk-based approach based on outcomes. Proposes that organisations instead have a ‘Privacy Management Programme’ through which they assess risk, take decisions, and ensure outcomes are met.
We are supportive of an outcomes-based approach and reduction of mandatory requirements which take up time and capacity to be replaced by a more risk-based approach where organisations can set their policies and ways of working.
We note some concern about being ‘caught out’ if a tick box approach is moved away from, so seek assurance that the regulation and expectation of organisations is done in a supportive way through appropriate guidance.
While this does not manifestly impact fundraising activities themselves, it will save organisations time, money, and capacity in their data governance without risking individual rights and expectations.
However, we also note that organisations may want to keep the current ways of working that they have embedded and recognise the amount of effort and investment that has taken place among charities to respond to GDPR. It would be helpful for organisations to have appropriate guidance and messaging to provide reassurance that they are able to choose their approach in a way that works best for them.
Proposal: The government is considering two main options: The first option would permit organisations to use analytics cookies and similar technologies without the user’s consent.
The government also welcomes evidence on the risks and benefits of a second option, which could permit organisations to store information on, or collect information from, a user’s device without their consent for other limited purposes.
The government recognises there may be alternatives to web browser solutions or software applications that achieve the effect of removing cookie pop-up notices altogether.
Q2.4.2 To what extent do you agree with the proposal to remove the consent requirement for analytics cookies and other similar technologies covered by Regulation 6 of PECR?
○ Strongly agree
- Extension of soft opt-in to charities and political parties for electronic communications
Proposal: Soft opt-in is available to businesses currently; charities are not able to use it, nor are political parties. We have always said that charities should be able to use it alongside businesses. The key question is whether it extends to donations, or only to transactions where people are paying for a service or product from a charity (e.g. a membership or subscription). Essentially, it is akin to allowing legitimate interest on electronic communications (emails and texts).
Q2.4.9. To what extent do you agree that the soft opt-in should be extended to non-commercial organisations? See paragraph 208 for description of the soft opt-in.
○ Strongly agree
Please explain your answer, and provide supporting evidence where possible.
We strongly welcome this proposal and agree that soft opt-in should be extended to enable charities to use it to keep in touch appropriately with people who have engaged with them. This would create a level playing field for charities in their fundraising and direct marketing, something which we regret was not properly considered at the time the legislation was brought in.
We note that the consultation talks about ‘membership and subscriptions’ being included in this extension of soft opt-in. We strongly propose that it is made explicit that donations and other forms of giving are included in the soft opt-in, as well as participation in challenge events and other forms of participation. Charities operate in different ways and with different fundraising activities that work best for their supporters. Sometimes these are ‘membership’ type schemes; sometimes they may be direct debit or cash donations. Indeed, regular donations are often of higher value than a membership scheme, and supporters expect professional and tailored communications when engaging with charities. Previously, the soft opt-in exclusion has hindered this effective communication and the building of relationships, and so we firmly support the extension, which must also include donations. The soft opt-in has been there to enable people to hear about similar ‘products or services’ when they have engaged in a transaction (of whatever value). The giving of money through a donation can often be of a higher value than the purchase of a product, with similar considerations and expectations having been thought about by the individual. The soft opt-in therefore should not just be extended to ‘charities’; the extension must be made full and meaningful by explicitly including donations.
We also would like consideration given as to how the soft opt-in would work for charities in their campaigning, or engagement electronic communications: for example, signing a petition or other form of participation and volunteering. Many relationships and types of involvement with a charity are not predicated on ‘transaction’ activities (such as the sale of a product or service) but may be equally appropriate for the extension of the soft opt-in.
Under the Code of Fundraising Practice, set and enforced by the Fundraising Regulator, people must be given the chance to opt-out when contact details are first collected by charities for fundraising purposes and in every subsequent marketing communication they are sent (3.5.4 and 3.5.9 of the Code of Fundraising Practice). This means that current practice in fundraising would already be at the level needed to ensure that soft opt-in was used appropriately and in line with the public’s experience of other marketing communications from commercial organisations.
- Special category data and public interest
Q4.4.4. To what extent do you agree there are any situations involving the processing of sensitive data that are not adequately covered by the current list of activities in Schedule 1 to the Data Protection Act 2018?
Our members often report difficulty and challenge in responding appropriately, and in the best interests of an individual, when they are dealing with a supporter (and their family) where there is an issue around vulnerability. Often a charity would want to be able to record certain data around an individual’s situation so as to be able to communicate appropriately (or not at all) with them in the future. This may include not sending certain types of fundraising communications to an individual, ‘pausing’ activity for a number of months, or being able to respond appropriately to an individual if they contact the charity to make a donation. They can of course only respond appropriately if they have the right data recorded to inform future communications.
Our understanding of the current legislation is that recorded information about vulnerability would most likely constitute ‘health’ information, for which explicit consent would need to have been provided in order for the organisation to record the data. This explicit consent may be inappropriate or insensitive to ask for, and may be unwelcome or distressing for the individual to respond to. If information relating to vulnerability were classified as part of the substantial public interest condition, this would be a welcome and valuable change which would provide a much better experience for people and their families where issues of vulnerability are present.
Q4.4.7. To what extent do you agree that there may be a need to add to, or amend, the list of specific situations in Schedule 1 to the Data Protection Act 2018 that are deemed to always be in the substantial public interest?
Please explain your answer, and provide supporting evidence where possible, including on:
Including a provision for the processing of special category health data in relation to fundraising and the protection of vulnerable people would be a helpful and welcome change for supporters and the public. This change would be beneficial as it would enable charities to be able to properly record and action appropriate communications and processes, provide for a better and more tailored and sensitive experience by supporters and their families, and help charities comply with their legal and regulatory requirements.
○ What the risks and benefits of listing those situations would be
The benefits of listing this situation would be that charities could record data about vulnerable individuals to ensure that they are treated fairly and appropriately and are not approached for donations where it would not be appropriate to do so. This would better enable charities to comply with their legal and regulatory obligations in this area and to better protect and safeguard the people they interact with. We do not perceive any risks to this, subject to appropriate guidance being provided as set out below.
○ What, if any, safeguards may be needed
Appropriate guidance to help organisations understand and appropriately use substantial public interest as a means of recording and responding appropriately to issues of vulnerability would be a necessary and welcome safeguard.
- Other views on improving data protection to give supporters the best experience of fundraising
There are areas where interpretation of GDPR, or the law itself, has caused difficulty in giving the best experience for supporters and in supporting innovation and effectiveness in fundraising. We welcome the opportunity for these to be addressed and considered, even if not as part of legal changes (for example, in regulatory guidance, advice, or public policy).
Some of the difficulty of navigating GDPR and PECR has been the interpretation of the ICO and the clarity and comprehensiveness of its guidance. This has created a risk-averse approach and has left charities unsure of the action they can take.
Alongside specific proposals, we believe there are some ‘sticking points’ which have caused difficulty in putting people first in charity fundraising communications. These include:
- The requirement to inform people about data processing while building up research and insight to best guide an appropriate form of communication (or to decide not to approach a supporter). Article 14 states that individuals need to be informed within a month if their data is being processed – but that can often be ahead of when a communication with that individual would normally happen (for example, if planning a future fundraising campaign), creating a premature communication purely to fulfil the legislative requirement rather than at the time that would make most sense for the individual and the charity. For charities with larger, more complex (and often more personalised) letters it can also be very difficult to do all the necessary data cleaning and personalisation within that period. It is impractical, and creates a situation where charities are compelled to communicate with an individual before they are ready and before it is meaningful for the individual to receive it. We recommend that the existing requirement is extended so that the communication must happen within 90 days rather than one month.
- We note ongoing confusion and hesitancy throughout the charity sector over the ability to contact an individual to thank them appropriately for their donation or support in a meaningful way. A very risk-averse stance has been taken by the ICO, which has meant that some charity supporters do not get thanked appropriately, and this does not create a positive experience of fundraising and giving. For example, charities have previously been told that they could thank a supporter by confirming the amount of the donation, but not tell that supporter the difference it will make, what the money will be used for, or how they might find out more about the cause they have supported. This is a very rigid interpretation of the current legislation and one that does not benefit people who support charities and the causes they give to.
- Equally, there is ongoing confusion and hesitancy on being able to ask a supporter if they want to Gift Aid a donation, with a lack of clarity as to this being an administrative rather than direct marketing communication, leading to lost income for charities due to a belief they are unable to ask. We understand that the regulatory approach is that this is an administrative communication, but charities would welcome clear guidance that they can rely on that this is the case.
- The length of time to keep supporter records is something which is currently able to be decided by an organisation based on the need and balancing rights of individuals. In some cases we know that this has resulted in organisations, out of fear of getting it wrong, deleting supporter data which they have subsequently needed and that the supporter expects them to have kept. We would welcome greater reassurance from the regulator or in regulatory guidance that supports charities in having the confidence to make those decisions.
We would also like to seek clarity and reassurance on re-using publicly available data (e.g. information from Companies House, newspaper articles etc.) for new purposes, perhaps through appropriate guidance (rather than legislation change