Data protection and fundraising

Rate this page

Rating statistics for this page

3.0 out of 5 from 53 votes

Breakdown

13 votes

10 votes

8 votes

10 votes

12 votes

You should assume that any fundraising appeal made directly to individuals is covered by the Data Protection Act. This includes any unsolicited contact by post, phone, email or text message. This is covered by the Act because you are using donors’ personal information.

It does not matter where your list comes from – your own members, people who have made enquiries, a bought-in list. The best way to ensure compliance (and good practice) is to get things right from the moment you start to compile the list. Start with your data capture forms, on paper, online and from phone calls.

Keep people informed from the start on data usage

Before people give you their details, they should know that you might use their information for fundraising or marketing. A simple declaration may be enough, for example, ‘We will keep your details so we can contact you in the future about our activities and how you can support us’.

Make it clear who you are collecting the information for (for example, for both a charity and its trading company).

Be ‘fair’ about using data

You can only use data in ways which are ‘compatible’ with the original purpose(s) it was obtained for. Data collection must be transparent. If you have people’s details already and have not told them you might use the data for marketing/fundraising, you may need their consent. Think carefully about how best to approach people in this situation. Take advice from the Information Commissioner’s Office (ICO) as necessary.

Give people the opportunity to say no to the use of their details

If someone ever tells you they do not want their details used for marketing/fundraising, you must ensure they are not contacted. Don’t leave it for them to tell you. At minimum offer an opt-out tick box when you collect data. If this is not possible, tell them an easy way to opt out

It is an offence to make a cold marketing call to a number on the Telephone Preference Service (TPS) register unless you have specific permission from the individual. There is some doubt over whether fundraising counts as marketing for TPS purposes. (It almost certainly does for Data Protection purposes.)

People may consider marketing/fundraising by phone, email or other electronic means as more intrusive. It is best practice to get positive consent for these forms of contact (opt-in). This is required for donations, but for events, merchandise sales etc., an opt-out may be acceptable. Regular contact by email – even a newsletter that is not strictly marketing or fundraising – should always contain instructions on how to unsubscribe.

Share data carefully

Whenever data leaves your organisation for any reason you must take adequate security measures to prevent it getting lost or falling into the wrong hands. This means:

• always use the most secure means of transfer available in the circumstances: for example, VPN (not email), courier or registered post (not ordinary post)
• minimise the quantity and extent of data involved. Exclude any individuals or data items that are not required for the purpose
• encrypt data and password protect the file and/or media on which the data is transferred. This reduces accessibility if it does fall into the wrong hands. Security requirements vary depending on the nature/size of data being sent. The ICO can provide advice on this.

If you buy in or swap lists you must be satisfied the people concerned have been told and have not opted out. For email lists they must always opt-in. When you buy/rent a list, ask for a written warranty that appropriate consents are in place.

If you are going to share or sell data you must always tell people in advance that this will happen. Indicate the type (and for regular transfers the identity) of organisations you will pass the data to.

If you send data to a third party for processing (for example, an agency that will make the calls or a mailing house to send out information) you are responsible for what happens to it. You must make sure the processor has proper security and will only use the data for the purposes you have authorised.

If you share data with an organisation overseas (possibly even when you put it on a web site where it is accessible overseas) you must comply with the rules for transferring data abroad (see PDF guide 'International transfers - legal guidance' listed under heading 'Detailed specialist guides').

Everyone has the right to see their personal records. You can charge up to £10 and send it within 40 days of a written request.

Every website must have a Privacy Statement explaining how you use personal data. Ensure it is up to date, accessible and covers all your main responsibilities.

If you take money from people by credit or debit card, make sure you are familiar with the Payment Card Industry Data Security Standard.

Source: Published with permission from the Directory of Social Change.

Have your say

Have you faced any challenges regarding the use of personal data? Share your experience with others on the Fundraising forum.