The announcement today by the UK Data Regulator, the Information Commissioner’s Office (ICO), that it has investigated a number of charities for their data handling practices shows that the use of Big Data continues to be on the agenda of regulators.
What happened?
According to the ICO’s investigation, the Royal Society for the Prevention of Cruelty to Animals (RSPCA) and the British Heart Foundation (BHF) secretly screened millions of their donors so they could target them for more money. Their practices included sharing information with other charities (using a scheme called Reciprocate) and so-called “wealth screening”, where the charities employed wealth management companies to sweat data on their donors, including their dates of birth, value and date of last donation, likely property value, lifestyle, social media friendship circles and the likelihood of them leaving legacies to the charities concerned in their wills.
The RSPCA were not able to identify which other charities were part of the Reciprocate scheme. Over a seven-year period it disclosed hundreds of thousands of records each year. Supporters’ details were shared even if they had opted out. BHF said that it had disclosed over one million personal records through the Reciprocate scheme.
In addition, both the RSPCA and BHF engaged in so-called “tele-matching” to try and find new contact details for previous donors. The RSPCA investigation revealed that they were likely to have tried tele-matching with more than one million individuals. In the BHF case, they had been tele-matching since 2005 and had put several hundred thousand people through the system.
What were the penalties?
The ICO has fined the RSPCA £25,000 and BHF £18,000. It is the ICO’s belief that, but for the fact that they are charities and that the fines will effectively be paid out of money donated by the victims, the fines could have been £250,000 and £180,000 respectively.
It is important to remember that currently the maximum penalty the ICO could impose would be £500,000. That maximum will go up to 4% of global annual turnover (note: not profit) on 25 May 2018.
What do the two charities say?
I asked both the RSPCA and the BHF for their views.
The BHF’s Chief Executive, Simon Gillespie, said “We are extremely disappointed in the action the ICO has taken. … We find the decision surprising as earlier this year in June the ICO praised our data handling and said that they had no concerns about us as a data controller. In June 2015 we took the decision never to share our supporters’ data with other fundraisers and we have made it clear to our supporters that this is the case. We believe that key aspects of the ICO’s decision and findings are wrong, disproportionate and inconsistent. Our trustees will therefore consider whether it’s in the interests of our supporters and beneficiaries to challenge this decision.”
The RSPCA said that they no longer tele-match data or wealth screen. Their Chief Executive, Jeremy Cooper, said: “We are disappointed at the ruling and disagree with the conclusions drawn by the ICO… the ICO considered the information we gave to supporters on how their personal data would be used was inadequate. There has been one acknowledged contravention, through an inadvertent error, which we ourselves brought to the ICO’s attention…”
Are there any other issues for Big Data?
Consent and the need to know the sources of data used is only one of the issues involved in using Big Data compliantly. I looked at some of the others in my guest article for Computer Weekly in October 2016. You can read that article here.
You can find out more about this investigation here.
You can visit the RSPCA’s website here and the BHF website here.
Jonathan Armstrong is a lawyer with Cordery in London where his focus is on compliance issues.
Office: +44 (0)207 075 1784
jonathan.armstrong@corderycompliance.com