Charities - Invisible Processing for Wealth Profiling and Fundraising

Processing must be lawful and fair

Information is considered "personal data" if an individual is identified (or can be identified) from either that information alone or that information along with other information available. Collecting and holding personal data still counts as "processing" right up until it is securely destroyed (regardless of the source).

If a charity is collecting anonymised data, statistical or geographical data about areas of wealth and that information cannot reasonably identify living individuals then the charity can proceed to use that data to direct their fundraising efforts. 

Organisations must have a legal basis for collecting personal data. The most likely option for collecting data for charity profiling is where processing is necessary for the purposes of legitimate interests, pursued by the charity (i.e. the controller). Charities must comply with the three step test set out by the Information Commissioner's Office (ICO) and ensure that the charity's legitimate interests are balanced against the individual's fundamental rights and freedoms.

1. There must be a clear purpose for processing personal data - Charities need to identify clear and specific outcomes as simply stating "business purposes" is deemed too wide a purpose by the ICO. One specific purpose is identifying high-net-worth individuals or regular donors to target with direct marketing or promotional mailshots.
2. The processing must be necessary for the purpose, for example: a charity is trying to attract new donors who have the means and potential interest in making a donation. A charity should consider whether there is another way of achieving the purpose before concluding that the proposed processing of personal data is necessary.
3. Balancing act - A charity would need to consider if their legitimate interests were overridden by individuals' rights, interests or freedoms. This involves considering the nature of information being processed (for example, name, contact details, rich list information), the reasonable expectations of the individual, and the likely impact on the individual.

Direct marketing

The processing of personal data for direct marketing purposes may be considered a ‘legitimate interest’ under data protection law. However, charities must exercise caution, as they are also required to comply with e-privacy regulations and adhere to relevant industry standards, including the Code of Fundraising Practice. A charity will generally be required to obtain explicit consent prior to sending any direct marketing emails, texts or phone calls. A charity can contact potential donors by post or live calls (if the individual is not registered with the Telephone Preference Service) provided the rights of the individual are not negatively impacted and the recipient is offered the opportunity to "opt out" of such direct marketing.

Charities must consider whether individuals would reasonably expect their personal information to be used for direct marketing purposes. This is particularly important when individuals are unaware that the charity holds their data. Under data protection law, individuals have an absolute right to object to the processing of their personal information. However, they must first be informed that such processing is taking place. Even when the impact appears minimal—such as receiving a marketing mailshot—charities are still required to provide a clear and accessible option for individuals to opt out of the use of their personal data.

Transparency

Individuals must be informed when their personal data is collected and how it will be used, typically via a website privacy notice. This transparency enables them to exercise their data rights. However, if individuals are unaware their data is being collected—especially when obtained from third parties—they may not know to access such notices. Controllers have the same duty to inform individuals, regardless of the data source. 

A charity collecting personal data from other sources needs to inform individuals within at least one month of collection or, if the if the information is being used to communicate with an individual, at the time of the first communication (for example, when issuing the first direct marketing mail-shot). However, there are practical issues that need to be considered. Trying to notify a potential donor that you are processing their information (and why) may seem counterproductive when the charity wants to contact them with fundraising information. The potential donor may well opt out of communications immediately. 

Exceptions

The requirement to provide privacy information doesn't apply where it is impossible to do so, where it would involve a disproportionate effort, or where providing the information would mean the objectives of processing are impossible or are seriously impaired. 

• Notifying individuals is impossible. Contacting individuals would only be seen as impossible where the organisation does not have any contact details for individuals and it would be impossible to obtain them. 
• Notifying individuals would involve a disproportionate effort. An excessive organisational and financial burden is not likely to outweigh the risk and possible damage to the rights and freedoms of data subjects. It has to be more than a mere inconvenience for the organisation. A charity would need to be confident they can justify why contacting individuals is genuinely disproportionate in the circumstances.
• Achievement of objectives would be impossible or seriously impair them. A charity must demonstrate that providing privacy information to individuals would hinder or prevent the objectives of the processing. The purpose of the processing may be to build a relationship with a potential new donor. A charity may be concerned that sending an unexpected privacy notice could harm trust. However, it must still balance its interests with individuals’ rights. Discovering months later that their data was used without their knowledge could undermine trust even more. Early transparency can be beneficial—if someone opts out, the charity avoids unnecessary effort and remains compliant.

There is no automatic exemption from providing privacy information just because individuals' personal information is in the public domain. Caution must be exercised around the use of the exceptions. The ICO have previously highlighted that if an organisation has individuals' contact details these should be used to contact those individuals and provide the necessary information on the use of their personal information.

Conclusion

• Collecting publicly available information for the purposes of wealth profiling or direct marketing to individuals for fundraising purposes can present significant benefits to a charity in a time of increasing uncertainty for the sector. 
• This has to be carefully balanced against the potential impact on individuals, particularly if individuals' rights are not effectively safeguarded. Failure to protect individuals rights may potentially damage or undermine trust with existing and potential donors. 
  The exceptions to providing privacy information present a high bar and should be applied with the utmost caution. 
• If a charity has access to the individuals' contact details, there is really no real justification for not contacting those individuals to provide privacy information. 
• A charity can consider other forms of information gathering that reduce the risks associated with processing personal data, for example collating information on market trends, geographical anonymised wealth data and statistics which will help guide long term funding planning.