Governance, legal and compliance

Data protection not data prevention

Earlier this week the UK Parliament’s Justice Select Committee held its first evidence session on the EU Data Protection Framework Proposals. Whilst they were concerned predominantly with the logistics and ...

Earlier this week the UK Parliament’s Justice Select Committee held its first evidence session on the EU Data Protection Framework Proposals. Whilst they were concerned predominantly with the logistics and technicalities in the Information Commissioner’s report, I am concerned that further regulation in the area of data protection, drawn up without consideration of the structure or activities of charities will prove unduly restrictive for many organisations. The new proposals build on the EU’s existing body of law around privacy rights and include the contentious “right to be forgotten”. The aim is noble; to allow individuals to control the information that is held about them and how it is processed, but, existing European law already implemented in the UK with the same end goal in sight leaves many charities walking a blurry line between what is compliant and what is not - simply because charities were not given adequate consideration during the proposal stages. Take for example, the Privacy and Electronic Communications Regulations (first introduced in 2003 and updated in 2011) which were designed to prevent individuals from being bombarded with unwanted marketing information. For charities with scarce resources to seek expert legal advice the law here is unclear as to both what can be sent, and who it can be sent to. Guidance from the ICO explains that “marketing material” cannot be sent to an individual subscriber who has not notified the sender previously that they wish to receive it, but this is not as straightforward as it may seem for two reasons. Firstly, marketing material is defined too broadly and secondly, the line between those who can and cannot be sent unsolicited marketing material is drawn at an arbitrary point where charities are concerned.
  • What is marketing material?
Marketing material is defined broadly so as to include “not just the offer for sale of goods or services, but also the promotion of an organisation’s aims and ideals”.  If it is not for the promotion of aims and ideals, what is the not-for-profit sector for? Does this mean that an email sent to an individual to discuss the possibility of collaborating on a new project is “marketing material” if it appeals to a shared ideal?
  • Who can be sent unsolicited marketing material?
The rules here are unclear where charities are concerned. Firstly, the language of the law is confusing. For data protection purposes “Person” is to be interpreted as a ‘legal person’ – which can in certain circumstances include a business or a charity. The law distinguishes between actual people as “individual subscribers” and “corporate subscribers”. This means that someone inheriting a list of contacts who have previously been involved with say, a community health service and wanting to contact them about setting up a new venture must first determine whether each contact is an individual subscriber or a corporate subscriber – and this is by no means straightforward. The rules on corporate subscribers are the least restrictive, but the most confusing. The ICO provides a long list of criteria as to who can be a corporate subscriber. The list includes “corporate bodies such as a limited company in the UK” in addition to a further list buried deep within the Companies Act of 1985. Many charities are indeed limited companies (roughly 60% of CFG’s members are companies limited by guarantee) so their staff and even volunteers with a work email address can be contacted without permission with any marketing material. The term individual subscriber refers to everyone whose email address ends in “” but also includes those people with “” who do not satisfy any of the criteria which would make them “corporate subscribers”. It is this group of people that cannot be contacted with unsolicited “marketing material”, which includes the promotion of aims or ideals. In practice this means that someone wishing to promote the aims or ideals of their project with a view to establishing a new service in the community should only contact those individuals on their list who work for an incorporated organisation. I find it hard to believe that the law reasonably expects the sender to trawl through their database to determine the status of each of organisation they wish to contact. Surely a law which could prevent contacting potential partners who share your ideals regarding a new project (because they work for an unincorporated charity), but allows you to contact a volunteer at a charity (which is a limited company) with any marketing material, promotion of goods and services included, can only have been drawn up without any kind of awareness of the way the sector works. At CFG we know that data protection is a murky and confusing area for charities. We are currently in the process of reviewing our own data protection and information policies, so we know how tricky it can be to get it right. We’re also working on a best practice guide with some templates and useful information to build on the ICO’s top tips for charities released last month and are looking for involvement from the sector. If you would like to be involved in a working group or feel you could contribute (either with a case study or an informal chat) please contact me at In the meantime, I can only hope that the Justice Committee will be more mindful as they continue to deliberate on the latest proposals and will provide us with a framework which is not just workable, but actually makes sense for those working in a sector for which the promotion of aims and ideals is integral to their operation. Jazmine Bradfield works at CFG and is co-ordinating the Data Protection publication     « Back to all blog posts