Marketing and Fundraising
The ICO (the data protection and privacy regulator) is taking a very robust line in relation to marketing and fundraising as evidenced by its recent enforcement action and guidance. Most readers will be aware that the ICO fined the British Heart Foundation and the RSPCA late last year for breaches concerning their fundraising practices. In addition to this, the ICO has recently announced an intention to fine a further 11 charities.
You should ensure that your marketing and fundraising practices comply with data protection law. It is also worth keeping in mind that the definition of marketing is very broad. It goes beyond selling products or asking for donations. As such, an email telling alumni about your plans for the next five years is likely to count as marketing.
When carrying out marketing and fundraising, you should keep the following in mind:
You should ensure that individuals are told how their personal data is used for fundraising and marketing purposes. This should be done via the appropriate privacy notice. Transparency is particularly important for the more privacy intrusive practices such as wealth screening (which in some cases, according to the ICO at least, will also require consent).
Some fundraising practices require consent. For example, it is usually unlawful to send a marketing email unless the recipient has consented. Consent must be freely given, specific and informed. It must also be accompanied by a positive action. As such a statement such as 'You consent to us sending you fundraising emails. Please email us to opt out.' is not valid consent by any standards.
In order to cover off the transparency and consent requirements, we envisage more schools using 'opt in' tick boxes to obtain consent as appropriate with a detailed description of how personal data is used for fundraising purposes.
- Existing Data
Even if you are satisfied that your school has a compliant privacy notice/consent form in place going forward, you will also have to consider what steps to take to make your existing database compliant.
You should also be mindful of how the GDPR will impact on fundraising practices. The ICO's position appears to be that 'opt out' consent is no longer lawful under the GDPR.
The General Data Protection Regulation
The General Data Protection Regulation (GPDR) will replace the Data Protection Act from 25 May 2018. Although implementation is still over a year away, you should be taking steps now to ensure that they are compliant. This includes:
- reviewing information security arrangements to check that they meet the standards required by the GDPR
- checking policies and procedures for GDPR compliance
- considering how to meet the requirement under the GDPR that schools must be able to evidence compliance with data protection law
- updating privacy notices, which will require additional information to be included. For example, under the GDPR individuals must be told about their right to complain to the ICO.
Schools are increasingly being targeted by criminals via sophisticated cyber-attacks. Emails are particularly vulnerable. For example, a fraudster might intercept an email from a supplier to your school and replace the supplier's bank details with their own. Another common attack involves the fraudster sending an email to parents requesting payment of school fees, but again, the payment details are the fraudster's and not the school's.
Schools should take steps to ensure that they are adequately protected against such risks. This includes:
- check that your IT systems are sufficiently robust so as to prevent school systems and email accounts from becoming compromised
- train staff to be vigilant and how to spot the risks (such as suspicious emails)
- consider whether your current practices are secure - for example, is it really appropriate to send the school's bank details to parents via email
- have a security breach action plan in place - this can be used as a checklist so that a school can respond quickly should a breach occur
How Can We Help?
We can assist with all aspects of data protection compliance including with the issues set out above.
We have recently launched our Information Security training module for school staff as part of My OnStream. This module complements the data protection module which we launched late last year.
In addition, we are about to launch a data protection module of our Compliance Toolkit. This provides subscribers with a monthly notification about the latest developments in data protection compliance.
For further information, please contact our Independent Schools specialists Andrew Gallie on 0117 314 5623 or Claire Hall on 0117 314 5279.