3. Processing personal data (information)
Protecting personal data makes sure people can trust you to use their data legally, fairly and responsibly. This section sets out the standards we expect when you process
The rights people have over their data
The General Data Protection Regulation (GDPR) gives people the following rights in law regarding their
Special category data
Certain types of data need stronger protection. This includes, for example, information relating to their:
- race;
- ethnic background;
- political opinions;
- religion;
- trade-union membership;
- genetics;
- biometrics (computerised details used to identify a person through their unique characteristics, for example through fingerprint scanning and facial recognition);
- health;
- sex life; or
- sexual orientation (sexuality).
Guidance on conditions for
3.1. General requirements for personal data
You must meet all legal requirements relating to data protection, including:
- the Data Protection Act 2018;
- the General Data Protection Regulation (GDPR); and
- the Privacy and Electronic Communications (EC Directive) Regulations (PECR) 2003, including the requirements of the Telephone Preference Service (TPS), and any revisions to e-privacy legislation that result from the European Commission’s review of PECR that began in 2017.
You must keep up to date with guidance from the ICO. This includes the ICO’s direct marketing guidance, its GDPR consent guidance and legitimate interests guidance.
If you process personal data, you must pay the data protection fee to the ICO, unless you are exempt.
When processing personal data (including information that is available to the public) for any purpose, you must:
- have a lawful basis (a valid legal reason) for collecting, using and keeping the personal data (for more information on the grounds (or ‘conditions’) for processing personal data, see articles 6 and 9 of the GDPR);
- give people concise, open, understandable and easily accessible information about how you will process their personal data, including who your organisation is, what you are going to do with their personal data and who (if anyone) you will share it with;
- only process personal data in ways that the person whose data it is would reasonably expect; and
- not do anything unlawful with personal data.
You must meet any duties you have to keep data confidential. You must not share data if you have a legal duty to keep the data confidential, unless there is an overriding legal reason to do so. For example, if a court ordered you to release the data.
- Information Commissioner’s Office: Guide to Privacy and Electronic Communications Regulations
- Information Commissioner’s Office: Right to be informed – for guidance on privacy information and notices
- Information Commissioner’s Office: Data Protection fee – for information on how to register with the ICO
3.2. Storing and maintaining personal data
You must make sure that all materials, in particular filled-in donor forms, are stored securely and in line with your obligations under data protection law.
You must make sure that data you keep about donors is accurate and reflects their communication preferences, and only keep it for as long as is necessary for:
- the purpose or purposes you are processing it for;
- purposes compatible with these stated processing purposes; or
- a purpose that is allowed by law and is in the public interest.
You must be able to show that you have taken all reasonable steps to make sure that:
- databases are accurate and, where necessary, up to date;
- you don’t send direct marketing to people who have told you they don’t want to receive it; and
- you stop sending communications addressed to people you know have died.
You must have appropriate systems or procedures in place (such as a list of people not to contact) to make sure that you do not send direct marketing to people who have asked not to receive it.
You must either stop sending direct marketing to a person within a reasonable period (as soon as possible, but in any case within 28 days) or not begin to process a person’s personal data for the purpose of sending them
- a notice from (or sent on behalf of) a person through the Fundraising Preference Service telling you that a request to stop contact has been made; or
- any other clear indication from a person (or made on their behalf) that they do not want you to contact them for direct marketing purposes. This indication may include giving you their contact preferences or unsubscribing from mailing lists.
- Information Commissioner’s Office: Right to object – for guidance on people’s right to object to you processing their personal data
- Information Commissioner’s Office: Principle (b): Purpose limitation – for guidance on keeping to the limits on the purposes you are allowed to process personal data for
3.3. Sharing and selling personal data
You must not share personal data with any other organisation unless you have a lawful basis to share it and can prove that you meet the processing requirements in section 3.1 above.
If personal data is shared between organisations:
- within a federated structure (in other words, where one organisation controls the other or where both are controlled by the same parent organisation); or
- under a data-processing arrangement (where one organisation acts on behalf of another organisation under a written contract, such as professional fundraisers, data-management companies or printing houses);
the organisational structure or arrangement and the reason for processing the data must be clear in the privacy information you give to the person in order to meet their right to be informed. Or, if the organisation receiving the data needs the person’s consent (permission) to hold and use their data, the organisation or category of organisation receiving the information must be named in the request for
You must not share a person’s personal data with any other organisation for that organisation’s marketing purposes unless you are allowed to do so by law, either because you have the person’s consent to do so or through the exceptions in 3.3.2.
You must not sell a person’s personal data to any other organisation, unless you can show that you have that person’s freely given, specific, informed and unambiguous consent to sell their data.
3.4. Case studies
If you plan to use a real-life example of a person in a case study, you must only process that person’s personal data in line with the law.
For more standards on
If you want to use a case study which identifies a person who has died, you must make all reasonable efforts to get permission from that person's estate.
3.5. Direct marketing
The ICO states that fundraising activity, as well as charities’ promotional and campaigning work, is covered by the definition of
In practice, fundraising messages which are sent electronically (for example, phone calls, faxes, texts and emails) or by addressed mail are likely to be directed to a specific person, and so are covered by this definition.
The marketing must be directed to particular people. Some marketing is not directed to specific people (for example, unaddressed mail) and so is not covered by this definition.
Alongside data protection legislation that applies when processing personal data for
- you meet the ‘soft opt-in’ condition, which allows businesses who have received a person’s contact details when selling a product or service to them (or during negotiations relating to a possible sale) to market similar products and services to that person; or
- you are marketing to businesses or organisations (including where you contact an individual using a corporate email address such as firstname.surname@companyname.com).
You must have a lawful basis for processing personal data in order to send direct marketing communications to people.
The standards on ‘consent’ and ‘legitimate interest’, the two most common lawful bases for processing personal data in order to send
- Information Commissioner’s Office: Direct Marketing Guidance
- Information Commissioner’s Office: Electronic mail marketing – for guidance on when the PECR do not apply
- Information Commissioner’s Office: Lawfulness for processing – for guidance on processing personal data in line with the law
Consent for direct marketing communications
If you use, or plan to use, consent as a lawful basis for processing personal data in order to send direct marketing communications, the
- be a freely given, specific, informed and unambiguous indication of the person’s wishes;
- be given through a clear positive action from the person concerned to show they have given consent (for example, using active methods, such as ticking an unticked opt-in box or answering ‘yes’ to a question);
- give options for different levels of consent for different types of processing if you plan to process the person’s data for more than one purpose;
- be separate from your other terms and conditions and not be something the person has to give when signing up to a service (unless you need the consent to be able to provide that service);
- name your organisation and any others who will be relying on the consent;
- tell people about their right to withdraw their consent and make it as easy for them to withdraw consent as it is to give it; and
- be recorded in a way that allows your organisation to show who gave consent, when they gave consent, how they gave consent, and what they were told in connection with giving consent.
Electronic requests for consent must be clear and concise and must not unnecessarily disrupt the use of the service the
If you have a person’s consent to send them direct marketing communications, you:
- must offer them an easy way to withdraw their consent (such as an ‘unsubscribe’ button in any communications you send);
- must, as often as your organisation reasonably decides, remind the person of their contact preferences and offer them an easy way to change these if they want to (such as an ‘update your communication preferences’ button); and
- must update the person’s record as necessary to reflect changes to their consent or contact preferences.
You must make sure that all consent statements (wording to gain
- any text which asks for personal data; or
- any text which states the donation amount;
whichever is bigger.
Legitimate interest as a basis for direct marketing communications
If you are using legitimate interest as the basis for processing data for the purpose of direct marketing by live phone call or by post, you must be able to show that you:
- have identified a legitimate interest (under ICO guidance, this may be your organisation’s own interest or the interest of third parties and may include commercial interests, individual interests and broader benefits to society);
- need to process the data to achieve that interest (under ICO guidance, if the same result can reasonably be achieved in another, less intrusive way, legitimate interests will not apply); and
- have balanced your interest in processing the personal data against the interests, rights and freedoms of the person to make sure that your interests are not overridden by theirs (under ICO guidance, if the person would not reasonably expect you to process their data or it would cause them unjustified harm, their interests are likely to override yours).
If you are relying on the legitimate interest condition as the lawful basis to process data, you must have a record of your decision-making to help show that you meet the conditions set out above.
If you are relying on the legitimate interest condition as the lawful basis to process data for the purpose of direct marketing by phone or post, your privacy notice:
- must explain what you will use the personal data for;
- must explain your legitimate interests; and
- must offer, in the privacy notice and in any other direct marketing communication you send, a clear and simple way for the person to tell you that they do not want to receive direct marketing in future.
- Information Commissioner’s Office: Right to be informed – for guidance on privacy notices
- Information Commissioner’s Office: Legitimate interests – for guidance on using this as a lawful basis to process data
- Information Commissioner’s Office: Consent – for guidance on using this as a lawful basis to process data
3.6. Requests from people to access their personal data
If you process a person’s personal data, you must, if that person asks you to, give them a copy of the
If you hold or use a person’s personal data to fulfil a contract or because you have their consent to process it, you must make sure that the
- Information Commissioner’s Office: Right to data portability – for guidance on a person’s right to transfer data for their own purposes
- Information Commissioner’s Office: Right of access – for guidance on a person’s right to access their personal data held by an organisation