Protecting personal data makes sure people can trust you to use their data legally, fairly and responsibly. This section sets out the standards we expect when you process
The rights people have over their data
The General Data Protection Regulation (GDPR) gives people the following rights in law regarding their
Special category data
Certain types of data need stronger protection. This includes, for example, information relating to their:
- ethnic background;
- political opinions;
- trade-union membership;
- biometrics (computerised details used to identify a person through their unique characteristics, for example through fingerprint scanning and facial recognition);
- sex life; or
- sexual orientation (sexuality).
Guidance on conditions for
3.1. General requirements for personal data
You must meet all legal requirements relating to data protection, including:
- the Data Protection Act 2018;
- the General Data Protection Regulation (GDPR); and
- the Privacy and Electronic Communications (EC Directive) Regulations (PECR) 2003, including the requirements of the Telephone Preference Service (TPS), and any revisions to e-privacy legislation that result from the European Commission’s review of PECR that began in 2017.
When processing personal data (including information that is available to the public) for any purpose, you must:
- have a lawful basis (a valid legal reason) for collecting, using and keeping the personal data (for more information on the grounds (or ‘conditions’) for processing personal data, see articles 6 and 9 of the GDPR);
- give people concise, open, understandable and easily accessible information about how you will process their personal data, including who your organisation is, what you are going to do with their personal data and who (if anyone) you will share it with;
- process personal data in ways that the person whose data it is would reasonably expect; and
- not do anything unlawful with
You must meet any duties you have to keep data confidential. You must not share data if you have a legal duty to keep the data confidential, unless there is an overriding legal reason to do so. For example, if a court ordered you to release the data.
- Information Commissioner’s Office: Guide to Privacy and Electronic Communications Regulations
- Information Commissioner’s Office: Right to be informed – for guidance on privacy information and notices
- Information Commissioner’s Office: Data Protection fee – for information on how to register with the ICO
3.2. Storing and maintaining personal data
You must make sure that all materials, in particular filled-in donor forms, are stored securely and in line with your obligations under data protection law.
You must make sure that data you keep about donors is accurate and reflects their communication preferences, and only keep it for as long as is necessary for:
- the purpose or purposes you are processing it for;
- purposes compatible with these stated
- a purpose that is allowed by law and is in the public interest.
You must be able to show that you have taken all reasonable steps to make sure that:
- databases are accurate and, where necessary, up to date;
- you don’t send direct marketing to people who have told you they don’t want to receive it; and
- you stop sending communications addressed to people you know have died.
You must have appropriate systems or procedures in place (such as a list of people not to contact) to make sure that you do not send direct marketing to people who have asked not to receive it.
You must either stop sending direct marketing to a person within a reasonable period (as soon as possible, but in any case within 28 days) or not begin to process a person’s personal data for the purpose of sending them
- a notice from (or sent on behalf of) a person through the Fundraising Preference Service telling you that a request to stop contact has been made; or
- any other clear indication from a person (or made on their behalf) that they do not want you to contact them for direct marketing purposes. This indication may include giving you their contact preferences or unsubscribing from mailing lists.
- Information Commissioner’s Office: Right to object – for guidance on people’s right to object to you processing their personal data
- Information Commissioner’s Office: Principle (b): Purpose limitation – for guidance on keeping to the limits on the purposes you are allowed to process personal data for
3.3. Sharing and selling personal data
You must not share personal data with any other organisation unless you have a lawful basis to share it and can prove that you meet the processing requirements in section 3.1 above.
If personal data is shared between organisations:
- within a federated structure (in other words, where one organisation controls the other or where both are controlled by the same parent organisation); or
- under a data-processing arrangement (where one organisation acts on behalf of another organisation under a written contract, such as professional fundraisers, data-management companies or printing houses);
the organisational structure or arrangement and the reason for processing the data must be clear in the privacy information you give to the person in order to meet their right to be informed. Or, if the organisation receiving the data needs the person’s consent (permission) to hold and use their data, the organisation or category of organisation receiving the information must be named in the request for
If you want to use a case study which identifies a person who has died, you must make all reasonable efforts to get permission from that person's estate.
In practice, fundraising messages which are sent electronically (for example, phone calls, faxes, texts and emails) or by addressed mail are likely to be directed to a specific person, and so are covered by this definition.
The marketing must be directed to particular people. Some marketing is not directed to specific people (for example, unaddressed mail) and so is not covered by this definition.
Alongside data protection legislation that applies when processing personal data for
- you meet the ‘soft opt-in’ condition which allows businesses who have received a person’s contact details when selling a product or service to them (or during negotiations relating to a possible sale) to market similar products and services to that person; or
- you are marketing to businesses or organisations (including where you contact an individual using a corporate email address such as firstname.lastname@example.org).
Consent for direct marketing communications
- be a freely given, specific, informed and unambiguous indication of the person’s wishes;
- be given through a clear positive action from the person concerned to show they have given consent (for example, using active methods, such as ticking an unticked opt-in box or answering ‘yes’ to a question);
- give options for different levels of consent for different types of processing if you plan to process the person’s data for more than one purpose;
- be separate from your other terms and conditions and not be something the person has to give when signing up to a service (unless you need the consent to be able to provide that service);
- name your organisation and any others who will be relying on the
- tell people about their right to withdraw their consent and make it as easy for them to withdraw consent as it is to give it; and
- be recorded in a way that allows your organisation to show who gave consent, when they gave consent, how they gave consent, and what they were told in connection with giving consent.
Electronic requests for consent must be clear and concise and must not unnecessarily disrupt the use of the service the
- must offer them an easy way to withdraw their consent (such as an ‘unsubscribe’ button in any communications you send);
- must, as often as your organisation reasonably decides, remind the person of their contact preferences and offer them an easy way to change these if they want to (such as an ‘update your communication preferences’ button); and
- must update the person’s record as necessary to reflect changes to their consent or contact preferences.
Legitimate interest as a basis for direct marketing communications
- have identified a legitimate interest (under ICO guidance, this may be your organisation’s own interest or the interest of third parties and may include commercial interests, individual interests and broader benefits to society);
- need to process the data to achieve that interest (under ICO guidance, if the same result can reasonably be achieved in another, less intrusive way, legitimate interests will not apply); and
- have balanced your interest in processing the personal data against the interests, rights and freedoms of the person to make sure that your interests are not overridden by theirs (under ICO guidance, if the person would not reasonably expect you to process their data or it would cause them unjustified harm, their interests are likely to override yours).
- must explain what you will use the personal data for;
- must explain your legitimate interests; and
- must offer, in the privacy notice and in any other direct marketing communication you send, a clear and simple way for the person to tell you that they do not want to receive direct marketing in future.
- Information Commissioner’s Office: Right to be informed – for guidance on privacy notices
- Information Commissioner’s Office: Legitimate interests – for guidance on using this as a lawful basis to
- Information Commissioner’s Office: Consent – for guidance on using this as a lawful basis to
3.6. Requests from people to access their personal data
If you hold or use a person’s personal data to fulfil a contract or because you have their consent to process it, you must make sure that the