If you were to follow the ICO’s lead, it would be easy to believe that consent is the only lawful ground for contact – they’ve published a 39-page consultation on the subject, but it’s likely to be another 6 months before we see any guidance on Legitimate Interest. And there’s no sign at all of further info on the other categories. But consent is just one of 6 equally-weighted legal grounds for processing an individual’s data, so here’s our attempt to illuminate the murky world of these under-reported options…
A contract with the individual
ICO Definition: for example, to supply goods or services they have requested, or to fulfil your obligations under an employment contract. This also includes steps taken at their request before entering into a contract.
- It doesn’t take a huge leap of the imagination to see that this purpose can be invoked to cover a wide range of fundraising admin, Gift Aid confirmation and ANL letters to regular givers.
Compliance with a legal obligation
ICO Definition: if you are required by UK or EU law to process the data for a particular purpose, you can.
- Gift Aid confirmation and ANL letters to regular givers are also a legal requirement, as is processing data for annual accounts. However, this won’t extend as far as giving you permission to disseminate your Annual Review to supporters.
Vital interests
ICO Definition: you can process personal data if it’s necessary to protect someone’s life. This could be the life of the data subject or someone else.
- As tempting as it is to argue the case for this one, unfortunately the DMA have said that the ICO won’t recognise this use, even in the case of emergency appeals etc. when lives are imminently at risk.
A public task
ICO Definition: if you need to process personal data to carry out your official functions or a task in the public interest – and you have a legal basis for the processing under UK law – you can. If you are a UK public authority, our view is that this is likely to give you a lawful basis for many if not all of your activities.
- Similarly, the ICO won’t recognise that charitable work done in the ‘public benefit’ is equivalent to being a task in the ‘public interest’, so this option is also out of bounds for fundraising.
Legitimate interests
ICO Definition: if you are a private-sector organisation, you can process personal data without consent if you have a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual’s rights and interests.
- This is expected to be widely used across all sectors and is especially relevant to the charity sector, as an individual often continues to identify as a supporter and remains interested for many years after donating. In fact, many who consider themselves supporters will engage at a local level and never even end up on a centralised database – the massive volume of legacies that are received from unknown supporters is testament to this. So again this boils down to relevancy – if you’ve done your data homework at selection level, you should be able to confidently evidence that the customer is engaged and unlikely to feel that their privacy rights are being harmed by an irrelevant communication.
- Remember, ePrivacy laws mean that you must have consent in order to send direct marketing by email, SMS, automated calls, or via live calls to TPS-registered numbers – legitimate interest cannot override this.