ICO investigates uncharitable ‘data sales’

I know many people who would argue that there shouldn’t be a need for charities, saying the search for a cure for cancer, protection of vulnerable children, etc., etc., should all be funded by government.

Fair point methinks but, as that is not the world we live in, we have to recognise the need for such organisations. We also need to recognise how many do a stellar job of improving the lives of all those people (and animals) that they help.

But, according to the Daily Mail, some of those charities need help of a different kind – the kind offered by Give01Day, perhaps?

The issue highlighted by the paper today surrounds the alleged selling of personal data.

I’m not talking about the under-the-counter sort of data deals that seem to take place between mobile phone companies (allegedly, of course) and questionable third parties, but rather the sharing of information between charities themselves, as well as other organisations.

In the Mail’s article, the case of retired lieutenant colonel Samuel Rae makes interesting reading.

The 87-year-old widower, who suffers from dementia, filled in a newspaper lifestyle survey in 1994.

As the company which conducted the survey no longer exists, it is impossible to verify whether Mr Rae ticked a box to prevent sharing of his data or not. In any event, the fact that he mentioned having a cat was enough to see his data sold on to two charities who then wrote to him, asking for donations. After donating to at least one of those, his information was sold on to yet more charities, as well as an insurance company, gambling and jewellery companies.

By interacting with many of the letters he subsequently received, especially lotteries and sweepstakes, including at least one run by a known conman, his details wound up on 11 so-called ‘suckers’ lists which detail people known to respond to such ploys.

Given that many people on such lists are elderly or not otherwise fully in charge of their faculties, it seems both inappropriate and morally wrong that charities could sell their details in such a way, doesn’t it?

As a result of such lists and other ‘scams’, Mr Rae lost some £35,000 and has been contacted by charities 731 times. The Daily Mail also reports that his data was passed on 200 times.

Commenting on the findings, unearthed via ‘subject access requests,’ his son Chris said:

It is a horrific insight into what can happen when you forget – as we all sometimes do – to tick a box in the small print.

The most shocking thing to me is the charities.

You think charities would have the highest ethical standards of any organisations. It is clear to me that some of them have been taken over by people who only care about making money.

In a way, I am glad my father is not able to understand what has happened. He belongs to a generation who just trusted charities to do the right thing.

Numerous charities named by the Mail have since said they take the matter seriously, will investigate or take action where necessary to ensure good practices in the future.

While there is no suggestion that any genuine charity breached the Data Protection Act, the UK’s Information Commissioner’s Office (ICO) has nonetheless taken an interest, saying that it is looking into the case.

Speaking to BBC Radio 4’s Today programme, Information Commissioner Christopher Graham said:

If the law has been broken, we will take action.

Whether or not Samuel Rae ticked the box in 1994 and is still being plagued with unwanted mail and unwanted approaches is beside the point. The Data Protection Act is very clear – the very first principle is that your data is only processed fairly and lawfully. What’s described in the papers this morning doesn’t look like that.

A failure to tick a box isn’t consent and it doesn’t give you the right to trade in people’s personal information years after the event.

If there’s any connection between the good work that charities do and the scam merchants, that’s very concerning and we’ve got to get to the bottom of how this information was passed on.

Graham did however make the point that a thorough investigation was required and that he didn’t want the whole charity sector to be tarnished unfairly.

Head of enforcement at the ICO, Steve Eckersley, echoed the need for an investigation but highlighted how data protection laws apply to charities in exactly the same way as they do to businesses.

If you run a charity and have any concerns over data protection, there is no excuse not to set that right. If you need help, Give01Day (our CEO Brian Honan sits on the founding advisory board) – a collective of volunteering security professionals – can offer help and advice. You can find Give01Day here, or contact founder Amar Singh via Twitter if you prefer.
