Tris Lumley of NPC tells an event that the charity sector needs to consider how service users’ personal data is collected and how their consent to keep and use it is gained
The charity sector needs to create a charter that would set out what constitutes acceptable use of beneficiaries’ personal data, according to Tris Lumley, director of innovation and development at the think tank NPC.
Speaking at the NPC event How Should Charities Respond to the Challenge of Privacy in the Digital Age? in central London this morning, Lumley said there needed to be greater communication across the sector to reach a consensus on how data should be treated.
The General Data Protection Regulation, tougher new EU data legislation, is due to come in to force in May next year, and while much of the discussion about the new rules has focused on their impact on fundraising, it will apply to all aspects of charities’ data processing.
Lumley said that people within NPC had been discussing what could be done to support the sector, particularly the smaller organisations.
“Something we’ve thought about is whether there are common things we should be setting in place as charities,” he said.
“Maybe we could work together on a personal data charter for the social sector that would start to draw out some of the common-sense expectations we think a reasonable person would have as a service user – and which would be socially acceptable to the wider public.”
For example, under the GDPR, consent to process data must be “freely given”, so organisations will not be able refuse to offer a service unless consent to process data is given. Lumley said charities needed to consider how they collected beneficiaries’ data and how they could ensure consent was freely given.
He said: “A lot of people are working on data in the charity sector, but it seems to me they aren’t connected to each other.”
Claire Tuffin, deputy director of strategy and policy at the homelessness charity St Mungo’s, agreed and said her charity was hoping to talk to other organisations, as well as commissioners and partners, about issues such as what kinds of data would be considered sensitive personal data, which will need to be processed differently under GDPR.
“It’s important to be working with sector partners to say ‘what are you doing?’, because whatever we decide there’s herd protection if we decide the same thing,” she said.
During the session, Tanvi Desai, a freelance data policy and strategy adviser, said there were certain dangers in relying solely on consent as a basis for processing people’s data.
Under the GDPR, organisations will under certain circumstances be able to process data without consent, but usually not if the person is asked for their consent and declines to give it.
Desai warned that organisations could find themselves “hostage” to the specific wording they had used to collect the consent.
“You are asking for consent for unanticipated future events,” she said. “Can you predict all the possible uses you will want to make of that data now and in the future?
“If you haven’t predicted them all, you might find that you can’t use the data unless you can revisit these people, which will present its own problems.”
She said organisations needed to be aware that people might not interpret the consent forms in the same way they did.
“A fair amount of research has found that often the data collector says someone’s agreed, but when you ask the respondents they say ‘Oh no, that wasn’t what the document said’,” said Desai. “So you need to think about whether you’re sure they have actually agreed to what you think they’ve agreed to.”