Create a charter on the use of beneficiaries’ data, says think tank director

Tris Lumley of NPC tells an event that the charity sector needs to consider how service users’ personal data is collected and how their consent to keep and use it is gained

The charity sector needs to create a charter that would set out what constitutes acceptable use of beneficiaries’ personal data, according to Tris Lumley, director of innovation and development at the think tank NPC.

Speaking at the NPC event How Should Charities Respond to the Challenge of Privacy in the Digital Age? in central London this morning, Lumley said there needed to be greater communication across the sector to reach a consensus on how data should be treated.

The General Data Protection Regulation, tougher new EU data legislation, is due to come into force in May next year, and while much of the discussion about the new rules has focused on their impact on fundraising, it will apply to all aspects of charities’ data processing.

Lumley said that people within NPC had been discussing what could be done to support the sector, particularly the smaller organisations.

“Something we’ve thought about is whether there are common things we should be setting in place as charities,” he said.

“Maybe we could work together on a personal data charter for the social sector that would start to draw out some of the common-sense expectations we think a reasonable person would have as a service user – and which would be socially acceptable to the wider public.”

For example, under the GDPR, consent to process data must be “freely given”, so organisations will not be able to refuse to offer a service unless consent to process data is given. Lumley said charities needed to consider how they collected beneficiaries’ data and how they could ensure consent was freely given.

He said: “A lot of people are working on data in the charity sector, but it seems to me they aren’t connected to each other.”

Claire Tuffin, deputy director of strategy and policy at the homelessness charity St Mungo’s, agreed and said her charity was hoping to talk to other organisations, as well as commissioners and partners, about issues such as what kinds of data would be considered sensitive personal data, which will need to be processed differently under GDPR.

“It’s important to be working with sector partners to say ‘what are you doing?’, because whatever we decide there’s herd protection if we decide the same thing,” she said.

During the session, Tanvi Desai, a freelance data policy and strategy adviser, said there were certain dangers in relying solely on consent as a basis for processing people’s data.

Under the GDPR, organisations will under certain circumstances be able to process data without consent, but usually not if the person is asked for their consent and declines to give it.

Desai warned that organisations could find themselves “hostage” to the specific wording they had used to collect the consent.

“You are asking for consent for unanticipated future events,” she said. “Can you predict all the possible uses you will want to make of that data now and in the future?

“If you haven’t predicted them all, you might find that you can’t use the data unless you can revisit these people, which will present its own problems.”

She said organisations needed to be aware that people might not interpret the consent forms in the same way they did.

“A fair amount of research has found that often the data collector says someone’s agreed, but when you ask the respondents they say ‘Oh no, that wasn’t what the document said’,” said Desai. “So you need to think about whether you’re sure they have actually agreed to what you think they’ve agreed to.”


New guidance from ICO limits use of fully automated data processing

The document from the Information Commissioner’s Office says such data processing will be legal under the General Data Protection Regulation only in certain circumstances

Charities should not use fully automated processing of personal data unless they can show they have explicit consent or that it is necessary for fulfilling a contract, according to new guidance on profiling under the General Data Protection Regulation from the Information Commissioner’s Office.

The EU’s GDPR will come into force on 25 May and will introduce stricter requirements for organisations that process data than are currently required under the Data Protection Act 1998.

The new guidance from the ICO on profiling defines it as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person”.

The guidance does not allow for fully automated individual decision-making except in certain cases.

The data controller cannot get around this by fabricating human involvement, according to the guidance: the human’s oversight of a decision must be “meaningful”, rather than token, and the person must have the authority and competence to change the algorithm’s decision if necessary.

There are exceptions to this, the guidance says: when it is necessary for the performance of or entering into a contract; when authorised by the EU or the member state the data controller is a member of; or when it is based on the data subject’s explicit consent.

Profiling must be shown to be necessary in the performance of a contract to meet the first exception, according to the guidance, including consideration of whether any less intrusive methods can be adopted.

Targeted online advertising is also covered by the guidance, which says that it could have a “significant effect” on individuals depending on certain characteristics of each case, such as the intrusiveness of the profiling process involved, the expectations or wishes of the individuals concerned, how the advert is delivered and the “particular vulnerabilities of the data subjects targeted”.

Data controllers should also be aware of their transparency obligations, the guidance says, including ensuring that information about the profiling is both easily accessible for the data subject and brought to their attention.

The guidance says that profiling can involve the use of personal data that was originally collected for another reason, but that this will depend on a number of factors, including the context in which the data was collected, the expectations of the data subjects regarding its future use, any safeguards applied and the impact of further processing on the data subject.

Data has to be kept accurate and up to date, the guidance says, explaining that keeping personal data for too long increases the risk of inaccuracies.


Breaking GDPR rules ‘could put charities out of business’, says data strategist

Ilja de Coster of Amnesty International in Belgium tells the International Fundraising Congress in the Netherlands that failing to tell donors what information they hold on them could cost charities dear

Charities will face fines that could put them out of business if they cannot tell donors what information they are holding about them after the General Data Protection Regulation comes into force, delegates at the International Fundraising Congress in the Netherlands have heard.

Ilja de Coster, fundraising data strategist at Amnesty International in Belgium and director of donor relationship management at the fundraising agency The DonorVoice, warned that charities needed to prepare their systems to deal with the implications of the EU legislation, which is due to be implemented from 25 May next year.

Under the GDPR, people will have the right to approach any organisation and demand to know what data the organisation is holding about them.

De Coster said he recommended that charities should ensure their customer relationship management system has a simple mechanism to allow them to extract all the data on a particular subject into a single report.

“That’s an important thing,” he said. “Every person has the right to access data and, in the whole fine and penalty system, if you do not comply with that I guarantee you will get a high penalty.

“If you will not answer that request from a donor, you are out of business – that’s it. The fee will be the maximum.”

Under the GDPR, the Information Commissioner’s Office will be able to levy fines on organisations for data protection breaches of up to 4 per cent of their turnover or €20m (£18m), whichever is larger.

De Coster also told delegates that charities operating in more than one country needed to be aware that any fines would be calculated on the basis of turnover of the global organisation, not just the turnover of the charity in the country in which the breach happened.

He said the GDPR should be viewed as human rights legislation, because it was designed to protect people’s right to privacy, guaranteed under Article 8 of the European Convention on Human Rights, and many of the requirements of the GDPR were not new.

“The GDPR is the continuation of existing data protection law in Europe,” he said. “There’s some details stuff and some optimisation stuff based on the evolution of technology, but basically everything you’re not allowed to do in GDPR you are not allowed to do today.

“But what is new is that from now on it’s serious; playtime is over.”


Further £3m given to Grenfell fire victims in past week, commission’s data shows

A total of £5.8m of the £19m raised has now been distributed, according to the regulator

An additional £3m has been distributed to victims of the Grenfell Tower fire in the past week, according to new data released by the Charity Commission.

Last week the commission announced that just £2.8m of the £19m raised for Grenfell Tower victims had been distributed to those affected.

But commission data released last night shows that £5.8m has now reached the people who need it, although that still represents less than a third of the money that has been raised so far.

The amount that has been given to distributors by groups fundraising for the Grenfell fire victims has also reached £9.2m – an almost £1.9m increase on last week’s total. 

The fire, which occurred in Kensington, west London, on 14 June, killed an estimated 80 people and left many more homeless.

The Charity Commission has also announced that initial payments to the next of kin of those who are believed or known to have died in the fire have been increased from £20,000 to £40,000.

Payments to those seriously injured at Grenfell have also been doubled from £10,000 to £20,000 per person.

The Rugby Portobello Trust will also distribute a £15,000 payment from the London Community Foundation to families from Grenfell Tower in the next few days, the commission said.

Of the funds raised so far, British Red Cross has sent £2.4m of the almost £5.8m it has raised to distributing organisations, and the Kensington & Chelsea Foundation has also sent £2.5m of its £5.8m.

The Evening Standard Dispossessed Fund and the London Community Foundation has sent £3.9m of the £6.2m it has raised to distributing organisations, the commission data shows.

Artists for Grenfell and the London Community Foundation have sent £316,000 of the £700,000 they have raised to distributing organisations, and Muslim Aid has sent £57,713 of its £177,803.

Of the distributing organisations, the London Emergencies Trust has given £1.8m of the £4.8m it has received to victims, and the Rugby Portobello Trust has got £3.3m of the £4m it has to those affected.

Direct distributions from the Kensington & Chelsea Foundation, Turn2us, Muslim Aid and the London Community Foundation have all been sent in full to victims of the fire.

Clement James Centre has distributed £58,482 of the £62,923 it has received to victims, and the National Zakat Foundation has handed out all of the £253,080 it has been given to Grenfell victims.

David Holdsworth, registrar of charities in England and Wales, said: “We are pleased that a further £3m has reached survivors and those affected by this terrible tragedy in the last week, and that further funds will be distributed in the coming days. Some challenges still remain but it is important that the charities continue to work with the community and that the remaining funds are made available to meet their short, medium and longer-term needs.”
